Okta

Written By Seb Pace

Last updated 28 days ago

Updating a user’s Lifecycle Status

  • Activated users can be Deactivated, Suspended or Deleted.

  • Deactivated users can be Activated or Deleted. They can’t be Suspended.

  • Suspended users can be Unsuspended, Deactivated or Deleted. They can’t be Activated, but Unsuspending achieves the same outcome.

Updating a user’s Profile Attributes

  • A user can be Activated and have their attributes updated as part of the same API call.

  • A user cannot have their attributes updated while in a Deactivated state, but can while in a Suspended (or Activated) state.

  • A user also cannot have their attributes updated if they are being Deactivated as part of the same API call. In this case, only the deactivation will succeed.

Adding/Removing users from Groups & IdP Apps

  • Active or Suspended users can be both added to and removed from Groups and IdP Apps.

  • Deactivated users can be removed from Groups & IdP Apps, but they cannot be added to Groups & IdP Apps.
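
The rules in the three sections above can be combined into a pre-flight check that predicts which parts of a requested change will actually take effect, which is useful for confirming that an offboarding request does what was intended. This is an added example, not Ploy's or Okta's code; `preflight`, `Plan` and the operation names are hypothetical, and judging attribute and group changes against the status the user ends in is an assumption.

```python
from dataclasses import dataclass, field
from typing import Optional

# Lifecycle transitions as listed on this page: current status -> allowed actions.
ALLOWED = {
    "Activated": {"deactivate", "suspend", "delete"},
    "Deactivated": {"activate", "delete"},
    "Suspended": {"unsuspend", "deactivate", "delete"},
}
# Status the user ends in after each action (None means the user is gone).
RESULT = {"activate": "Activated", "unsuspend": "Activated",
          "suspend": "Suspended", "deactivate": "Deactivated", "delete": None}


@dataclass
class Plan:
    applied: list = field(default_factory=list)
    skipped: list = field(default_factory=list)  # (operation, reason) pairs
    final_status: Optional[str] = None


def preflight(status, action=None, attrs=None, add=(), remove=()):
    """Predict which parts of one requested change would take effect."""
    plan = Plan(final_status=status)
    if action == "activate" and status == "Suspended":
        action = "unsuspend"  # same outcome, and the only transition allowed here
    if action:
        if action in ALLOWED[status]:
            plan.applied.append(action)
            plan.final_status = RESULT[action]
        else:
            plan.skipped.append((action, f"not allowed from {status}"))
    # Assumption: attribute and group changes are judged against the status the
    # user ends in. This reproduces the page's same-call rules for Activate and
    # Deactivate; Delete combined with other changes is not covered by the page.
    writable = plan.final_status in ("Activated", "Suspended")
    if attrs:
        if writable:
            plan.applied.append("update_attrs")
        else:
            plan.skipped.append(("update_attrs", f"user ends {plan.final_status}"))
    for group in add:
        if writable:
            plan.applied.append(f"add:{group}")
        else:
            plan.skipped.append((f"add:{group}", f"user ends {plan.final_status}"))
    if plan.final_status is not None:
        plan.applied.extend(f"remove:{group}" for group in remove)
    return plan
```

Anything that lands in `skipped` is a change the caller asked for that would not be applied, so an offboarding workflow can flag it before reporting success.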

Static vs Dynamic Groups

Ploy can handle granting & removing access for both Static & Dynamic Groups in a seamless manner:

  • Static: Static groups are easy. Users will simply be added and removed from the group on demand.

  • Dynamic: With Dynamic groups, the net result will be the same. However, in practice, what happens is as follows:

    • Granting Access: If we grant a user access to a Dynamic Group that they did not previously have access to, Okta will mark that user as being managed ‘Manually’, effectively making the group static for that one user.

    • Revoking Access: If we revoke a user's access to a Dynamic Group that they have via the Dynamic Rule, we will automatically edit that rule to except (exclude) that user.