Business Problem
Following the M&A app migration completed in Scenario 02, the acquired workforce was fully onboarded into Okta — provisioned from Active Directory via the Okta AD Agent and authenticated through Okta SAML SSO. The migration eliminated the technical debt of the legacy IdP. It did not eliminate the operational debt of manual access management.
Every lifecycle event — a new hire joining the HR team, an analyst transferring to Security, a departing employee — required an IAM administrator to log into Okta, locate the user, and manually modify app assignments. There were no guardrails and no audit trail proving the change had been made within any defined SLA. Delays in provisioning were impacting Day 1 readiness. Delays in deprovisioning created lingering access that would fail a SOC 2 audit.
Risk
- Manual provisioning with no SLA — Day 1 access delays impacting new hire experience
- Manual deprovisioning with no enforcement — offboarded users retaining app access
- No audit trail proving lifecycle changes were made within policy
- SOC 2 CC6.2 and CC6.3 exposure — no documented access provisioning or removal evidence
Scope
| Field | Detail |
|---|---|
| Affected population | Acquired workforce migrated to Okta in Scenario 02 |
| Platform | Okta Workflows |
| Lifecycle events covered | Joiner, Mover, Leaver |
| Trigger source | Okta-native group membership changes — AD-synced groups do not fire native Workflow trigger events |
| Audit destination | JML Mover Audit Log table (timestamped rows) |
| Compliance target | SOC 2 Type II — CC6.2, CC6.3 |
Solution Design — 3 Workflows
Joiner — HR Portal Provisioning
Triggers on User Added to Group, scoped via a Continue If gate to GRP-WORKFLOWS-HRApps — an Okta-native group used as the trigger source. On trigger, IDSentinel HR Portal is assigned and the provisioning event is logged. Okta-native groups are required because AD-synced group changes via the AD Agent do not fire native Workflow events.
Mover — HR to Security Role Transfer
Triggers on User Added to Group scoped to GRP-ACCESS-SecurityApps. On trigger: HR Portal removed, Security Tools assigned, timestamped row written to JML Mover Audit Log table. Single trigger used — Security group addition chosen as the authoritative role-change signal.
Leaver — Deactivation Offboarding Log
Triggers on User Deactivated. On trigger, the event is logged via Compose. Explicit app removal and account suspension were removed after implementation — Okta clears AppUser records as part of deactivation (Remove App returns 404) and Suspend User returns 400 on already-deactivated accounts. Deactivation is the terminal access-removal event in Okta's lifecycle model.

Implementation
01 Joiner Flow — Validated
Triggered by adding a pilot user to GRP-WORKFLOWS-HRApps directly in Okta. HR Portal appeared in the user's application list without manual admin intervention. Execution log confirmed successful flow run.
Screenshots: 01-joiner-flow-canvas, 02-joiner-flow-execution-log, 03-joiner-app-assignment-confirmed
02 Mover Flow — Validated
Triggered by adding a pilot user to GRP-ACCESS-SecurityApps. HR Portal removed from the user's app list, Security Tools appeared in its place. JML Mover Audit Log table confirmed a timestamped row — user login, previous app, new app, and timestamp all captured.
Screenshots: 04-mover-flow-canvas, 05-mover-flow-execution-log, 06-mover-app-swap-confirmed, 07-mover-audit-log-table
03 Leaver Flow — Validated
Triggered by deactivating a pilot user. Execution log confirmed successful run. Deactivated account confirmed with zero app assignments — Okta's deactivation event clears all AppUser records. The user cannot authenticate regardless of residual group membership records.
Screenshots: 08-leaver-flow-canvas, 09-leaver-flow-execution-log, 10-leaver-zero-app-assignments
04 Break/Fix — Mover Flow Firing on Wrong Group
- Root cause: Continue If gate temporarily scoped to GRP-WORKFLOWS-HRApps instead of GRP-ACCESS-SecurityApps — flow fired on HR group addition, incorrectly removing HR Portal and assigning Security Tools
- Fix: Restored value B on the Continue If card to GRP-ACCESS-SecurityApps
- Validation: User added to GRP-WORKFLOWS-HRApps — flow did not fire
Screenshots: 12-breakfix-incorrect-assignment, 13-breakfix-corrected-flow-canvas, 14-breakfix-corrected-execution-log
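The three flows described under Solution Design, and the mis-scoped Continue If gate from the break/fix above, modelled as plain Python. This is an added example, not the project's own Okta Workflows flows and not the Okta SDK: FakeOkta is an in-memory stand-in tenant constructed for this example, and JMLWorkflows and run_pilot are names chosen here. The group and app names are the page's own, and the 404 on Remove App and 400 on Suspend User after deactivation are the behaviours the page reports. Each flow is written as the page describes it: a trigger, a Continue If gate, then the actions, with the Mover gate value (value B) passed in so it can be deliberately scoped to the wrong group.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

HR_GROUP = "GRP-WORKFLOWS-HRApps"
SECURITY_GROUP = "GRP-ACCESS-SecurityApps"
HR_PORTAL = "IDSentinel HR Portal"
SECURITY_TOOLS = "Security Tools"

class OktaError(Exception):
    """Stand-in for an Okta API error; status is the HTTP code."""
    def __init__(self, status: int, message: str) -> None:
        super().__init__(f"{status}: {message}")
        self.status = status

@dataclass
class FakeOkta:
    """In-memory stand-in for the tenant (constructed for this example, not the Okta SDK)."""
    apps: dict = field(default_factory=dict)    # login -> set of assigned apps
    groups: dict = field(default_factory=dict)  # login -> set of group memberships
    active: dict = field(default_factory=dict)  # login -> bool (missing means ACTIVE)

    def assign_app(self, login: str, app: str) -> None:
        self.apps.setdefault(login, set()).add(app)

    def remove_app(self, login: str, app: str) -> None:
        if app not in self.apps.get(login, ()):     # no AppUser record: Okta answers 404
            raise OktaError(404, f"{app} is not assigned to {login}")
        self.apps[login].remove(app)

    def suspend_user(self, login: str) -> None:
        if not self.active.get(login, True):        # account not ACTIVE: Okta answers 400
            raise OktaError(400, f"{login} is not active")

    def add_to_group(self, login: str, group: str) -> dict:
        self.groups.setdefault(login, set()).add(group)
        return {"event": "user.added_to_group", "login": login, "group": group}

    def deactivate_user(self, login: str) -> dict:
        self.active[login] = False
        self.apps.setdefault(login, set()).clear()  # deactivation clears every AppUser record
        return {"event": "user.deactivated", "login": login}

class JMLWorkflows:
    """The three flows; mover_gate is value B on the Mover flow's Continue If card."""
    def __init__(self, okta: FakeOkta, mover_gate: str = SECURITY_GROUP) -> None:
        self.okta, self.mover_gate = okta, mover_gate
        self.audit_log: list = []   # JML Mover Audit Log table
        self.event_log: list = []   # Compose output for Joiner/Leaver runs

    def handle(self, event: dict) -> list:
        # Every flow on the trigger runs, Joiner before Mover; returns the names of flows that ran.
        if event["event"] == "user.added_to_group":
            return [n for n, f in (("joiner", self.joiner), ("mover", self.mover)) if f(event)]
        return ["leaver"] if event["event"] == "user.deactivated" and self.leaver(event) else []

    def joiner(self, event: dict) -> bool:
        if event["group"] != HR_GROUP:              # Continue If gate
            return False
        self.okta.assign_app(event["login"], HR_PORTAL)
        self.event_log.append(f"{datetime.now(timezone.utc).isoformat()} JOINER {event['login']} assigned {HR_PORTAL}")
        return True

    def mover(self, event: dict) -> bool:
        if event["group"] != self.mover_gate:       # Continue If gate, value B
            return False
        login = event["login"]
        self.okta.remove_app(login, HR_PORTAL)
        self.okta.assign_app(login, SECURITY_TOOLS)
        self.audit_log.append({"login": login, "previous_app": HR_PORTAL, "new_app": SECURITY_TOOLS,
                               "timestamp": datetime.now(timezone.utc).isoformat()})
        return True

    def leaver(self, event: dict) -> bool:
        # Log only: Remove App would return 404 and Suspend User 400 after deactivation.
        self.event_log.append(f"{datetime.now(timezone.utc).isoformat()} LEAVER {event['login']} deactivated; apps cleared by Okta")
        return True

def run_pilot(mover_gate: str = SECURITY_GROUP) -> dict:
    """Replay the pilot validations; mover_gate=HR_GROUP reproduces the break/fix."""
    okta, result = FakeOkta(), {}
    flows = JMLWorkflows(okta, mover_gate)
    result["joiner_fired"] = flows.handle(okta.add_to_group("pilot", HR_GROUP))
    result["apps_after_hr"] = set(okta.apps.get("pilot", ()))
    result["mover_fired"] = flows.handle(okta.add_to_group("pilot", SECURITY_GROUP))
    result["apps_after_security"] = set(okta.apps.get("pilot", ()))
    result["leaver_fired"] = flows.handle(okta.deactivate_user("pilot"))
    result["apps_after_deactivation"] = set(okta.apps["pilot"])
    result["residual_groups"] = set(okta.groups["pilot"])
    result["audit_log"] = list(flows.audit_log)
    # The two calls the Leaver flow originally made, showing why they were dropped.
    result["post_deactivation_status"] = {}
    for name, call in (("remove_app", lambda: okta.remove_app("pilot", HR_PORTAL)),
                       ("suspend_user", lambda: okta.suspend_user("pilot"))):
        try:
            call()
        except OktaError as err:
            result["post_deactivation_status"][name] = err.status
    return result
```

`run_pilot()` replays the three validated runs: the HR group addition fires only the Joiner, the Security group addition fires only the Mover and writes one audit row, and deactivation fires the Leaver, leaves the account with no app assignments but with its group rows still present, and makes Remove App and Suspend User fail with 404 and 400. `run_pilot(HR_GROUP)` replays the break/fix: both Joiner and Mover fire on the HR group addition, the user ends up holding Security Tools only, and the later Security group addition fires nothing.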
Outcome
SOC 2 Compliance Mapping
| Control | Framework | Evidence |
|---|---|---|
| CC6.2 | SOC 2 | Access provisioning tied directly to role-aligned group membership — Joiner flow execution log proves no manual provisioning path |
| CC6.3 | SOC 2 | Deactivation event triggers Leaver flow — execution log provides timestamped audit evidence of offboarding |
Files
- diagrams/jml-workflow-architecture.png: Flow diagram — trigger, logic, and action for all three workflows
- evidence/soc2-cc6.2-cc6.3-mapping.md: SOC 2 control mapping with screenshot references
- runbooks/jml-runbook.md: Operational runbook — how to validate, modify, or disable each workflow
- screenshots/: Execution evidence for all three flows and the break/fix scenario