Why do we need access to your Okta instance?

The Moveworks service interacts with your Okta instance to carry out one or more of the following:

• fulfill employees' software provisioning requests;
• identify employees; and
• help employees reset passwords, unlock locked accounts, help employees reset their multi-factor authentication, and warn employees when their password is about to expire.

Note that not all Moveworks+Okta deployments handle all of the tasks mentioned above. In some deployments, password and account issues are handled through Moveworks' direct interaction with Active Directory.

Service Account Permissions Needed:

The service account in Okta allows the Moveworks service to fulfill provisioning requests by adding users to groups in Okta. Create a bot service account dedicated to Moveworks and share the API token of this account with your Moveworks Customer Success team. Moveworks does not need the credentials of this service account, the token is sufficient.

For organizations where Moveworks integrates with Okta to give employees access to software, the API token must have the following permissions in Okta:

• Group Admin
• App Admin

For organizations where Moveworks integrates with Okta to help employees with passwords, account unlock, and multi-factor reset, the API token must have the following permissions in Okta:

• Help Desk Admin
• Report Admin

What is the account used for:

• This account is used for the bot to be able to add users to Okta groups for app provisioning and identifying user attributes when interacting with the bot.

Providing the Credentials

Once you have obtained the credentials, please notify your Customer Success team. They will provide an encrypted method of transferring the information. You may also opt for your preferred method if necessary.