Okta (Standard Level) Access Requirements

Why do we need access to your Okta instance?

The Moveworks service interacts with your Okta instance to carry out one or more of the following:

  • fulfill employees' software provisioning requests;
  • identify employees; and
  • help employees reset passwords, unlock locked accounts, and reset their multi-factor authentication, and warn employees when their password is about to expire.

Note that not all Moveworks+Okta deployments handle all of the tasks mentioned above. In some deployments, password and account issues are handled through Moveworks' direct interaction with Active Directory.

Service Account Permissions Needed:

The service account in Okta allows the Moveworks service to fulfill provisioning requests by adding users to groups in Okta. Create a bot service account dedicated to Moveworks and share the API token of this account with your Moveworks Customer Success team. Moveworks does not need the credentials of this service account; the token is sufficient for the integration.

For organizations where Moveworks integrates with Okta to give employees access to software, the API token must have the following permissions in Okta:

  • Group Admin
  • App Admin


Scoping down the Group Admin Role

Within Okta, you can optionally choose to constrain the Group Admin Role so that it can operate only on a specific subset of groups. This way, the Moveworks token can ONLY access the groups you would like it to operate on.

For organizations where Moveworks integrates with Okta to help employees with passwords, account unlock, and multi-factor reset, the API token must have the following permissions in Okta:

  • Help Desk Admin
  • Report Admin

For more information on what permissions are entailed in each role, please refer to Okta's documentation.
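
One way to check that the service account holds only the roles listed above and that Group Admin is scoped to specific groups. This is an added example, not Moveworks or Okta code: the role `type` strings are the Okta Roles API values assumed to correspond to the role names on this page, the function and variable names are hypothetical, and the sample data is constructed.

```python
# Added example: least-privilege audit of the service account's Okta role assignments.
# Assumption: role "type" strings are the Okta Roles API values for the page's role names.
EXPECTED = {
    "provisioning": {"USER_ADMIN", "APP_ADMIN"},          # Group Admin, App Admin
    "account_help": {"HELP_DESK_ADMIN", "REPORT_ADMIN"},  # Help Desk Admin, Report Admin
}

def audit_roles(roles, group_targets, use_cases):
    """Return a list of findings for the service account.

    roles:         role objects shaped like GET /api/v1/users/{id}/roles
    group_targets: {role_id: [group_id, ...]}, shaped like the result of
                   GET /api/v1/users/{id}/roles/{roleId}/targets/groups
    use_cases:     which integrations from this page are deployed
    """
    allowed = set().union(*(EXPECTED[u] for u in use_cases))
    active = [r for r in roles if r.get("status") == "ACTIVE"]
    held = {r["type"] for r in active}
    findings = [f"excess role: {t}" for t in sorted(held - allowed)]
    findings += [f"missing role: {t}" for t in sorted(allowed - held)]
    for r in active:
        # A Group Admin role with no group targets applies to every group.
        if r["type"] == "USER_ADMIN" and not group_targets.get(r["id"]):
            findings.append("Group Admin is unscoped (applies to all groups)")
    return findings

# Constructed sample: an over-privileged, unscoped service account.
SAMPLE_ROLES = [
    {"id": "role-1", "type": "USER_ADMIN", "status": "ACTIVE"},
    {"id": "role-2", "type": "APP_ADMIN", "status": "ACTIVE"},
    {"id": "role-3", "type": "SUPER_ADMIN", "status": "ACTIVE"},
]
SAMPLE_TARGETS = {"role-1": []}  # no group targets assigned

if __name__ == "__main__":
    for finding in audit_roles(SAMPLE_ROLES, SAMPLE_TARGETS, ["provisioning"]):
        print(finding)
```

Running the same check after every change to the account's roles catches privilege creep on a token that is shared with a third party.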

What is the account used for:

  • The bot uses this account to add users to Okta groups for app provisioning and to look up user attributes when users interact with the bot.

Providing the Credentials

Once you have obtained the credentials, please notify your Customer Success team. They will provide an encrypted method of transferring the information. You may also opt for your preferred method if necessary.