Workflows for Lifecycle Management

Transcript

Arvil Nagpal: Hi guys. Welcome to Oktane. I'm sure when this gets millions of hits on YouTube, we'll all forget that we're in the middle of the Coronavirus but, here we are, I'm talking about Workflows for Lifecycle Management. We're going to be talking about IT automation in this session and going deep into Okta Workflows, as I'm sure you saw in the keynote.

Arvil Nagpal: This includes forward looking statements, and you can look at the past slides for more information.

Arvil Nagpal: My name is Arvil Nagpal. I'm a senior product manager here with Okta. I work exclusively on the Okta Workflows product, and I'm going to be joined today by Brent Wiley and Benarjeey Reddy. They both work at Okta customer, Discount Tire, and they're going to be talking about their own journey using and seeing the value of Okta Workflows. 

“Joiner, Mover, Leaver” is how we describe how Okta manages life cycles today. It’s related to all the different user identities that might occur within your organization.

Arvil Nagpal: “Joiner” is the process in which identities are brought in from a third-party system and onboarded. It ensures that all the users in your environment have the applications that they need access to on Day One.

“Mover” flows are around what happens at a steady state with an organization when people change roles. They get promoted, they get married, they take leaves of absence, and their application access needs to be changed based on those actions. 

And then finally, “Leaver” flows are about how you, as an organization, maintain a strong security posture and make sure that access is cut off when employees or contractors leave your organization.

Arvil Nagpal: Our existing Lifecycle Management product adds automation in three areas. Provisioning capabilities have to do with creating, updating, and deactivating accounts and third-party systems like Box and Slack. That also extends to our integration partners that have built on top of SCIM, of which we have more than 200.

Arvil Nagpal: We also have capabilities to manage identity life cycles. This has to do with our HR integrations, as well as maintaining user states, like “active,” “inactive,” and “suspended.” 

And then finally, access grants falls in two buckets. One, it’s a set of policies like group rules around who should have access to what. And two, it's a set of lightweight app request workflows that we also have modeled in the product.

Arvil Nagpal: Lifecycle Management drives benefits across the organization with its automation capabilities. For IT, it’s about reducing total cost of ownership, deprecating legacy code, and improving your security posture when offboarding users. For HR, it's about enhancing the employee experience so they have everything they need access to on Day One.

Lastly, for employees—they're happier. You avoid delays with getting them access to different applications with profile updates and there's a consolidated place to view your profile as well, as it relates to identity.

Arvil Nagpal: So today, our Lifecycle Management product, or what we call LCM, helps automate common scenarios. Customers value our product because it's prescriptive, easy to use, and easy to set up to automate these Joiner, Mover, Leaver flows.

As we've progressed, however, organizations want more flexibility. They want more customization in how they want to handle Joiner, Mover, Leaver scenarios. 

These customizations fall into three buckets. The first: Logical Conditions. These are the How and the Why I want an automation to occur. For example, I'd like to customize onboarding processes for employees versus contractors. 

The second one is really around timing, and this is a problem of When. For example, when an employee leaves, I need to make sure they still have access to their payroll system for 90 days. 

And then finally, we marry those logical and timing conditions with being able to implement multiple actions in any system. For example, for a contractor to FTE conversion, I want to update their permissions in G Suite and notify their manager.

Arvil Nagpal: So, what is Okta Workflows? Okta Workflows is a powerful engine that is built on a no-code platform that automates identity-specific tasks. No-code is really critical. It doesn't take a developer to build complex automations. 

Every single flow that you build always starts with an event. In this case, the event is that Okta assigns a user to Salesforce. You can then implement logical conditions. Like, is the user on an EMEA sales team? If so, then you would like to assign the user to an EMEA territory, and then add them to the EMEA sales channel and send a welcome message. It's this “if this, then that” automation platform that we believe will really take the Lifecycle Management product to the next level.

Arvil Nagpal: Just wanted to announce, I'm sure you heard this in the keynote, that Lifecycle Management Workflows is now generally available, which we're really excited about. We've been working hard for a year to get to this milestone. 

We've got successful customers like Slack, Discount Tire, NTT DATA, and dozens more as part of our early adopter program. We've got happy customers. “Workflows should come with some kind of a warning—they're addictive as hell,” one customer told us. 

And lastly, Workflows is now available to everyone. It's available as part of the advanced Lifecycle Management SKU. If you've already purchased that, you can get Workflows today by talking to Okta Support or your CSM. If not, then it's available for purchase.

Arvil Nagpal: We'll now go into a quick demo of the product and a real-life scenario that I've personally been going through, where we can use and show the value of Okta Workflows.

Arvil Nagpal: Okay guys, demo time. The situation here in this demo is that I'm an owner of a little internal group here at Okta called Dad, Inc. We really just have cool dad hats. That's mainly the purpose. Kinda like this one. 

So, this is a pretty exclusive group, but from time to time we'll let some other people in. The only requirement is they need to have a 10 out of 10 rating on the Dad Scale. To be totally honest with you, though, this onboarding process is getting pretty frustrating. We have three total members right now and I can't handle the load. Every new user needs to be invited to their channel in Slack. They need access to our top secret data location. I also need to keep track of whether they've paid member dues. Dad hats aren't cheap, you know.

Arvil Nagpal: Usually, before I start a flow, I like to mock out the flow itself. What we want to mock out is the trigger for this flow, the thing that starts the flow. For this scenario, it will be this: The user is assigned to the Dad Group. We're going to validate that it is in fact the right Dad Group—we have the group ID of the correct group. We also want to vet that the individual has a Dad Rating of 10. 

Now I want to invite Jess, our new member, to the Dad, Inc. channel. I composed a quick welcome message for her, and then added a row to dues table, to make sure whether she's paid her dues or not. So, we'll come over to the Workflows console here. I've created a folder for us called Dad, Inc. Let's create the flow.

Arvil Nagpal: The first thing we're going to do is, every flow starts with an event. So, we click Add Event. We click Okta. We scroll down, and we say User Added to Group as our event. Perfect. This event has really critical information, like information on the user that was added to the group, as well as information about the group itself. 

Arvil Nagpal: We then want to make sure that we have the right group. So, functions are really critical and they surround all of the actions that we're going to do in other applications to introduce logic, introduce data manipulation, things like that. 

So, if we go to Branching, this is where our logic is. We want to use a Continue If function: This flow will only continue if this condition is true. So I'm going to take the group ID, and I want to make sure it's equal to the group that we need here. 

Arvil Nagpal: I generally like to save. We'll call this the Dad, Inc. Onboarding Flow. I want to save all data to make sure my history is captured. Let's just turn it on, so we can test as we go. 

Arvil Nagpal: Next, I need to make sure that Jess has a Dad Rating of 10. Now, as you can see on the event profile, I don't actually have that much. There are only four attributes that I get: Their ID, their username, their display name, and the type of user. So, often we have to go back into Okta to get additional information. 

That's where the Okta Read User card will come in handy. I scroll down. I click Read User. I get a list of parameters of the things that will get returned. I don't need a lot of this, so let's just delete this. Let's scroll down. Let's get their username, their first name, their last name and their Dad Rating all the way at the bottom. Cool. Then as part of this, we will go here.

Arvil Nagpal: Let's go ahead and test this card. So, we'll go Jess.Star[at]Okta.com. Test. Perfect. This gives us all the information that we require.

Arvil Nagpal: Next, I want to do another Continue If on that function. In case another user comes in, I want to make sure they also have a Dad Rating of 10. I then take their Dad Rating, from the Read User card, put it up here and make sure it’s equal to 10. Cool. Let’s save our flow. Awesome.

Let's go ahead and quickly test this flow. I'll come back to my group. Let's just add somebody just as a test. We'll add Jalen Brown. Awesome. Save. Let's make sure that it's updated, which it is. If we go back to our flow here, and I click Flow History, we see that we have a successful person. Awesome. So, we know this flow’s working so far.

Arvil Nagpal: Now, let's continue to build. So what we now want to do is we want to invite Jess to the Dad, Inc. channel. This is where the App Actions come in. You can see we have a bunch of connectors in our environment. Let's click Slack, and let's invite the user to a channel. We want to use a channel ID because we have a large number of channels in this environment. In terms of the user ID, what we require is this ID right here, which I've gathered before, and then we also need the channel ID. These are things you can get directly from Slack.

Arvil Nagpal: Next, we want to compose a welcome message. So, I click Function. You can use this Compose card to create a nice message. Let's just say, first name, which is Jess, "You've been admitted to the best employee resource group this galaxy has ever seen. I hope you are proud of this accomplishment. Please pay your dues. I am poor. Chief Data Officer, Arvil." Perfect. Let's save.

Arvil Nagpal: And then finally, we want to do our last App Action, which is sending a message to the channel. Let's use Channel ID again, which puts it into the bot. We want to send this composed message. Send this from Dad Bot. And then, again, the channel ID is the following. Let's save again. Save flow. 

Arvil Nagpal: Now, the last thing we want to do is add a row to the table. I've gone and created a quick table. Table is basically a lightweight way where you can store information. This is a table that will store their name and their dues-paid status. So, let's go to the functions.

You have the ability to automatically add rows to tables. I click Tables, and I click, Create Row. I can choose the table, which is Dad Dues. 

I then want to drag their first name into the table, and then their due pay status is “Def Not Paid.” Exclamation mark. Let's save again. 

Arvil Nagpal: So, we have our flow end-to-end now: We have the trigger. We have some conditional logic, to make sure we've got the right group. We've got the right user, they make sure they have the Dad Rating of 10. I invite the user to a channel. I send a message to that channel. And then I create a row in a table. 

Let's go ahead and test. Hopefully this will work. Here's our Dad Group. Let's click Manage People. Let's click Jess. Let's click Add. Let's click Save. Adding one user to the group in progress. Let's make sure that this fires. Awesome. Let's come back here. Let's scroll over. Let's go to flow History. User not found. Hmm.

Arvil Nagpal: Okay, so this is interesting. I've got an error, and the user ID was not found, for some reason. “HTTP requests 400 user not found.” Okay, interesting. So, something happened with my user ID. 

Let’s go back to our flow. Let's test it. Let's test this with another, let’s make sure I have the right, ah I may have this space. That's what's going on. Let's go ahead and test this again. So, I actually have to remove Jess from this group. Let's click Save. “Removing one user from group in process.” Let's go ahead and re-enter to re-trigger it. Let's just make sure that I saved this. Yep, I did. Save. Some progress. I come into Flow History. Okay. Now it's successful.

Arvil Nagpal: Let's go through the flow history. So, all these green checks demonstrate that certain parts of the flow were successful. She's got a data rating of 10. We invited the user to a channel. We sent a message to the channel, and now let's double check that everything is correct. 

Let's go up to my users, Dad, Inc. Sweet. “Jess, you've been admitted to the best employee research group this galaxy has ever seen. I hope you are proud of this accomplishment. Please pay your dues.” 

Let's go back to our table and refresh, and see if this all worked out. Awesome. It updated. Perfect. 

Well, that was just a quick demo. Hope you guys enjoyed that.

Arvil Nagpal: Back over to the rest of the presentation. Thanks.

Arvil Nagpal: Great. Well hopefully you guys enjoyed that demo from my hat-wearing alter ego. We're now going to talk a little bit about the use cases that we're focusing on for this year. We are being very targeted with what we're addressing in terms of Lifecycle Management use cases for this year. This is a flexible, generic and powerful platform, so it's important that we focus. 

We're going to be talking about these in more detail a little bit later in the presentation, but the five use cases that we're focusing on are: 

  • advanced provisioning and deprovisioning—so, creating, updating, and deactivating users and third-party systems,
  • resolving identity creation conflicts and creating GUIDS,
  • improving visibility and sharing lifecycle data,
  • notifications; and finally, 
  • using time as a way to influence policies to manage identity lifecycles.

I'm now going to hand it over to the Discount Tire guys. Brent will be talking about how Discount Tire has seen value from implementing Workflows for three of these five use cases. Take it away, Brent. 

Brent Wiley: All right. Thank you, Arvil. I just want to introduce myself. I am Brent Wiley, a system engineer/IAM team lead for Discount Tire. For those of you who don't know us, we are America's largest independent tire and wheel retailer. We were founded in 1960 in Ann Arbor, Michigan, by Mr. Bruce T. Holley. He left us with a few operating philosophies and some life lessons before he passed away a couple years ago, and they are still important to us. 

Our operating philosophies are the ones that you see on the top row here, especially about our customers, and this is our baseline philosophy for our stores. Every day we must earn the right to call you our customer. So, this is embedded in our management and in our stores. Then, we have our life lessons here on the bottom row: Honesty. Work hard. Have fun. Be grateful. Pay it forward. Again, these are things that our management and stores live by.

Brent Wiley: We are in 1,000-plus locations across 35 states. We have about 24,000 users, employees, and contractors between the stores and our regional and corporate offices. For those of you who may live in California, we go by America's Tire and Parts in California, and for anybody who’s in those gray areas up in New York and elsewhere, we also go by Discount Tire Direct in the markets where we don't have retail stores. That's the background on the company itself.

Brent Wiley: For our team specifically, we report into our security team and directly to our CISO.

Brent Wiley: Specifically around our objectives, our user experience, we provide single sign-on, self-service password reset, things that will improve the user experience for our employees. We also strive to improve our operational efficiency. For that, we want to automate wherever possible—try and eliminate some of those manual steps that end up causing strife in our processes. And then, we want to increase our security posture. That's where we want multi-factor authentication, adaptive MFA, and using products like Okta ThreatInsight.

Brent Wiley: The focus for our team specifically—we want to be the owners of identity. We want a single view instead of having to find our users in multiple disparate systems. We want to deliver new capabilities. We want SAML, we want OAuth, we want integrations with mobile applications. 

We have a brand-new tire tread reader at stores that's on an Android device that we want to be able to integrate with using OAuth. We want to be able to have rules for applications: when to put somebody into an application, when to give them a certain role inside of that application, when to remove them from an application. And then, we want MFA for security process.

Brent Wiley: Background on our environment: We have Workday as a Master. So, we're pushing and pulling users from Workday into Okta. Then, inside of Okta we're provisioning down into our Active Directory on-premises systems. 

We also have a separate Active Directory forest that is for what we call retail. Those are for our tire technicians, our managers at the stores. They want to be able to get in and out of systems quickly, so they have a different password policy. It doesn't require MFA and gets them in and out of our applications as quickly as possible because they're helping customers. They don't want to have to put in a 16-digit-long password.

Brent Wiley: We had a historical need after we set this process up in 2017. We found some things that we needed to enhance as we pushed through. Some of those would be: moving OUs (organizational units) in Active Directory; deleting old accounts in Active Directory and Okta; processing permissions for people who go on leave; and when they return from leave, getting all those permissions set when they come back.

Brent Wiley: We defaulted as Active Directory folks to just using PowerShell scripts, and that worked for a little while. The issues we had with that are: there was custom code that had to be maintained and updated. There were scheduling conflicts with other scripts. There were delays in synchronizing that information back up to Okta. As a result, we had a patchwork of on-premises PowerShell scripts that acted on both AD and in Okta via API calls. 

Our management wanted to avoid any new custom PowerShell code, and to keep lifecycle events in Okta. We identified Workflows as part of an early adoption program with Okta and we wanted to see what that might do for us. We found it fit our desire to avoid the custom code. It eliminated the time delays coming back to Okta, and that Okta-AD synchronization that occurs on a time schedule. And, it allowed real-time events with triggers instead of the passive batch approaches that we had with PowerShell.

Brent Wiley: We identified a few pain points that Workflows could help us with and some of these are listed on the screen here. As you may remember, we previously couldn't delete users in Okta, and then whenever we did get the permission to delete users in Okta, we didn't have any good automated way to do it. We were going to put that in with a PowerShell script and then when we found Workflows, we stopped and moved to Workflows.

Brent Wiley: We had group rules. Best practices for Okta are to have an Everyone group, but then not have that Everyone group assigned to applications. So, you want to assign a company-specific Everyone group. As a rule, all new users go into that new group. The problem is, if we assign that group to an application, then we have an issue where, depending on when the account was created, did it evaluate the Everyone rule or did it evaluate the Company rule first? We had some issues with when the rules ran and what order they ran in.

Brent Wiley: We also had an issue with a new requirement from one of our business teams where they needed to keep access for employees after they left the company for a period of, you know, X number of days. We needed to come up with a process that removed all access for the user except for this one application. What we found is that PowerShell scripts would run, they were delayed, they would run out of order, and it ended up causing some partial evaluations of those accounts and left them in a flux state in both Okta and in Active Directory.

Brent Wiley: And then finally, we had some issues with data fidelity where our Workday integration with Okta had a blip and caused some of our non-prod environments to lose data. What we wanted to do was have a way to back up that data—have it available if there was another issue in the future. 

So, without further ado, I will send it over to our resident Wizard of Workflows, Benny Reddy.

Benarjeey Reddy: Hello everyone. I’m Benarjeey Reddy and I go by Benny. I'm with Discount Tire, working as an identity access management technical analyst, and I'm here to present the list of instruments that we got and achieved through the Workflows console, which is powered by Okta and which is a wonderful automation tool with zero coding.

As Brent mentioned, we have a couple of use cases that we considered pain points, and with the Workflows console we addressed those issues very quickly, in an efficient, timely manner. 

The first pain point is, since Discount Tire is a retail company, we have a lot of onboarding and offboarding processes that happen within our enterprise system. We have nearly 35,000 accounts in the active state, and we wanted to clean up these accounts in an efficient way. As we got to know the Workflows console, we thought this would be the best solution to delete deactivated accounts in few minutes.

Benarjeey Reddy: I used different workflow function cards, where it's fetching users and doing some computation and applying filters. Finally, we send an API action to delete the users from Okta tenant by using the Workflows console. By doing it this way, within a short time of a week or so, we were able to delete 28,000 accounts which is a great achievement for our team in terms of maintaining retention policies for the Discount Tire enterprise.

Benarjeey Reddy: Coming to the second point, we have group rules which are not running in sequence. Initially, since Okta keeps updating their system, the group sequence we initially configured was not in sync, just because the priority of the sequence got changed to alphabetical order. We thought of doing it by PowerShell, but again, it's a maintenance effort and timing overlap with the PowerShell scripts, so we thought of using Workflows console.

Benarjeey Reddy: We implemented Workflows in a way that the group rules would be triggered in a sequential order with the wait time of 20 seconds. For that, we use the scheduler which runs from 5 AM to 5 PM every day, which deactivates the group rule and waits for a certain period of time before it activates the rule. 

By having this flow, we were able to see good results, where the users are not being stuck in any kind of grace condition and are being provisioned to the started applications downstream in efficient way.

Benarjeey Reddy: As Brent mentioned, we have a new business requirement that employees should have access to a certain application for a period of time, and contractors should be terminated right away with no access to any other applications connected to the identity platform. The logic lay within PowerShell, but PowerShell was tough to maintain, and the efficiency and the timing issues caused discrepancies. The problem was, we could not run the scripts hourly. We just wanted to automate the process to run in real time.

Benarjeey Reddy: With the introduction of Workflows, we were able to read all the events from the Okta tenants and make some updates on the user. Whenever a user is suspended, we're going to do some computation. As per our requirement, we're going to deactivate the account—send a deactivation action to Okta saying if the user is a contractor, deactivate, and if the user is an employee, just unsuspend and leave the user in an active state with an application which they should have access to for at least a period of time. 

This was a big achievement in terms of our LCM process that we were doing with PowerShell. Since doing this Workflows console, we were able to get rid of PowerShell and minimize the custom code that we have in this contact platform.

Benarjeey Reddy: The final pain point is about data fidelity and back-up. In terms of data fidelity, we never had any way that we could take a snapshot of Okta user data and implement any feature flags or any integrations that we do as part of IMT. So recently, we found out that the Workflows console also provides tables, which is a great mechanism where we can write data into the tables and see what events got captured and identify what changes were being applied before and after deployment. 

In terms of any feature flag that would enable, or any import that runs between, we have multiple systems running imports, talking to Okta. If any system arrives or overrides any data, we can easily identify it by using Workflow tables. 

As I mentioned, we’re going to fetch the events from Okta system lots and we're going to write data into a table. Workflow provides 100K rows, which is an excellent feature, and we’re able to easily parse the tables, based on a certain period of time or based on the availability of data for our lookup.

Benarjeey Reddy: Currently we have two in our production system and two in our non-pro systems where we are targeting to deploy by end of April. On the flight, we do have a couple of use cases, like the administrator should be notified when an application got activated or deactivated, or any kind of identity provider configuration got updated. We have to know, we have to be notified. 

Whenever we support access to Okta support technicians, we will be notified from which tenant and who enabled and what is the time frame that was enabled for the support technicians. All the flows that I'm working so far, I've done with the coordination and engagement of the entire Workflows team. They provided great support and help to me throughout the deployment and throughout the development activities. I'm happy that we were able to automate things quickly and efficiently, and that we were able to get rid of custom coding.

Benarjeey Reddy: Thanks for the opportunity, and I'm going to hand it over to Arvil Nagpal.

Arvil Nagpal: Thanks Benny. We bring customers in to help you understand how they use this product, and to identify real-life use cases and pain points. So, I hope that was helpful.

Arvil Nagpal: We're now going to be deep diving. I mentioned a few of the Workflows use cases up front. We're now going to go through each one and we're going to talk about example flows for how one could implement Workflows for advanced provisioning and deprovisioning. So, I want to not just create users, but ensure they have the right groups, licenses, and access levels, for example.

Arvil Nagpal: When we think about thoroughly provisioning, frequently we'll create an account in Salesforce with some attributes. But now with Workflows, we can go much deeper. We can assign licenses. We can look up their team in Okta and then assign them a territory. 

When it comes to deprovisioning, this is really around, depending on the application, how do we deprovision in a way that's non-destructive? So, for example, with something like Box or G Suite, we might suspend the user and then look up their manager, transfer their folders to their manager, and then finally delete the user. So, it's about using Workflows to improve the degree to which you're customizing these onboarding and offboarding flows according to your business process.

Arvil Nagpal: Second—a key thing within every organization we talk about is when there's a new user, the onboarding process involves two things. The first is making sure they have a unique identity and unique identifiers. 

The first use case involves resolving conflicts around those unique identities. So, for example, John Smith might come in and that username has already been taken: John.Smith[at]Okta.com, for example. 

Now, using the Import Inline hook in a scheduled import from something like Workday with our existing HR integrations, you can be notified of that conflict and build resolution logic in Workflows, like adding a one (1) to the end of their username or adding a middle initial. Then, after running that logic, the user will be successfully imported. So, it's a way to automate conflict use cases.

Arvil Nagpal: The second onboarding issue is around GUIDs. For example, at Okta we have employee IDs. Now you can build that GUID logic directly in Workflows, specifying the degree to which you want numbers versus strings, the length of that identifier. And then making sure after that flow runs that the user profile is updated in Okta directly.

Arvil Nagpal: The third use case we're going to be talking about is around improving visibility and sharing data. Okta is a sensitive system. It has a lot of implications as to what happens to different users. We want to make it easier for you to be able to consolidate and share data based on lifecycle events.

Arvil Nagpal: Today, we get a lot of customer requests where they try to hack together basic reports like, “What members are part of this group?” They’re utilizing custom code to color APIs … I've heard of customers literally copying and pasting things from the UI itself, which pains me as a product manager. Those reports are mainly formatted and emailed around to different people.

We think we can do way better. With Okta Workflows, whether that is an event-based trigger or a periodic poll of our API using the optic connector, you can run logic like, “Get me all the users in this group.” Or, “Every time a user is suspended, I would like to store them in a table.” 

Then, with both our CSV export functionality as well as our integrations to Google Sheets Excel Online, that data can be automatically emailed and exported to whomever needs access to that data, whether it's other IT administrators or your business partners.

Arvil Nagpal: The fourth use case is around notifications. People need to be notified when things happen in Okta. It happens all the time. Two examples that we hear about are around notifying end users and notifying other administrators.

For example, when a user is assigned to the app in Okta, many admins want to notify that user that they've been given access, and then potentially send an email with Office 365 to their manager. 

Separately, many things happen in Okta. API tokens are created—those are pretty sensitive. Maybe you want to notify other administrators when that occurs. In this flow on the bottom, you can email an admin distribution list, as well as the Head of IT anytime an API token is created.

Arvil Nagpal: Finally, the last case is using time to our advantage to modulate who has access to what. For example, when terminating an employee, often a company will want that employee to retain some access. So, for example, you can move them to a separate group that is specific to terminated employees, where they only have access to one or two applications. Then, on a scheduled basis (a year later) you can turn off all their access. You can set that policy up front, and it'll be fully automated.

Arvil Nagpal: Secondly, you can create time-bound access. We hear about this with contractors a lot. “Hey, I want to create this contractor, but 90 days later I want to automatically suspend them because I want to maintain a strong security posture and I've got a rogue account issue.” You can now do all that with Workflows.

Arvil Nagpal: And finally, a common use case is around suspending inactive users. Sometimes people don't log in to the product. Let's say, after 30 days of them not logging in, you'd like to send them an email warning and then a week after that you actually want to deactivate them.

Arvil Nagpal: So those are three separate use cases where you can use our functions related to time and dates to your advantage in making sure that people only have access to what they need. 

There are other use cases, and honestly, we're just not quite there yet. These are four that come up time and time again. Human workflows, so those access requests and approvals. HR as a Master: We can extend HR as a Master functionality as our existing integrations work, but we don't quite have HR integrations yet, and we aren’t able to support complex password delivery flows. 

Arvil Nagpal: With customer identity, we're not quite there yet with a dedicated SKU, and we're not supporting any customer identity use cases, but that will definitely be coming this year. 

Finally, around security orchestration automation and response. When something that's more security-oriented happens in Okta and you'd like to notify, that's totally fine. But we don't quite have the deep integration yet with these security orchestration and response systems. 

I think all of these are coming in short order in the next year, or so. We're actively working towards expanding the use cases that we're serving today.

Arvil Nagpal: On the roadmap this year we're working on three big areas. We want to deepen our connector catalog and make sure that we have the best identity-focused set of connectors that exists in the industry. We want to provide tooling to help you manage flows at scale. 

Community is critical for us. We want builders to be able to discover and share both flows as well as connectors. 

In terms of next steps: Get Workflows. That's our best advice. We'd love your feedback in trying out the product. If you've already got the advanced Lifecycle Management SKU, talk to your CSM or reach out to Support to get access. If you don't have the SKU yet, talk to your rep. You can check out our tutorials at [email protected], and then definitely feel free to email us with any questions at [email protected]

Arvil Nagpal: Finally, I want to recommend a few Roadmap sessions. My boss, David Shackelford, will be giving a session on 1:00 on Wednesday where he'll be talking about roadmap related to Workflows itself. George Kwon will be doing a roadmap presentation for Lifecycle Management as a whole, of which Workflows is a component, Thursday at 11am. Finally, since much of what we do is integrated with other systems. I'd recommend listening to the roadmap session related to the Okta integration network on Thursday at 2:00.

Arvil Nagpal: Thank you so much for listening, and I appreciate your time.