Dynamic Groups

Dynamic Groups creates and maintains Okta groups based on user profile attribute values (for example, department or location). Use it to build IdP groups at scale, then assign those groups to your existing Scimify SCIM apps for downstream provisioning.

This integration manages groups in Okta via the Okta Management API. It does not require a SCIM app in Okta for Dynamic Groups itself.

Overview

  • Scimify reads active Okta users and their profile attributes on an hourly schedule
  • For each configured attribute rule, Scimify creates one group per unique attribute value
  • Users are added to the matching group (for example department_engineering for department Engineering)
  • Created groups can be assigned to Veraproof Scimify SCIM apps in Okta for normal group push to Slack, GitHub, and other integrations

Prerequisites

  • Okta administrator access (to create API tokens and custom admin roles)
  • Scimify tenant with Admin access
  • User profile attributes populated in Okta for the fields you want to group on

Create a least-privilege Okta API token

Avoid Super Admin. Use a dedicated service account with a custom admin role that grants only:

| Permission | Why needed |
|---|---|
| okta.users.read | List active users and read profile attributes |
| okta.schemas.read | Attribute discovery in the Scimify UI |
| okta.groups.read | Resolve existing groups and read memberships |
| okta.groups.manage | Create/delete groups; add/remove members |

Do not grant: user create/update/delete, application assignment, or unrelated admin scopes.

Steps:

  1. Create a service user in Okta (or use a dedicated admin account).
  2. Create a custom admin role with the permissions above.
  3. Assign the role to the service user.
  4. Sign in as that user and create an API token.
  5. Store the token securely; rotate periodically. Never share it in support tickets.
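
Before creating the token in step 4, the custom role can be checked against the four permissions above. This is an added example, not Scimify or Okta code: the JSON is constructed sample data, and its shape (a `permissions` array of objects with a `label`) and the names `audit_role` and `classify_excess` are assumptions.

```python
import json

# The four permissions the page lists for the custom admin role.
REQUIRED = {"okta.users.read", "okta.schemas.read",
            "okta.groups.read", "okta.groups.manage"}

# Constructed sample: permission listing of a hypothetical custom role.
# Assumed shape: {"permissions": [{"label": "<permission>"}, ...]}
SAMPLE_ROLE_JSON = """
{"permissions": [
  {"label": "okta.users.read"},
  {"label": "okta.groups.read"},
  {"label": "okta.groups.manage"},
  {"label": "okta.users.manage"},
  {"label": "okta.apps.assignment.manage"}
]}
"""


def classify_excess(label):
    """Map an extra permission onto the page's 'Do not grant' list."""
    if label.startswith("okta.users."):
        return "user permission beyond okta.users.read"
    if label.startswith("okta.apps."):
        return "application permission"
    return "unrelated admin scope"


def audit_role(role_json):
    """Report permissions the role lacks and permissions it should not have."""
    granted = {p["label"] for p in json.loads(role_json)["permissions"]}
    missing = sorted(REQUIRED - granted)
    excess = {label: classify_excess(label) for label in sorted(granted - REQUIRED)}
    return {"ok": not missing and not excess, "missing": missing, "excess": excess}


if __name__ == "__main__":
    print(json.dumps(audit_role(SAMPLE_ROLE_JSON), indent=2))
```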

Configure Dynamic Groups in Scimify

  1. Open Integrations in the Scimify admin console.
  2. Create a Dynamic Groups instance.
  3. Enter:
    • Okta domain — e.g. company.okta.com
    • Okta API token — the SSWS token from the step above
  4. Configure policies:
    • Group name normalization — underscores or hyphens in generated group names
    • Empty groups — keep or delete when a group has no members
    • Membership policy — how manual Okta membership changes are handled (see below)
    • Group name collision policy — adopt or skip when a group name already exists in Okta
  5. Add attribute rules (attribute path, name prefix, optional description).
  6. Click Assess on each rule to preview how many groups will be created before enabling sync.
  7. Save and Enable the instance.

Membership policies

| Policy | Behavior |
|---|---|
| Respect manual changes (full) | Manual adds/removes in Okta are kept; Scimify only adds missing members and removes users when their attribute value changes |
| Respect manual changes (partial) | Manual adds are kept; users manually removed from the correct group are re-added on sync |
| Enforce Dynamic Groups | Scimify reconciles membership every sync to match current attribute values |
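
The three policies differ in which members survive a sync, which matters once the group is assigned to downstream apps. The model below is an added example, not Scimify's code: it assumes the sync keeps the set of users that matched at the previous sync (`prev_desired`), and the policy keys, function names and user names are hypothetical.

```python
def plan_sync(policy, desired, current, prev_desired):
    """Return (adds, removes) for one group under a membership policy.

    desired      -- users whose attribute value maps to this group now
    current      -- users in the Okta group right now
    prev_desired -- users that matched at the previous sync (assumed state)
    """
    # Members whose attribute no longer maps here: removed under every policy.
    attribute_changed = (prev_desired - desired) & current
    if policy == "enforce":   # membership is reconciled to the attribute
        return desired - current, current - desired
    if policy == "partial":   # manual adds kept, manual removes undone
        return desired - current, attribute_changed
    if policy == "full":      # manual adds and manual removes both kept
        newly_matching = desired - prev_desired
        return newly_matching - current, attribute_changed
    raise ValueError(f"unknown policy: {policy}")


def members_after(policy, desired, current, prev_desired):
    """Apply the plan and return the resulting membership."""
    adds, removes = plan_sync(policy, desired, current, prev_desired)
    return (current | adds) - removes


# Constructed scenario for group department_engineering.
PREV_DESIRED = {"alice", "bob", "carol"}   # matched at the last sync
DESIRED = {"alice", "bob", "dave"}         # carol changed department, dave joined
CURRENT = {"alice", "carol", "erin"}       # bob removed and erin added by hand


def unmatched_members(policy):
    """Members left in the group whose attribute does not map to it."""
    return members_after(policy, DESIRED, CURRENT, PREV_DESIRED) - DESIRED


if __name__ == "__main__":
    for policy in ("full", "partial", "enforce"):
        after = members_after(policy, DESIRED, CURRENT, PREV_DESIRED)
        print(policy, sorted(after), "unmatched:", sorted(unmatched_members(policy)))
```

In this scenario the manually added user stays in the group under both "respect manual changes" policies and is removed only under Enforce Dynamic Groups.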

Group name collisions

| Policy | Behavior |
|---|---|
| Skip existing groups | If Okta already has a group with the computed name, Scimify does not manage it |
| Adopt existing groups | Scimify links to the existing group and manages membership |

Discover attributes

Use Discover attributes in the integration config to list Okta user profile fields. Common paths:

  • profile.department
  • profile.costCenter
  • profile.title

See the Okta User Schema API.

Assess attribute rules

Before saving, use Assess on each rule to see:

  • Total number of groups that would be created
  • Sample group names and member counts
  • Collision status (new / adopt / skip / already managed)

Prefer low-cardinality attributes (department, location, cost center). Avoid high-cardinality fields (title, manager name) unless intentional.
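
To reason about cardinality and collisions offline, the Assess summary can be approximated from an export of users. This is an added example, not Scimify's implementation: the users are constructed, and the normalization in `group_name` (lowercase, non-alphanumeric runs replaced by the separator) is an assumption chosen to match the `department_engineering` example.

```python
import re
from collections import defaultdict

# Constructed sample users (hypothetical logins and profile values).
USERS = [
    {"login": "alice", "profile": {"department": "Engineering", "title": "Staff Engineer"}},
    {"login": "bob", "profile": {"department": "Engineering", "title": "SRE"}},
    {"login": "carol", "profile": {"department": "Engineering", "title": "Engineer II"}},
    {"login": "dave", "profile": {"department": "Sales Ops", "title": "Account Exec"}},
    {"login": "erin", "profile": {"title": "Contractor"}},  # no department set
]

def lookup(user, path):
    """Resolve an attribute path such as profile.department."""
    node = user
    for key in path.split("."):
        node = node.get(key) if isinstance(node, dict) else None
    return node

def group_name(prefix, value, sep="_"):
    """Assumed normalization: lowercase, non-alphanumeric runs become sep."""
    slug = re.sub(r"[^a-z0-9]+", sep, value.strip().lower()).strip(sep)
    return f"{prefix}{sep}{slug}"

def assess(users, path, prefix, okta_groups, managed, collision="skip"):
    """Preview group names, member counts and collision status for a rule."""
    members = defaultdict(set)
    for user in users:
        value = lookup(user, path)
        if isinstance(value, str) and value.strip():  # no value, no group
            members[group_name(prefix, value)].add(user["login"])
    report = {}
    for name in sorted(members):
        if name in managed:
            status = "already managed"
        elif name in okta_groups:
            status = collision  # "adopt" or "skip", per the collision policy
        else:
            status = "new"
        report[name] = {"members": len(members[name]), "status": status}
    return report

if __name__ == "__main__":
    existing = {"department_engineering"}  # constructed: already in Okta
    print(assess(USERS, "profile.department", "department", existing, set()))
    print(len(assess(USERS, "profile.title", "title", existing, set())), "title groups")
```

On the sample data the department rule yields two groups while the title rule yields one group per user, which is the high-cardinality case the guidance above warns about.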

How sync works

  • Sync runs every hour automatically (not configurable)
  • You can also run Sync now from the integration config
  • First sync creates groups and adds members; later syncs apply membership policy and attribute changes
  • The sync status line shows last sync time, status, and counts of managed groups and licensed users

View managed groups

After at least one sync, click Show groups in the integration config to list every Okta group managed by this Dynamic Groups instance. The list includes:

  • Group name — the normalized name Scimify uses in Okta
  • Member count — current members in the group
  • Adopted — whether Scimify linked to an existing Okta group instead of creating a new one
  • Attribute value — the raw profile value that produced the group (when applicable)

This view reflects groups tracked in Scimify’s sync state, not a live query of every group in your Okta org. Use it to verify which groups Dynamic Groups is managing after configuration changes or a sync.

Use Show stale groups to list managed groups that currently have zero members (useful when your empty-group policy is set to Keep empty groups).

Removing an attribute rule

When you remove an attribute rule and Save the integration configuration:

  • Scimify stops managing groups that were created for that rule
  • Scimify removes those groups from its database (managed-group list, user state, and licensing counts)
  • Scimify does not delete the corresponding groups in Okta

The Okta groups remain in your org with their current memberships. Scimify will no longer add or remove members for them, and they will no longer appear in Show groups or count toward Dynamic Groups licensing.

You are responsible for cleaning up Okta. If you no longer need those groups, delete them manually in the Okta Admin Console or via the Okta Groups API. Review group assignments to Scimify SCIM apps and other integrations before deleting.

If you remove a rule by mistake, add it back with the same attribute path and name prefix, then run Sync now. Scimify can recreate or re-adopt groups depending on your collision policy, but previously removed Okta groups must still exist (or be recreated) for adoption to succeed.

Using groups with other Scimify integrations

  1. In Okta, assign the dynamic groups to your Veraproof Scimify SCIM applications.
  2. Configure Okta SCIM group push as you would for any other app group.

Licensing

Users who are members of at least one actively managed Dynamic Group count toward your Scimify license. Groups tied to a removed attribute rule are excluded from licensing as soon as you save the configuration. The same user in Dynamic Groups and another Scimify integration is counted once.

Troubleshooting

| Issue | Suggestions |
|---|---|
| Test connection fails | Verify domain, token, and custom role permissions |
| Groups not created | Check Assess output; verify attribute path and that users have values |
| Unexpected group list | Use Show groups to confirm which groups Scimify is managing; compare with Okta |
| Removed attribute rule but groups remain in Okta | Expected — Scimify does not delete Okta groups; remove them in Okta Admin if no longer needed |
| Name collision / skipped groups | Rename the existing Okta group or switch collision policy to Adopt |
| Too many groups | Use a lower-cardinality attribute; review Assess before enabling |
| Rate limiting | Large orgs may take longer; sync retries on the next hourly run |

Need help?

Contact Veraproof support if you need assistance with Dynamic Groups setup.