Dynamic approvers
Resolve the appropriate approver from an Okta user or group instead of embedding a fixed email address in every workflow.
Turn Okta users and groups into runtime routing context for AI agents and workflows.
Roster connects to your Okta organization to resolve who should approve, own, review, receive, or handle work. Use current Okta users and groups as the organizational foundation for participant resolution—without hard-coding names into prompts, workflows, or application logic.
Last verified 07/13/2026
Okta provides the users, groups, profiles, and membership data your organization already maintains.
But an agent or workflow rarely asks only:
“Which users belong to this group?”
It asks:
“Who should approve this request?”
“Who owns this customer escalation?”
“Who is responsible for the security review?”
“Who should act while the normal owner is unavailable?”
Roster turns selected Okta users and groups into participants with project, role, metadata, and delegation context—then exposes that context to AI agents, automation systems, CI pipelines, and internal applications.
Roster's native Okta connector reads users, groups, and direct group membership through the Okta Core API.
When an administrator searches for an Okta user or group from Roster, the connector queries Okta live.
After the administrator associates a selected record with a Roster participant, Roster materializes that record for participant resolution. For a selected group, Roster also stores the direct membership relationships needed to resolve its members.
Roster does not full-sync every user, group, and membership in your Okta organization. Its worker refreshes the selected records and membership relationships used by Roster on a configured schedule.
Resolve the appropriate approver from an Okta user or group instead of embedding a fixed email address in every workflow.
Map an Okta group to a Roster participant such as Vendor Security Reviewer, Regional Finance Owner, or Production Release Approver.
Apply time-bound Roster delegations when the normal participant is unavailable.
Resolve the user or group responsible for a particular project, customer, region, process, or risk level.
Give AI agents a reliable way to select the right person or team when a workflow requires human judgment.
An Okta group identifies a set of users. A Roster participant describes the business responsibility those users can fulfil.
The same Okta group can support different workflow responsibilities in different Roster projects without changing the source directory.
Roster participants can also carry business metadata such as: Region, Department, Approval threshold, Review type, Product, Customer segment, Escalation level.
That gives the resolver more context than a directory lookup alone.
Once Okta records have been associated with Roster participants, the same organizational context is available across Roster's integration surfaces.
Let Claude, ChatGPT, Codex, or another compatible MCP client ask open-ended routing questions.
Add participant resolution to internal applications, automation platforms, and custom agent runtimes.
Resolve ownership or sign-off requirements from the terminal or a CI pipeline.
Let administrators and project owners browse Okta records, create participants, manage memberships, configure delegations, and review resolution activity.
| Okta data | Used by Roster | Materialized in Roster |
|---|---|---|
| Stable user ID | Yes | For selected users and group members |
| User login | Yes | For selected records |
| User email | Yes | For selected records |
| Display name | Yes | For selected records |
| Stable group ID | Yes | For selected groups |
| Group name | Yes | For selected groups |
| Group email, when present | Yes | For selected groups |
| Direct group members | Yes | For selected groups |
| Passwords and authenticators | No | No |
| Applications and entitlements | No | No |
Roster normalizes the selected provider records into its own directory-user and directory-group representation while retaining their Okta source identifiers.
The connector currently uses these Okta Core API resource paths:
/api/v1/users
/api/v1/groups
/api/v1/groups/{id}/usersRoster's current connector is designed to read the user, group, and membership information needed for participant resolution. It does not use the connector to administer Okta users or groups.
Roster uses two deliberate data-access modes.
An administrator can search Okta live while selecting users or groups from the Roster participant picker. This makes it possible to find records that have not previously been added to Roster.
After a record has been selected, Roster stores the directory representation required for participant resolution. REST and MCP directory searches use this materialized Roster data rather than calling Okta live during every agent or workflow request. This provides a consistent runtime dataset across Roster's API, MCP, CLI, and platform surfaces.
To configure the Okta directory connector, you need:
The current connector uses SSWS API-token authentication with the Okta Core API.
Use the least-privilege Okta administrator role that allows the connector to read the required users, groups, and membership information. Apply appropriate token ownership, rotation, expiration, and revocation controls.
Example secret reference:
env:OKTA_API_TOKENKeep the token outside application code and source control.
Roster supports two separate Okta integration paths.
Provides users, groups, and group membership for participant resolution.
Lets human team members sign in to the Roster platform through Okta using OIDC—or through an independently configured SAML application.
These integrations can be used independently or together. Configuring Okta login does not automatically make Okta directory records available to the resolver. Likewise, configuring the directory connector does not automatically enable Okta login.
Roster refreshes the users, groups, and direct group memberships selected for participant resolution rather than importing the entire Okta directory.
The Okta API token can remain in the deployment environment or secret manager and be referenced by the Roster connector.
Roster's worker updates selected directory records and cached membership relationships according to the configured refresh schedule.
Materialized records retain their provider-specific source information and stable Okta identifiers.
Agents, service accounts, and applications still require appropriate Roster credentials, scopes, and project access before they can read or resolve participant data.
An automation receives a vendor-renewal request for the Atlas project. The workflow knows: the project, the vendor region, the contract value, the action that requires approval. It does not contain a fixed approver email.
Instead, it asks Roster:
“Who should approve the Atlas vendor renewal for Europe at this amount?”
Roster evaluates:
The workflow receives the active participant and continues with its existing approval-delivery mechanism. Roster resolves who should receive the request. Your workflow engine remains responsible for sending, collecting, and enforcing the approval.