Realms: A new, flexible way to manage your organization

Okta’s vision for Universal Directory includes providing a centralized approach to Identity management that allows customers to integrate any technology stack into a comprehensive, central cloud directory for unified management. In today’s world, unified Identity management is increasingly challenging.

Relying on a workforce composed of employees, contractors, seasonal workers, and business partners, organizations adopt complex business structures with mergers and acquisitions, subsidiaries, regions, divisions, and/or business units.

To provide flexibility in modeling identities, Okta is introducing Realms to enable customers to leverage Universal Directory as a central management plane for unique use cases. Realms is a new directory construct that lets customers segment user populations in a single org based on their unique needs. Along with deployment models like hub-and-spoke, Realms offers customers more options for architecting their organizations. Realms is now Generally Available via Okta Identity Governance and Secure Partner Access.

Why unified Identity is so challenging

IT teams often struggle to manage global and heterogeneous users who are sourced in various ways. This complexity can lead to fragmented technology environments, difficulty implementing least-privileged access, and slowed workforce productivity that ultimately hinders business growth.

To address these challenges, organizations currently turn to architectures like hub-and-spoke to segment and delegate management of mutually exclusive user populations. While a hub-and-spoke architecture offers an effective way to carve out user populations, especially to meet regional compliance needs, it can also significantly increase overhead for administrators looking to manage distinct user populations. Organizations and IT teams need a centralized way to manage all identities and gain visibility into who has access to what applications in a holistic manner.

How Realms can help

Realms introduces strict segmentation of populations within an org, providing a streamlined and secure experience for admins who:

  • Manage dynamic organizations with distinct user populations (e.g., business units, acquisitions, subsidiaries, divisions)
  • Want to delegate administration of distinct user populations to local help desk admins
  • Want to increase IT efficiency and reduce the number of user management tickets coming to central IT teams

Model unique distinct populations within a single org

Using Realms, admins can segment users into mutually exclusive populations within a single org. This provides strict boundaries between segments of users to safeguard user data and securely delegate management of subsets of the workforce without duplicating users or policies in distinct orgs.

Automate realm designation for simplified user onboarding

With new Realm Assignments, new users can automatically be added to the correct realm without any admin intervention. This increases user onboarding agility by automating the process, which is especially important for large organizations where users originate from HR sources, IdPs, and other directories.

Delegate user management

By leveraging the Custom Admin Role Framework, flexible “Realm Admin” roles can be created to handle tasks like password resets, user creation, and application or group assignment within the scope of a realm’s user population. This allows IT teams to scale effectively and reduces the administrative burden on central IT admin teams. Central IT teams are empowered to delegate daily help desk tasks to local admins for a specific subset of the user population while minimizing what the admin has access to and preventing over-privileged admins.

Automate realm management

Workflows allow admins to create, read, update, and delete realms automatically, alongside automating user creation and movement between realms. Workflows provide a way to automate and facilitate repetitive actions, freeing up IT teams and eliminating manual tasks.

Centralize governance for the entire workforce

Using Expression Language, Access Certification campaigns and entitlement policies can be scoped to users in single or multiple realms. This allows governance to be applied across multiple user populations within a single org, whereas customers leveraging multiple orgs to achieve delegated administration can’t holistically run campaigns across their entire organization, leading to a piecemeal approach to governance.
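The three mechanisms described above (rule-based realm assignment, realm-scoped delegated administration, and scoping a campaign to one or more realms) share one security property: every user sits in exactly one realm, and every delegated action is checked against that realm. The following Python model is an added illustration, not Okta code and not the Okta API or Expression Language; the realm ids, rule names, permission strings, sources and sample users are all constructed. It shows the first-matching-rule-by-priority behaviour, the fallback to a default realm, and the two-part authorization check (permission granted and target inside the admin's realm) that keeps a local help desk admin from touching users in another population.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

# Added illustration of realm segmentation. This is NOT Okta's data model or
# API; all identifiers (realm ids, rule names, permission strings) are constructed.

DEFAULT_REALM = "realm-default"  # hypothetical catch-all realm for unmatched users


@dataclass
class User:
    id: str
    email: str
    department: str
    source: str                 # constructed label for where the identity originates
    realm_id: Optional[str] = None


@dataclass(frozen=True)
class AssignmentRule:
    name: str
    priority: int               # lower value is evaluated first
    realm_id: str
    condition: Callable[[User], bool]


def assign_realm(user: User, rules: Iterable[AssignmentRule]) -> str:
    """Place a user in exactly one realm: the first rule (by priority) whose
    condition matches wins; unmatched users fall through to the default realm.
    Returns the name of the rule that fired ("default" if none did)."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.condition(user):
            user.realm_id = rule.realm_id
            return rule.name
    user.realm_id = DEFAULT_REALM
    return "default"


@dataclass(frozen=True)
class RealmAdmin:
    id: str
    realm_id: str               # the single realm this admin may manage
    permissions: frozenset      # constructed permission strings


class Denied(PermissionError):
    """Raised when a realm admin's action fails the permission or scope check."""


def authorize(admin: RealmAdmin, action: str, target: User) -> bool:
    """Both checks must pass: the role grants the action, and the target user
    sits inside the admin's realm. Users in other realms are out of reach."""
    if action not in admin.permissions:
        raise Denied(f"{admin.id} lacks permission {action}")
    if target.realm_id != admin.realm_id:
        raise Denied(f"{admin.id} may not act on {target.id}: not in {admin.realm_id}")
    return True


def is_denied(admin: RealmAdmin, action: str, target: User) -> bool:
    """Negative-path helper: True when authorize() refuses the action."""
    try:
        authorize(admin, action, target)
    except Denied:
        return True
    return False


def campaign_scope(users: Iterable[User], realm_ids: Iterable[str]) -> list:
    """User ids in scope for a campaign limited to one or more realms."""
    wanted = set(realm_ids)
    return [u.id for u in users if u.realm_id in wanted]


# Constructed rules: an acquired company's IdP users go to their own realm first,
# regardless of department; HR-sourced users are then split by department.
RULES = [
    AssignmentRule("acquired-acme", 10, "realm-acme", lambda u: u.source == "acme-idp"),
    AssignmentRule("hr-sales", 20, "realm-sales", lambda u: u.source == "hr" and u.department == "Sales"),
    AssignmentRule("hr-other", 30, "realm-corp", lambda u: u.source == "hr"),
]


def build_sample() -> list:
    """Constructed users from three sources, each assigned by the rules above."""
    users = [
        User("u1", "ana@example.com", "Sales", "hr"),
        User("u2", "ben@example.com", "Engineering", "hr"),
        User("u3", "cy@acme.example", "Sales", "acme-idp"),
        User("u4", "dee@example.com", "Sales", "ldap"),
    ]
    for u in users:
        assign_realm(u, RULES)
    return users


if __name__ == "__main__":
    users = build_sample()
    helpdesk = RealmAdmin("adm-acme-helpdesk", "realm-acme", frozenset({"user.reset_password"}))
    for u in users:
        print(u.id, "->", u.realm_id)
    print("acme helpdesk may reset u3:", not is_denied(helpdesk, "user.reset_password", users[2]))
    print("acme helpdesk may reset u1:", not is_denied(helpdesk, "user.reset_password", users[0]))
    print("sales+acme campaign scope:", campaign_scope(users, ["realm-sales", "realm-acme"]))
```

Note that the acquired-company rule carries the lowest priority number, so a Sales user arriving from that IdP lands in the acquisition's realm rather than the corporate Sales realm; rule ordering is what makes the populations mutually exclusive when conditions overlap. The admin check deliberately tests permission before scope so that a denial never reveals which realm a foreign user belongs to.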

Improve your approach to org management

Business owners can leverage Realms to accelerate growth and business outcomes by implementing efficient Identity management and robust security within a single org.

Flexible deployment models

Users have the flexibility to choose how to architect an org: by leveraging realms, multiple orgs, or both. Companies with logical user segmentations and siloed or outsourced IT teams need to give admins access to the Admin Console to take key actions.

However, even with the flexibility of Custom Admin Roles, the scope of access is often too high for these admins. This can push IT teams to turn to multi-org deployments for segmenting user populations.

Realms introduces architectural flexibility to modeling these segments. This allows organizations to delegate user-management-related tasks while the central IT team maintains a single location to manage policies, applications, and governance of the full user population.

Centralized governance

Governance is applied at an org level, resulting in a fragmented governance structure for customers with multiple orgs. By leveraging Realms, a top-level organization admin can pull all users into a hub org with distinct segments.

They can then run campaigns across the entire user population (or a segment of the population) while delegating remediation actions to designated “Realm Admins.” Global IT admins can view the full results of a campaign across the entire org without having to reconcile results across fragmented orgs or campaigns manually.

Accelerated M&A agility

Top-level organizations can use Realms to efficiently onboard users to critical applications while the IT integration strategy and organizational structure are established. Users can be segmented into their own realms, and administration can be delegated to the acquired company’s admins without giving them access to the entire org and Admin Console. IT admins for the top-level org benefit from an easy and secure way to onboard users and maintain visibility across all application assignments, while still delegating management.

Optimize IT operations

Businesses can streamline global IT admin tasks by empowering global IT admins to focus on strategy and infrastructure while delegating daily user-management-related actions to local help desk admins. This allows organizations to delegate management without compromising visibility or creating silos. Complex organizations can eliminate user Identity fragmentation and consolidate distinct user populations into a single unified view without creating a burden on global IT teams.

Before and after

Complex organizations have been structured in a few different ways:

  1. Multiple distinct orgs that aren’t connected.
  2. Multiple orgs connected via Org2Org, often in a hub-and-spoke model.
  3. A single org where populations are organized in non-distinct groups.

Multiple orgs

Right now, an organization may be set up with employees from different business units or divisions existing in separate orgs. Okta admins have to manage users and app assignments separately for each org. Additionally, users are governed at the org level, and governance cannot span separate orgs.

Two separate orgs, unable to connect without Realms

With Realms, distinct user populations can exist in mutually exclusive segments within a single org. Realm admins can then manage users within their realms without overprivileging them. Governance campaigns can be scoped to a single realm or extend over multiple realms.

The same two orgs united with Realms

Hub-and-spoke model

Alternatively, an organization can be set up in a hub-and-spoke model where partners, subsidiaries, or acquisitions exist in spoke orgs. Many or all users may be duplicated into the spoke org for shared application access.

Hub-and-spoke model with three spokes

With Realms, the distinct user populations in the hub org can first be split into realms to segment out the mutually exclusive populations from each spoke org. That way, the users can still share application access and policies, but from an administrative perspective, user populations can remain separated.

Hub-and-spoke model with three units in a hub and three spokes

Ultimately, this supports the long-term strategy by making it easy to collapse spoke orgs into the hub org, minimizing duplication of users and overhead across orgs.

Hub-and-spoke model streamlined with Realms


Getting started with Realms

Realms is Generally Available as a part of Okta Identity Governance and Secure Partner Access. Check out the product documentation and enable Realms in your org to get started.

Additionally, Realms ties into and leverages many parts of the Okta product offerings. Check out our documentation for the following: