OktaOverview
You can grant users access to applications directly or through groups. The latter is preferred because it greatly simplifies access management.
Remediation guidance
Go to the Groups page, under the Directory section, in the Okta Admin Dashboard, select or create the group, and on the Applications tab, press Assign applications. Now, you can remove the individual user assignment. We recommend following the assignment conversion process described in the Okta documentation.
Multiple Remediation Paths
SERVICE-WIDE (RECOMMENDED when many resources are affected): Apply organization/tenant-level guardrails and baseline policies for the entire platform.
ASSET-LEVEL: Fix only the affected resources identified by this control.
PREVENTIVE: Add preventive policy checks to CI/CD and periodic posture scans.
References for Service-Wide Patterns
- Platform policy/governance and preventive control patterns should be applied tenant-wide where supported.
Query logic
These are the stored checks tied to this control.
Application assignments are configured through groups
Connectors
Covered asset types
Expected check: eq []
users(where: { applicationsConnection_SOME: {edge: {scope_NOT: "GROUP"}}}) {...AssetFragment}
