How does the mapping of groups work with Vault-auth-Okta?

Hi!!!

Version: HashiCorp [Vault 1.10.5]

We have Vault with Okta auth, and have a case where a user is in 2 groups in Okta, which means 2 groups in Vault with different policies:

Group Okta-Vault department: “department-rw,nono-rw,tech”
Group Okta-Vault team: “shipdflow-rw,team-rw,shipfoundations-rw,nono-rw,tech”

The user only takes the policies of the team, so my question is: how does the mapping work between the user’s Okta groups and the Vault groups (with policies)?
Can the user have more than one group?

Key              Value
accessor         xxxxxxxx
creation_time    1693491824
creation_ttl     2764800
display_name     okta-xxxx
entity_id        xxxxxxxx
expire_time      2023-10-02T14:23:44.956674348Z
explicit_max_ttl 0
id               xxxx
issue_time       2023-08-31T14:23:44.956683767Z
meta             {"policies":"list,shipdflow-rw,team-rw,shipfoundations-rw,nono-rw","username":"xxx"}
num_uses         0
orphan           true
path             auth/okta/login/xxx
policies         ["default","list","shipdflow-rw","team-rw","shipfoundations-rw","nono-rw"]
renewable        true
ttl              1484601
type             service
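One way to check a token against the group mappings quoted in the post, as an added example that is not part of the original post. It assumes a login is expected to carry the union of the policies on every matched group; the function names are hypothetical, and the inputs are copied from the post.

```python
import json

# Group-to-policy mappings exactly as quoted in the post.
GROUP_POLICIES = {
    "department": "department-rw,nono-rw,tech",
    "team": "shipdflow-rw,team-rw,shipfoundations-rw,nono-rw,tech",
}

# Rows copied from the token lookup output in the post.
LOOKUP_OUTPUT = """\
Key              Value
path             auth/okta/login/xxx
policies         ["default","list","shipdflow-rw","team-rw","shipfoundations-rw","nono-rw"]
"""


def parse_lookup(text):
    """Parse the two-column Key/Value table into a dict."""
    rows = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        # Skip blank lines, the header row and any '---' separator row.
        if len(parts) != 2 or parts[0] == "Key" or parts[0].startswith("-"):
            continue
        rows[parts[0]] = parts[1].strip()
    return rows


def audit(lookup_text, group_policies):
    """Compare the token's policies with what each group should contribute."""
    token = set(json.loads(parse_lookup(lookup_text)["policies"]))
    per_group = {g: set(p.split(",")) for g, p in group_policies.items()}
    expected = set().union(*per_group.values())  # assumption: union of groups
    return {
        # Policies a group lists that the token does not carry.
        "missing_by_group": {g: sorted(p - token) for g, p in per_group.items()},
        "missing": sorted(expected - token),
        # Policies on the token that neither group explains; "default" is
        # set aside because Vault attaches it to tokens by default.
        "unexplained": sorted(token - expected - {"default"}),
    }


if __name__ == "__main__":
    print(json.dumps(audit(LOOKUP_OUTPUT, GROUP_POLICIES), indent=2))
```

On the post's data this reports `tech` as missing even though the team group lists it, and `list` as coming from neither group, so the token does not match the team group's policy list exactly either.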