[BETA] Okta Identity Governance API
Okta Identity Governance is a SaaS-delivered, converged and intuitive Identity and Access management platform. Use it to simplify and manage your identity and access lifecycles across multiple systems and improve the overall security of your company.
Okta Identity Governance builds upon the existing Okta Life Cycle Management products, such as Provisioning and Workflows, which help enterprises simplify access fulfillment and entitlement tasks throughout a user’s identity lifecycle.
Domain model
Nouns
[Domain model diagram; recovered labels] Nouns: RESOURCE, RESOURCE-PROVIDER, CAMPAIGNS, REVIEWS, REQUEST-CONDITIONS, REQUEST-SEQUENCES, CATALOG-ENTRIES, REQUESTS. Edge labels: provided by, generate, use, generate, allows.
Noun API reference
Relationships
[Relationship diagram; recovered labels]
- RESOURCE has many GRANT, ENTITLEMENT-BUNDLE, ENTITLEMENT, REVIEW and REQUEST (v1); it is referenced by CAMPAIGN and by REQUEST-CONDITIONS.
- CAMPAIGN settings: remediationSettings, resourceSettings, reviewerSettings, scheduleSettings, notificationSettings, principalScopeSettings. A CAMPAIGN has a STATUS and generates REVIEWS.
- REVIEW: created by a CAMPAIGN; has a RESOURCE, a PRINCIPAL and a REVIEWER; has a DECISION made by the reviewer; has REMEDIATION and HISTORY.
- REQUEST-CONDITION settings: resourceSettings, requesterSettings, accessSettings, approvalSettings.
- CATALOG-ENTRY generates ENTRY. An ENTRY represents one RESOURCE, could have CHILD-ENTRY children, and is related to an ACCESS-SCOPE via GROUP, ENTITLEMENT-BUNDLE or ENTITLEMENT-VALUE.
Governance Engine
Resource - "An object that may be governed"
RESOURCE: resourceId (string), resourceType (enum), name (string), description (string). A resource has ENTITLEMENTS when resourceType = APP.
Entitlements - A collection of entitlements, each with its corresponding allowed values
ENTITLEMENT: id, name, displayName, description (string); multiValue, required (boolean). ENTITLEMENT-VALUE: id, displayName, value, description (string). An entitlement belongs to a parent RESOURCE and has all of its entitlement values.
Entitlement Bundle
ENTITLEMENT-BUNDLE: name (string), description (string). A bundle belongs to a RESOURCE and has some ENTITLEMENTS, each with selected ENTITLEMENT-VALUEs that belong to that entitlement.
Grant
GRANT: grantType (enum), action (enum), scheduleSettings (settings), status (enum). A grant is granted to a TARGET-PRINCIPAL (type, externalId: string) for a RESOURCE; it may have ENTITLEMENTS and may have an ENTITLEMENT-BUNDLE.
Principal Entitlement: an assigned entitlement with values for a Principal
PRINCIPAL-ENTITLEMENT: id, name, displayName, description (string); multiValue, required (boolean); with ENTITLEMENT-VALUEs (id, displayName, value, description: string). It belongs to a parent RESOURCE and is assigned to a TARGET-PRINCIPAL.
Governance object lifecycles
Governance objects have lifecycles that are driven by system and user interactions.
When using governance APIs, it is important to understand the potential status values of objects, and how they transition from one lifecycle state to another.
Campaign
Campaign status lifecycle
[State diagram; recovered labels] States: SCHEDULED, LAUNCHING, ACTIVE, ERROR, COMPLETED; once deleted or purged, the campaign returns 404 Not found.
Transitions shown: /launch, background job (three edges), /end, background purger, /delete (two edges).
The following lifecycle operations are available on single Request Types.
Request condition
Request condition lifecycle
[State diagram; recovered labels] States: new condition, INACTIVE, ACTIVE, INVALID; once deleted, the condition returns 404 Not found.
Transitions shown: POST (creates a new condition), /activate, /deactivate, PATCH (three edges), DELETE (two edges).
A request condition may transition to INVALID status if:
- The resource is deleted.
- All groups referenced in its requesterSettings have been deleted.
- All groups referenced in its accessScopeSettings have been deleted.
- All entitlement bundles referenced in its accessScopeSettings have been deleted.
- All entitlements referenced in its accessScopeSettings have been deleted.
- The resource opted out of the governance engine, but its accessScopeSettings still reference an entitlement bundle or entitlement.
The transition to INVALID status may occur when:
- The system detects any of the states above during a related API operation (for example, creating a request).
- Request condition integrity is checked periodically.
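The INVALID rules above can be mirrored client-side to find conditions that are about to break before the periodic integrity check does. This is an added example, not Okta's code; the field names resourceSettings.resourceId, groupIds, entitlementBundleIds and entitlementIds, and the OrgSnapshot helper, are assumed shapes for illustration, and the sample objects are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class OrgSnapshot:
    """Constructed snapshot of which objects still exist (assumed helper, not an Okta API type)."""
    resources: set = field(default_factory=set)
    governed: set = field(default_factory=set)   # resources opted in to the governance engine
    groups: set = field(default_factory=set)
    bundles: set = field(default_factory=set)
    entitlements: set = field(default_factory=set)


def _all_deleted(referenced, existing):
    # The rule reads "all ... referenced have been deleted": it only fires when the
    # condition references at least one object and none of them survive.
    return bool(referenced) and not (set(referenced) & existing)


def invalid_reasons(condition, snap):
    """Return the documented reasons this condition should be INVALID ([] = consistent)."""
    rid = condition["resourceSettings"]["resourceId"]          # assumed field location
    req = condition.get("requesterSettings", {})
    scope = condition.get("accessScopeSettings", {})
    reasons = []
    if rid not in snap.resources:
        reasons.append("resource deleted")
    if _all_deleted(req.get("groupIds", []), snap.groups):
        reasons.append("all requesterSettings groups deleted")
    if _all_deleted(scope.get("groupIds", []), snap.groups):
        reasons.append("all accessScopeSettings groups deleted")
    if _all_deleted(scope.get("entitlementBundleIds", []), snap.bundles):
        reasons.append("all accessScopeSettings entitlement bundles deleted")
    if _all_deleted(scope.get("entitlementIds", []), snap.entitlements):
        reasons.append("all accessScopeSettings entitlements deleted")
    references_entitlements = scope.get("entitlementBundleIds") or scope.get("entitlementIds")
    if rid in snap.resources and rid not in snap.governed and references_entitlements:
        reasons.append("resource opted out of governance engine but scope references entitlements")
    return reasons


# Constructed sample data: app1 exists but is not governed; only grpA and ent1 survive.
SNAPSHOT = OrgSnapshot(resources={"app1"}, groups={"grpA"}, entitlements={"ent1"})
COND_OK = {"resourceSettings": {"resourceId": "app1"},
           "requesterSettings": {"groupIds": ["grpA"]},
           "accessScopeSettings": {"groupIds": ["grpA"]}}
COND_BROKEN = {"resourceSettings": {"resourceId": "app1"},
               "requesterSettings": {"groupIds": ["grpZ"]},
               "accessScopeSettings": {"entitlementBundleIds": ["bndl9"]}}

if __name__ == "__main__":
    for name, cond in (("ok", COND_OK), ("broken", COND_BROKEN)):
        print(name, "->", invalid_reasons(cond, SNAPSHOT) or "consistent")
```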
Request
Request.status lifecycle
[State diagram; recovered labels] States: new request, SUBMITTED, PENDING, REJECTED, APPROVED, DENIED, CANCELED.
Transitions shown: POST (creates a new request); system action, request available in Inbox; system action, request invalid; required approvals approved in Inbox; any approval rejects in Inbox; requester cancels in Inbox.
Request.grantStatus lifecycle
Only applicable if Request.status === 'APPROVED'
[State diagram; recovered labels] Starting point: Request.status == APPROVED. States: Request.grantStatus = PENDING, GRANTED, FAILED, MANUAL_GRANT_REQUIRED.
Transitions shown: system action; success outcomes (assign to app success, add to group success, create grant success); failure outcomes (assign to app failure, add to group failure, create grant failure); certain cases (app group?).
Request.revocationStatus lifecycle
Only applicable if Request.accessDuration is defined.
[State diagram; recovered labels] Starting point: Request.grantStatus == GRANTED. States: Request.revocationStatus = PENDING (with revocationScheduled = TIMESTAMP), REVOKED, FAILED.
Transitions shown: system action; accessDuration exceeded, successful access revocation; accessDuration exceeded, failed access revocation.
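The three lifecycle fields above carry applicability rules (grantStatus only when status is APPROVED, revocationStatus only when accessDuration is defined and the grant reached GRANTED) that are worth checking on request objects pulled from the API, since a FAILED grant or a FAILED revocation means live access no longer matches the approval decision. This is an added example, not Okta's code; the "P7D" duration and timestamp values are constructed, and needs_operator_attention is an assumed helper name.

```python
REQUEST_STATUSES = {"SUBMITTED", "PENDING", "REJECTED", "APPROVED", "DENIED", "CANCELED"}
GRANT_STATUSES = {"PENDING", "GRANTED", "FAILED", "MANUAL_GRANT_REQUIRED"}
REVOCATION_STATUSES = {"PENDING", "REVOKED", "FAILED"}


def lifecycle_violations(req):
    """Return the documented lifecycle rules this request object breaks ([] = consistent)."""
    status, grant, revoke = req.get("status"), req.get("grantStatus"), req.get("revocationStatus")
    problems = []
    if status not in REQUEST_STATUSES:
        problems.append(f"unknown status {status!r}")
    if grant is not None:
        if status != "APPROVED":
            problems.append("grantStatus is only applicable when status is APPROVED")
        if grant not in GRANT_STATUSES:
            problems.append(f"unknown grantStatus {grant!r}")
    if revoke is not None:
        if req.get("accessDuration") is None:
            problems.append("revocationStatus is only applicable when accessDuration is defined")
        if grant != "GRANTED":
            problems.append("revocationStatus requires grantStatus GRANTED")
        if revoke == "PENDING" and req.get("revocationScheduled") is None:
            problems.append("PENDING revocation must carry revocationScheduled")
        if revoke not in REVOCATION_STATUSES:
            problems.append(f"unknown revocationStatus {revoke!r}")
    return problems


def needs_operator_attention(req):
    """True when automation stopped short of the approved decision: the grant failed or
    needs a manual step, or a time-bound grant's revocation failed (access lingers)."""
    return (req.get("grantStatus") in {"FAILED", "MANUAL_GRANT_REQUIRED"}
            or req.get("revocationStatus") == "FAILED")


# Constructed sample objects; field names follow the lifecycle sections above.
HEALTHY = {"status": "APPROVED", "grantStatus": "GRANTED", "accessDuration": "P7D",
           "revocationStatus": "PENDING", "revocationScheduled": "2030-01-01T00:00:00Z"}
STALE_ACCESS = {"status": "APPROVED", "grantStatus": "GRANTED", "accessDuration": "P7D",
                "revocationStatus": "FAILED"}
INCONSISTENT = {"status": "PENDING", "grantStatus": "GRANTED", "revocationStatus": "PENDING"}

if __name__ == "__main__":
    for name, r in (("healthy", HEALTHY), ("stale", STALE_ACCESS), ("inconsistent", INCONSISTENT)):
        print(name, lifecycle_violations(r), "ATTENTION" if needs_operator_attention(r) else "")
```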
Access Request v1 (Request types)
[Domain model diagram; recovered labels] REQUEST-TYPES (v1) allow REQUESTS (v1) and are administrated by an OWNER (v1).
- REQUEST-TYPE (v1) settings: approvalSettings, requestSettings, resourceSettings. It is administrated by an OWNER (v1) and allows REQUEST (v1).
- REQUEST (v1): allowed by a REQUEST-TYPE (v1); created by a CREATOR (v1); requested by a REQUESTER (v1); REQUESTER-FIELD-VALUES (v1) provided by the requester; may require an APPROVAL (v1), which has an APPROVER (v1) and a DECISION (v1) made by the approver, with APPROVER-FIELD-VALUES (v1) provided by the approver; may generate an ACTION (v1); has a RESOURCE.
- OWNER (v1) is a TEAM (v1); a TEAM has MEMBERs (v1); a MEMBER is an OKTA-USER.
Request Type
Request Type status lifecycle
[State diagram; recovered labels] States: DRAFT, ACTIVE, DISABLED; once deleted, the request type returns 404 Not found.
Transitions shown: /publish, /un-publish, DELETE /request-types/:requestTypeId, invalid state detected during an operation.
The only terminal state for a Request Type is when the resource can no longer be found.
A DISABLED Request Type may be repaired through the administrative portal and re-enter a DRAFT or ACTIVE state.
The following lifecycle operations are available on single Request Types.
V1 Request
V1 Request.requestStatus lifecycle
[State diagram; recovered labels] States: OPEN, PENDING, RESOLVED.
Transitions shown: moved to pending in UI; moved to resolved in UI.
A Request progresses through its lifecycle states based on team or administrative actions taken on a variety of channels, including:
- Access Request portal
- Slack
- Microsoft Teams
The following lifecycle operations are available on a single Request.