[BETA] Okta Identity Governance API

Okta Identity Governance is a SaaS-delivered, converged and intuitive identity and access management platform. Use it to simplify and manage identity and access lifecycles across multiple systems and to improve the overall security of your company.

Okta Identity Governance builds upon the existing Okta Lifecycle Management products, such as Provisioning and Workflows, which help enterprises simplify access fulfillment and entitlement tasks throughout a user's identity lifecycle.

Domain model

Nouns

[Diagram: the governance nouns and how they relate]
  • RESOURCE: provided by a RESOURCE-PROVIDER
  • CAMPAIGNS: generate REVIEWS
  • REQUEST-TYPES: allow REQUESTS
  • REQUEST-TYPES: administrated by an OWNER

Noun API reference

Relationships

RESOURCE
  • has many GRANTs, ENTITLEMENT-BUNDLEs, ENTITLEMENTs, REVIEWs and REQUESTs
  • is referenced by CAMPAIGNs and REQUEST-TYPEs

CAMPAIGN
  • settings: remediationSettings, resourceSettings, reviewerSettings, scheduleSettings, notificationSettings, principalScopeSettings
  • has a STATUS
  • generates REVIEWS

REVIEW
  • created by a CAMPAIGN
  • has a RESOURCE, a PRINCIPAL and a REVIEWER
  • has a DECISION, made by the reviewer
  • has a REMEDIATION and a HISTORY

REQUEST-TYPE
  • settings: approvalSettings, requestSettings, resourceSettings
  • administrated by an OWNER
  • allows REQUESTs

REQUEST
  • allowed by a REQUEST-TYPE
  • created by a CREATOR
  • requested by a REQUESTER, who provides the REQUESTER-FIELD-VALUES
  • may require an APPROVAL
  • has an APPROVER; the DECISION is made by the approver, who provides the APPROVER-FIELD-VALUES
  • may generate an ACTION
  • has a RESOURCE

OWNER
  • is a TEAM
  • has MEMBERs
  • each MEMBER is an OKTA-USER

Governance Engine

Resource - "An object that may be governed"

RESOURCE
  • resourceId (string), e.g. 0oa..., 00g..., 00e...
  • resourceType (enum): APP, GROUP
  • name (string), e.g. Salesforce instance, Engineers, Salesforce Admin
  • description (string), e.g. This instance..., This group...
  • ENTITLEMENTS, present when resourceType = APP

Entitlements - A collection of entitlements, each with its corresponding allowed values

ENTITLEMENT
  • id (string)
  • name (string)
  • displayName (string)
  • description (string)
  • multiValue (boolean)
  • required (boolean)
  • belongs to a parent RESOURCE
  • has all of its ENTITLEMENT-VALUEs

ENTITLEMENT-VALUE
  • id (string)
  • displayName (string)
  • value (string)
  • description (string)

Entitlement Bundle

ENTITLEMENT-BUNDLE
  • name (string)
  • description (string)
  • belongs to a RESOURCE
  • has some of that resource's ENTITLEMENTS, each with selected ENTITLEMENT-VALUEs that belong to it

Grant

GRANT
  • grantType (enum)
  • action (enum)
  • scheduleSettings (settings)
  • status (enum)
  • granted to a TARGET-PRINCIPAL
  • for a target RESOURCE, identified by type (string) and externalId (string)
  • may have ENTITLEMENTS
  • may have an ENTITLEMENT-BUNDLE

Principal Entitlement - An assigned entitlement, with its values, for a Principal

PRINCIPAL-ENTITLEMENT
  • id (string)
  • name (string)
  • displayName (string)
  • description (string)
  • multiValue (boolean)
  • required (boolean)
  • with ENTITLEMENT-VALUEs: id (string), displayName (string), value (string), description (string)
  • belongs to a parent RESOURCE
  • assigned to a TARGET-PRINCIPAL

Governance object lifecycles

Governance objects have lifecycles that are driven by system and user interactions.

When using governance APIs, it is important to understand the potential status values of objects, and how they transition from one lifecycle state to another.

Campaign

Campaign status lifecycle

[State diagram]
States: SCHEDULED, LAUNCHING, ACTIVE, ERROR, COMPLETED, and 404 Not found once the campaign no longer exists.
Transition triggers: /launch, three transitions driven by background jobs, /end, the background purger, and two /delete operations.

The following lifecycle operations are available on a single Campaign.

Request Type

Request Type status lifecycle

[State diagram]
States: DRAFT, ACTIVE, DISABLED, and 404 Not found once the Request Type has been deleted.
Transitions: /publish (DRAFT to ACTIVE), /un-publish (ACTIVE to DRAFT), an invalid state detected during an operation (to DISABLED), and DELETE /request-types/:requestTypeId (to 404 Not found).

The only terminal state for a Request Type is when the resource can no longer be found.

A DISABLED Request Type may be repaired through the administrative portal and re-enter a DRAFT or ACTIVE state.

The following lifecycle operations are available on a single Request Type.

Request

Request.requestStatus lifecycle

[State diagram]
OPEN -> PENDING (moved to pending in the UI) -> RESOLVED (moved to resolved in the UI)

A Request progresses in its lifecycle state based on team or administrative actions on a variety of channels, including:

  • Access Request portal
  • Slack
  • Microsoft Teams
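
As an added example (not Okta's code and not part of this page), the Request Type and Request lifecycles above encoded as a table-driven status machine, so that an automation can validate a planned sequence of operations against the documented transitions before issuing any API call and can refuse to act on a terminal or DISABLED object. The edge attachments (the invalid-state event from DRAFT or ACTIVE, DELETE from any non-terminal status, `repair:<state>` for the admin-portal fix, `ui:*` for the UI moves) are assumptions read from the diagrams.

```python
class InvalidTransition(Exception):
    """Raised when an operation is not permitted from the current status."""


class Lifecycle:
    """Table-driven status machine: (current status, operation) -> next status."""

    def __init__(self, name, transitions, terminal):
        self.name = name
        self.transitions = transitions
        self.terminal = terminal  # statuses with no way out (404 Not found for a Request Type)

    def allowed(self, current):
        """Operations a client may issue from the current status."""
        if current in self.terminal:
            return []
        return sorted(op for (status, op) in self.transitions if status == current)

    def next_status(self, current, operation):
        if operation not in self.allowed(current):
            raise InvalidTransition(f"{self.name}: '{operation}' is not valid from {current}")
        return self.transitions[(current, operation)]

    def replay(self, start, operations):
        """Validate a planned sequence of operations; returns the final status or raises."""
        status = start
        for op in operations:
            status = self.next_status(status, op)
        return status


# Request Type lifecycle from this page. Assumed from the diagram: "invalid-state" can occur
# from DRAFT or ACTIVE, DELETE is possible from any non-terminal status, and "repair:<state>"
# models an administrator fixing a DISABLED Request Type in the admin portal.
REQUEST_TYPE = Lifecycle("RequestType", {
    ("DRAFT", "/publish"): "ACTIVE",
    ("ACTIVE", "/un-publish"): "DRAFT",
    ("DRAFT", "invalid-state"): "DISABLED",
    ("ACTIVE", "invalid-state"): "DISABLED",
    ("DRAFT", "DELETE"): "404 Not found",
    ("ACTIVE", "DELETE"): "404 Not found",
    ("DISABLED", "DELETE"): "404 Not found",
    ("DISABLED", "repair:DRAFT"): "DRAFT",
    ("DISABLED", "repair:ACTIVE"): "ACTIVE",
}, terminal={"404 Not found"})

# Request.requestStatus lifecycle: both moves are made in the UI, not by an API call.
REQUEST_STATUS = Lifecycle("Request", {
    ("OPEN", "ui:pending"): "PENDING",
    ("PENDING", "ui:resolved"): "RESOLVED",
}, terminal=set())
```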

The following lifecycle operations are available on a single Request.