Skip to content
/
Overview
Last updated on

Okta Identity Governance API

Okta Identity Governance is a SaaS-delivered, converged and intuitive Identity and Access management platform. Use it to simplify and manage your identity and access lifecycles across multiple systems and improve the overall security of your company.

Okta Identity Governance builds upon the existing Okta Life Cycle Management products, such as Provisioning and Workflows, which help enterprises simplify access fulfillment and entitlement tasks throughout a user’s identity lifecycle.

Note: You can use the Okta Identity Governance APIs if you're subscribed to Okta Identity Governance. The APIs that are in Beta are available on both the Preview and Production environments. Contact your Customer Success Manager or Account Executive for more information.

Domain model

Nouns

provided by

generate

use

generate

allows

RESOURCE

RESOURCE-PROVIDER

CAMPAIGNS

REVIEWS

REQUEST-CONDITIONS

REQUEST-SEQUENCES

CATALOG-ENTRIES

REQUESTS

provided by

generate

use

generate

allows

RESOURCE

RESOURCE-PROVIDER

CAMPAIGNS

REVIEWS

REQUEST-CONDITIONS

REQUEST-SEQUENCES

CATALOG-ENTRIES

REQUESTS

Noun API reference

Relationships

has many

has many

has many

has many

has many

referenced by

referenced by

RESOURCE

GRANT

ENTITLEMENT-BUNDLE

ENTITLEMENT

REVIEW

REQUEST (v1)

CAMPAIGN

REQUEST-CONDITIONS

has many

has many

has many

has many

has many

referenced by

referenced by

RESOURCE

GRANT

ENTITLEMENT-BUNDLE

ENTITLEMENT

REVIEW

REQUEST (v1)

CAMPAIGN

REQUEST-CONDITIONS

has

generates

CAMPAIGN

setting

remediationSettings

setting

resourceSettings

setting

reviewerSettings

setting

scheduleSettings

setting

notificationSettings

setting

principalScopeSettings

STATUS

REVIEWS

has

generates

CAMPAIGN

setting

remediationSettings

setting

resourceSettings

setting

reviewerSettings

setting

scheduleSettings

setting

notificationSettings

setting

principalScopeSettings

STATUS

REVIEWS

created by

has

has

has

made by reviewer

has

has

REVIEW

CAMPAIGN

RESOURCE

PRINCIPAL

REVIEWER

DECISION

REMEDIATION

HISTORY

created by

has

has

has

made by reviewer

has

has

REVIEW

CAMPAIGN

RESOURCE

PRINCIPAL

REVIEWER

DECISION

REMEDIATION

HISTORY

generates

REQUEST-CONDITION

settings

resourceSettings

settings

requesterSettings

settings

accessSettings

settings

approvalSettings

CATALOG-ENTRY

generates

REQUEST-CONDITION

settings

resourceSettings

settings

requesterSettings

settings

accessSettings

settings

approvalSettings

CATALOG-ENTRY

represents one

could have children

related to

related to

via

via

via

ENTRY

RESOURCE

CHILD-ENTRY

ACCESS-SCOPE

GROUP

ENTITLEMENT-BUNDLE

ENTITLEMENT-VALUE

represents one

could have children

related to

related to

via

via

via

ENTRY

RESOURCE

CHILD-ENTRY

ACCESS-SCOPE

GROUP

ENTITLEMENT-BUNDLE

ENTITLEMENT-VALUE

Entitlement management

Resource - "An object that may be governed"

when resourceType = APP

RESOURCE

string

resourceId

0oa...,00g...,00e...

enum

resourceType

APP, GROUP

string

name

Salesforce instance, Engineers, Salesforce Admin

string

description

This instance..., This group...

ENTITLEMENTS

when resourceType = APP

RESOURCE

string

resourceId

0oa...,00g...,00e...

enum

resourceType

APP, GROUP

string

name

Salesforce instance, Engineers, Salesforce Admin

string

description

This instance..., This group...

ENTITLEMENTS

Entitlements - A collection of entitlement with corresponding allowed values

has all

belongs to parent

ENTITLEMENT

string

id

string

name

string

displayName

string

description

boolean

multiValue

boolean

required

ENTITLEMENT-VALUE

string

id

string

displayName

string

value

string

description

RESOURCE

has all

belongs to parent

ENTITLEMENT

string

id

string

name

string

displayName

string

description

boolean

multiValue

boolean

required

ENTITLEMENT-VALUE

string

id

string

displayName

string

value

string

description

RESOURCE

Entitlement Bundle

has some

belongs to

with selected

belongs to

ENTITLEMENT-BUNDLE

string

name

string

description

ENTITLEMENTS

RESOURCE

ENTITLEMENT-VALUE

has some

belongs to

with selected

belongs to

ENTITLEMENT-BUNDLE

string

name

string

description

ENTITLEMENTS

RESOURCE

ENTITLEMENT-VALUE

Collection - A group of resources and associated entitlements

contains

contains

belongs to

COLLECTION

string

name

string

description

RESOURCE

ENTITLEMENT

contains

contains

belongs to

COLLECTION

string

name

string

description

RESOURCE

ENTITLEMENT

for a target

assigned to

generates one or more

COLLECTION-ASSIGNMENT

COLLECTION

PRINCIPAL

GRANTS

for a target

assigned to

generates one or more

COLLECTION-ASSIGNMENT

COLLECTION

PRINCIPAL

GRANTS

Grant

granted to

for a target

may have

may have

GRANT

enum

grantType

enum

action

settings

scheduleSettings

enum

status

TARGET-PRINCIPAL

RESOURCE

string

type

string

externalId

ENTITLEMENTS

ENTITLEMENT-BUNDLE

granted to

for a target

may have

may have

GRANT

enum

grantType

enum

action

settings

scheduleSettings

enum

status

TARGET-PRINCIPAL

RESOURCE

string

type

string

externalId

ENTITLEMENTS

ENTITLEMENT-BUNDLE

Principal Entitlement : Assigned entitlement with values for a Principal

with

belongs to parent

assigned to

PRINCIPAL-ENTITLEMENT

string

id

string

name

string

displayName

string

description

boolean

multiValue

boolean

required

ENTITLEMENT-VALUE

string

id

string

displayName

string

value

string

description

RESOURCE

TARGET-PRINCIPAL

with

belongs to parent

assigned to

PRINCIPAL-ENTITLEMENT

string

id

string

name

string

displayName

string

description

boolean

multiValue

boolean

required

ENTITLEMENT-VALUE

string

id

string

displayName

string

value

string

description

RESOURCE

TARGET-PRINCIPAL

Governance object lifecycles

Governance objects have lifecycles that are driven by system and user interactions.

When using governance APIs, it is important to understand the potential status values of objects, and how they transition from one lifecycle state to another.

Campaign

Campaign status lifecycle

/launch

background job

background job

background job

/end

background purger

/delete

/delete

404 Not found

SCHEDULED

LAUNCHING

ACTIVE

ERROR

COMPLETED

/launch

background job

background job

background job

/end

background purger

/delete

/delete

404 Not found

SCHEDULED

LAUNCHING

ACTIVE

ERROR

COMPLETED

The following lifecycle operations are available on single Request Types.

Request condition

Request condition lifecycle

POST

/activate

PATCH

DELETE

PATCH

/deactivate

PATCH

DELETE

404 Not found

new condition

INACTIVE

ACTIVE

INVALID

POST

/activate

PATCH

DELETE

PATCH

/deactivate

PATCH

DELETE

404 Not found

new condition

INACTIVE

ACTIVE

INVALID

A request condition may transition to INVALID status if:

  • The resource is deleted.
  • All groups referenced in its requesterSettings have been deleted.
  • All groups referenced in its accessScopeSettings have been deleted.
  • All entitlement bundles referenced in its accessScopeSettings have been deleted.
  • All entitlements referenced in its accessScopeSettings have been deleted.
  • The resource opted out of entitlement management, but its accessScopeSettings reference an entitlement bundle or entitlement.

The transition to INVALID status may occur when:

  • The system notices any of the aforementioned states during a related API operation (Create request, etc...)
  • Periodically when request condition integrity is checked

Request

Request.status lifecycle

POST

system action, request available in Access Requests

system action, request invalid

required approvals approved

any approval rejects

requester cancels

request expires

new request

SUBMITTED

PENDING

REJECTED

APPROVED

DENIED

CANCELED

EXPIRED

POST

system action, request available in Access Requests

system action, request invalid

required approvals approved

any approval rejects

requester cancels

request expires

new request

SUBMITTED

PENDING

REJECTED

APPROVED

DENIED

CANCELED

EXPIRED

Request.grantStatus lifecycle

Only applicable if Request.status === 'APPROVED'

system action

assign to app success

add to group success

create grant success

assign to app failure

add to group failure

create grant failure

certain cases (app group?)

Request.status==APPROVED

Request.grantStatus=PENDING

Request.grantStatus=GRANTED

Request.grantStatus=FAILED

Request.grantStatus=MANUAL_GRANT_REQUIRED

system action

assign to app success

add to group success

create grant success

assign to app failure

add to group failure

create grant failure

certain cases (app group?)

Request.status==APPROVED

Request.grantStatus=PENDING

Request.grantStatus=GRANTED

Request.grantStatus=FAILED

Request.grantStatus=MANUAL_GRANT_REQUIRED

Request.revocationStatus lifecycle

Only applicable if Request.accessDuration is defined.

system action

accessDuration exceeded, successful access revocation

accessDuration exceeded, failed access revocation

Request.grantStatus==GRANTED

Request.revocationStatus=PENDING, revocationScheduled=TIMESTAMP

Request.revocationStatus=REVOKED

Request.revocationStatus=FAILED

system action

accessDuration exceeded, successful access revocation

accessDuration exceeded, failed access revocation

Request.grantStatus==GRANTED

Request.revocationStatus=PENDING, revocationScheduled=TIMESTAMP

Request.revocationStatus=REVOKED

Request.revocationStatus=FAILED

Collection

Collection lifecycle

POST /collections

POST /collections/{id}/resources

DELETE /collections/{id}/resources/{id}

DELETE /collections/{id}

GET /collections/{id}

404 Not Found

No Collection

Empty Collection

Collection with Resources

No Collection

POST /collections

POST /collections/{id}/resources

DELETE /collections/{id}/resources/{id}

DELETE /collections/{id}

GET /collections/{id}

404 Not Found

No Collection

Empty Collection

Collection with Resources

No Collection

Collection assignment processing lifecycle

POST /collections/{id}/assignments

background job

background job fails

PUT /collections/{id}/resources/id

DELETE /collections/{id}/assignments/{id}

background job

Collection Assignment Removed, Grants Removed

Collection Assignment Updated, Grants Pending

Collection Assigned, Grants Created

Syslog event for failed assignment

Collection Assignment Removed, Grants Remain

POST /collections/{id}/assignments

background job

background job fails

PUT /collections/{id}/resources/id

DELETE /collections/{id}/assignments/{id}

background job

Collection Assignment Removed, Grants Removed

Collection Assignment Updated, Grants Pending

Collection Assigned, Grants Created

Syslog event for failed assignment

Collection Assignment Removed, Grants Remain

Access Request v1 (Request types)

allow

administrated by

REQUEST-TYPES (v1)

REQUESTS (v1)

OWNER (v1)

allow

administrated by

REQUEST-TYPES (v1)

REQUESTS (v1)

OWNER (v1)

administrated by

allows

REQUEST-TYPE (v1)

setting

approvalSettings

setting

requestSettings

setting

resourceSettings

OWNER (v1)

REQUEST (v1)

administrated by

allows

REQUEST-TYPE (v1)

setting

approvalSettings

setting

requestSettings

setting

resourceSettings

OWNER (v1)

REQUEST (v1)

allowed by

created-by

requested-by

provided by requester

may require

has

made by approver

provided by approver

may generate

has

REQUEST (v1)

REQUEST-TYPE (v1)

CREATOR (v1)

REQUESTER (v1)

REQUESTER-FIELD-VALUES (v1)

APPROVAL (v1)

APPROVER (v1)

DECISION (v1)

APPROVER-FIELD-VALUES (v1)

ACTION (v1)

RESOURCE

allowed by

created-by

requested-by

provided by requester

may require

has

made by approver

provided by approver

may generate

has

REQUEST (v1)

REQUEST-TYPE (v1)

CREATOR (v1)

REQUESTER (v1)

REQUESTER-FIELD-VALUES (v1)

APPROVAL (v1)

APPROVER (v1)

DECISION (v1)

APPROVER-FIELD-VALUES (v1)

ACTION (v1)

RESOURCE

is

has

is

OWNER (v1)

TEAM (v1)

MEMBER (v1)

OKTA-USER

is

has

is

OWNER (v1)

TEAM (v1)

MEMBER (v1)

OKTA-USER

Request Type

Request Type status lifecycle

/publish

DELETE /request-types/:requestTypeId

/un-publish

Invalid state detected during an operation

404 Not found

DRAFT

ACTIVE

DISABLED

/publish

DELETE /request-types/:requestTypeId

/un-publish

Invalid state detected during an operation

404 Not found

DRAFT

ACTIVE

DISABLED

The only terminal state for a Request Type is when the resource can no longer be found.

A DISABLED Request Type may be repaired through the administrative portal and re-enter a DRAFT or ACTIVE state.

The following lifecycle operations are available on single Request Types.

V1 Request

V1 Request.requestStatus lifecycle

Moved to pending in UI

Moved to resolved in UI

OPEN

PENDING

RESOLVED

Moved to pending in UI

Moved to resolved in UI

OPEN

PENDING

RESOLVED

A Request progresses in its lifecycle state based on team or administrative actions on a variety of channels, including:

  • Access Request portal
  • Slack
  • Microsoft teams

The following lifecycle operations are available on single Request.

Previous page
Next page