Changelog
Contains a log of all API changes.
Breaking changes may only occur during the BETA lifecycle of an API, and will be minimized as much as possible.
2024.11.1
FIX - Update to Retrieve My Request API
-
Updated the
requesterFieldValues
object for the 'Retrieve My Request API' . This object now contains the list of field values that were populated while submitting an Access Request.
2024.11.0
FEATURE - new Access Requests APIs
- At the left sidebar, split API reference into Management APIs and Enduser APIs .
- Added Access Requests - V2 administrative APIs for:
- Added End user APIs for:
FEATURE - Enhanced Group Remediation
- Added a new property in the 'Create a campaign' operation to accept /remediationSettings/autoRemediationSettings .
FEATURE - Update to Campaigns API
-
Updated the
principalScopeSettings
object for the Campaigns API . This object now includes thepredefinedInactiveUsersScope
property that identifies the duration that users have not used single sign-on (SSO) to access their account within a specific time frame.
2024.10.0
FIX - Remove ENTITLEMENT_VALUES from access-scope settings for Access Request condition APIs
-
Removed the
ENTITLEMENT_VALUES
from the access-scope settings from the following APIs:
2024.09.0
FEATURE - OAuth2 scopes for Access Request conditions and requests APIs, first BETA release
-
OAuth2 scopes for Access Requests condition and request APIs:
- okta.accessRequests.condition.manage
- okta.accessRequests.condition.read
- okta.accessRequests.request.manage
- okta.accessRequests.request.read
2024.08.0
FEATURE - New Access request condition APIs, first BETA release
- Added Access request V2 administrative APIs for:
- Access request V1 administrative APIs (Request types & Requests) remain unchanged.
2024.06.2
FEATURE - Added support to include only active users in the campaign
- Added a new property in the 'Create a campaign' operation to accept /principalScopeSettings/includeOnlyActiveUsers .
2024.06.0
FIX - Update Admin Role Campaign Defaults
-
Updated
bulkDecisionDisabled
to no longer be required for Admin Role campaigns.
2024.04.0
FEATURE - Added following Beta APIs for ENTITLEMENT MANAGEMENT feature
DEPRECATE - List all entitlements will no longer return values
- To fetch values for a given entitlement, use List all values for an entitlement or List all entitlement values
FEATURE - Ability to create campaigns on Okta Admin Console for reviewing admin roles
- Updated the 'Create a campaign' operation to support governance for admin roles in resource-centric campaigns.
- Added support for 'justificationRequired' and 'bulkDecisionDisabled' and replaced 'isSelfReviewDisabled' with 'selfReviewDisabled'
-
Also, these fields are now required to be marked as
true
for Admin Role campaigns.
FIX - OAuth2 scope documentation
-
Fixed the documentation of required scopes for Request Types, Requests, and Teams operations to correct values.
-
Incorrect old documentation listed :
okta.governance.accessRequest.manage
,okta.governance.accessRequest.read
-
New correct documentation:
okta.governance.accessRequests.manage
,okta.governance.accessRequests.read
-
Incorrect old documentation listed :
BETA - Breaking changes
FIX - Resource name and description is no longer populated in responses for ENTITLEMENT MANAGEMENT feature APIs (Entitlements, Entitlement Bundles, Grants, and Principal Entitlements)
2023.09.0
FEATURE - Added following Beta APIs for ENTITLEMENT MANAGEMENT feature
FEATURE - Added support for certifying entitlement-enabled resources to 'Campaigns' and 'Reviews' Apis
'Create', 'List', 'Retrieve', 'Delete', 'Launch' and 'End' campaigns containing entitlement enabled resources.
'List', 'Reassign' and 'Retrieve' items reviewing app entitlements.
2023.08.0
FIX - startReview in 'Create a Campaign' is required
Fixed 'Create a campaign' operation to show /reviewerSettings/reviewerLevels/startReview as required
field.
2023.07.0
DEPRECATE - /governance/api/v1/campaigns/{campaignId}/delete endpoint
Deprecated this endpoint in favour of 'Delete Campaign' to be consistent with other DELETE endpoints.
Existing /delete
endpoint will continue to work until it is removed in future release.
2023.06.0
FEATURE - Ability to create recurring campaigns
Updated 'Create a campaign' operation to support defining a recurring schedule by allowing new types described in /scheduleSettings/type. During creation of a campaign, you can provide the additional details described at /scheduleSettings/recurrence to setup the recurrence. These settings will also be reflected in 'List all campaigns' and 'Retrieve a campaign'
FEATURE - Ability to create campaigns with a group or group owner as reviewer
Updated 'Create a campaign' operation to support setting a Group or Group Owner as reviewer, as is currently supported in the UI by allowing new types described in /reviewerSettings/type. During creation of a campaign, when defining the reviewer, new settings are available and described at /reviewerSettings/reviewerGroupId. These settings will also be reflected in 'List all campaigns', 'Retrieve a campaign', 'List all reviews' and 'Retrieve a review'
FEATURE - Ability to create multi-level campaigns
Updated 'Create a campaign' to support Multi-level campaigns, as is currently supported in the UI, but allowing new types described in /reviewerSettings/type. During creation of a campaign, you can provide multi-level reviewer details described at /reviewerSettings/reviewerLevels. These settings will also be reflected in 'List all campaigns', 'Retrieve a campaign', 'List all reviews', 'Retrieve a review' and 'Reassign the reviews'
FEATURE - Ability to create user campaigns
Updated 'Create a campaign' operation to allow creation of User Campaigns, currently available as self-service EA in the UI, by allowing new types described in /principalScopeSettings/type. During creation of a campaign, you can choose to create Resource Campaigns (the existing type) or User Campaigns, with settings described at /principalScopeSettings. These settings will also be reflected in 'Retrieve a campaign'
FEATURE - Ability to create a message on a request
Added 'Create a message for a request' operation to allow creation of a message for an existing request.
2023.03.1
BETA - Breaking changes
FIX - reviewerSettings.type in 'Create a campaign' and 'Retrieve a campaign' operations
Fixed 'Create a campaign' and 'Retrieve a campaign' operations to properly accept and return the /reviewerSettings/type enum value REVIEWER_EXPRESSION
instead of REVIEWER-EXPRESSION
.
2023.03.0
Features
FEATURE - Resource owner approval type
Added the RESOURCE_OWNER
value to the approvalType parameter for Create a request type.
This update enables the creation of request types that require approvals from the owner of the resource specified in targetResources.
Currently, Okta only supports a group resource, that is, when resourceSettings.type is GROUPS
.
This change has no impact on any previously created request types.
2023.02.0
Fixes
FIX - An HTTP 500 Internal Server Error was returned for some operations
-
Fixed the case when a
Retrieve a request type
would 500 if the
accessDuration
was controlled by a
DATE-TIME
field in aCUSTOM
request type. -
Fixed the case when a
Retrieve a request
would 500 if an
ADD_USER_TO_GROUP
orASSIGN_APP_TO_USER
action failed to run, and then was manually closed by a team member.
2023.01.0
BETA - Breaking changes
FEATURE - Request type approval settings
Added new option NONE
for approvalSettings.type for Create a request type.
This enables the creation of request types that don't have any required approvals.
approvalSettings is now a required property. Attempting to create a request type without specifying approvalSettings will result in a 400 Bad Request response.
Allowing for this use case requires modification of the default value for approvalSettings.
Integrations relying on the default specification of one approval by the requester's manager must now explicity specify approvalSettings.type of SERIAL
and include a manager approval object when creating the request type.
Check below for an example of a request body that used to return a 200 response code, that will now return a 400 response code.
Example
{
"name": "salesforce-01",
"description": "How users can request access to Admin Group",
"ownerId": "61eb0f06c462d20007f051ac",
"resourceSettings": {
"type": "GROUPS",
"targetResources": [
{
"resourceId": "00g1emaKYZTWRYYRRTSK"
}
]
}
}
This change has no impact on any previously created request types.
info
approvalSettings with no required approvers
{"type":"NONE"}
approvalSettings with requester manager approver required
{"type":"SERIAL","approvals":[{"approverType":"MANAGER"}]}
FIX - createdBy in 'Retrieve a request' and 'List all requests' operations
Fixed 'Retrieve a request' and 'List all requests' operations to properly return the createdBy id of the authenticated user, which can be distinct from requesterUserIds
FIX - requesterFieldValues and approvals/0/fieldValues in 'Retrieve a request' operation
Fixed the data type of /requesterFieldValues/0/value in 'Retrieve a request' response body for fields of type DATE-TIME
to match API reference.
info
Old date time value
1665148010117
New date time value per API reference
2022-10-07T13:06:50.117Z
Features
- Added requesterFieldValues to Create a request operation request body. This enables creation of requests using a request type with required fields.
- Added approvalSettings.approvals.description to Create a request operation request body. This enables creation of a request types with description for required approvals.
-
'Retrieve a request'
now returns a request with type
ACCESS_REQUEST
, and includes theapprovals
andactions
objects. Prior to this change if a request was created using a request type withCUSTOM
modifications in the administrative UI, the request had typeCUSTOM
which omitted theapprovals
andactions
objects.
Note: While there are aspects of requests based on CUSTOM request types which may not be represented in API responses, the
actions
andapprovals
information included in the API response are now reliable.
Fixes
- Fixed 'Retrieve a request' and 'List all requests' operations to properly return the createdBy id of the authenticated user, which can be distinct from requesterUserIds .
- Fixed handling of a number of invalid HTTP requests to properly return 4xx status codes instead of 500.
Documentation updates
- Added changelog
- Clarified documentation of accessDuration property in Create a request type body to indicate we only support durations which contain minutes, not months.