Grants represent an assignment or revocation of entitlements or entitlement bundles to a principal. A principal can have multiple grants.
Grant types can have different behavior characteristics.
A principal and resource can only have a single base grant. Creating a base grant type replaces all other existing grants. The following grant types are available:
A principal entitlement can have multiple additive grant types. These are applied based on the order that they were granted. Currently, only the following grant type is available:
Creates a grant request with a specific grant type (grantType).
The grant request parameters depend on the selected grantType.
A successful grant creation operation
An invalid request to create an entitlement bundle
When authentication fails
When authorization fails
When the rate limit has been exceeded
When there is a server fault due to an unexpected error
{
  "grantType": "ENTITLEMENT-BUNDLE",
  "entitlementBundleId": "enbfxqCAJWWGELFTYCCC",
  "actor": "ACCESS_REQUEST",
  "targetPrincipal": {
    "externalId": "00ufxqCAJWWGELFTYCCC",
    "type": "OKTA_USER"
  }
}
{
  "id": "0ggb0oNGTSWTBKOLGLNR",
  "created": "2022-05-24T14:15:22Z",
  "createdBy": "00ub0oNGTSWTBKOLGLNR",
  "lastUpdated": "2022-05-24T14:15:22Z",
  "lastUpdatedBy": "00ub0oNGTSWTBKOLGLNR",
  "grantType": "ENTITLEMENT-BUNDLE",
  "entitlementBundleId": "enbfxqCAJWWGELFTYCCC",
  "action": "ALLOW",
  "actor": "ACCESS_REQUEST",
  "targetResourceOrn": "orn:okta:idp:00o11edPwGqbUrsDm0g4:apps:salesforce:0oafxqCAJWWGELFTYASJ",
  "target": {
    "externalId": "0oafxqCAJWWGELFTYASJ",
    "type": "APPLICATION"
  },
  "targetPrincipalOrn": "orn:okta:directory:00o11edPwGqbUrsDm0g4:users:00ub0oNGTSWTBKOLGLNR",
  "targetPrincipal": {
    "externalId": "00ub0oNGTSWTBKOLGLNR",
    "type": "OKTA_USER"
  },
  "status": "ACTIVE",
  "_links": {
    "entitlementBundle": {}
  }
}
Lists active grants (status="ACTIVE") for your org.
The filter expression (?filter=) is required.
Pagination parameters are accepted. Standard link headers are in the response.
By default, results are sorted by id.
after | string non-empty The pagination cursor that points to the last record of the previous request
filter required | string <scim-filter> A filter expression that returns entries based on the following properties:
The
  filter=target.externalId eq "0oafxqCAJWWGELFTYASJ" AND target.type eq "APPLICATION" AND targetPrincipal.externalId eq "00ub0oNGTSWTBKOLGLNR" AND targetPrincipal.type eq "OKTA_USER"
  filter=targetResourceOrn eq "orn:okta:idp:00o11edPwGqbUrsDm0g4:apps:oidc:0oafxqCAJWWGELFTYASJ" AND targetPrincipalOrn eq "orn:okta:directory:00o11edPwGqbUrsDm0g4:users:00ub0oNGTSWTBKOLGLNR"
  filter=targetResourceOrn eq "orn:okta:idp:00o11edPwGqbUrsDm0g4:apps:oidc:0oafxqCAJWWGELFTYASJ"
  filter=targetResourceOrn eq "orn:okta:idp:00o11edPwGqbUrsDm0g4:apps:oidc:0oafxqCAJWWGELFTYASJ" AND entitlementBundleId eq "enbllojq9J9J105DL1d6"
  filter=target.externalId eq "0oafxqCAJWWGELFTYASJ" AND target.type eq "APPLICATION" AND entitlements.values.id eq "entfxqCAJWWFTFUUYBBB"
  filter=target.externalId eq "0oafxqCAJWWGELFTYASJ" AND target.type eq "APPLICATION" AND entitlements.id eq "espfxqCAJWWFTFUUYKKK"
  filter=target.externalId eq "0oafxqCAJWWGELFTYASJ" AND target.type eq "APPLICATION" AND (entitlements.values.id eq "entfxqCAJWWFTFUUYBBB" OR entitlements.values.id eq "entfxqCAJWWFTFUUYXXX" OR entitlementBundleId eq "enbllojq9J9J105DL1d6")
  filter=target.externalId eq "0oafxqCAJWWGELFTYASJ" AND target.type eq "APPLICATION" AND action eq "ALLOW"
include | Array of strings The
  include=full_entitlements
  include=metadata
limit | integer [ 1 .. 200 ] Default: 20 The maximum number of records returned in a response
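When the identifiers in a filter come from a ticket, a form or another system, they should be validated before they are spliced into the expression, so that a stray quote cannot widen the query. The following is an added example, not code from the API vendor; the function names are hypothetical, and the id and token patterns are assumptions drawn from the sample values on this page.

```python
import re

# Assumption: object ids are ASCII alphanumerics, as in every sample id on this page.
_ID = re.compile(r"[A-Za-z0-9]{1,64}")
# Assumption: action values are upper-case tokens such as ALLOW.
_TOKEN = re.compile(r"[A-Z][A-Z_-]{0,63}")


def _eq(prop, value, pattern):
    """Return `prop eq "value"`, refusing values that could alter the expression."""
    if not isinstance(value, str) or not pattern.fullmatch(value):
        raise ValueError(f"rejected value for {prop}: {value!r}")
    return f'{prop} eq "{value}"'


def grants_filter(app_id, user_id=None, bundle_id=None, value_ids=(), action=None):
    """Build a list-grants filter for one application, optionally narrowed further."""
    clauses = [_eq("target.externalId", app_id, _ID),
               'target.type eq "APPLICATION"']
    if user_id is not None:
        clauses += [_eq("targetPrincipal.externalId", user_id, _ID),
                    'targetPrincipal.type eq "OKTA_USER"']
    # Entitlement values and a bundle id are alternatives, so they are OR-ed
    # inside parentheses, as in the page's combined example.
    alternatives = [_eq("entitlements.values.id", v, _ID) for v in value_ids]
    if bundle_id is not None:
        alternatives.append(_eq("entitlementBundleId", bundle_id, _ID))
    if len(alternatives) == 1:
        clauses.append(alternatives[0])
    elif alternatives:
        clauses.append("(" + " OR ".join(alternatives) + ")")
    if action is not None:
        clauses.append(_eq("action", action, _TOKEN))
    return " AND ".join(clauses)
```

URL-encode the returned string (for example with urllib.parse.quote) before placing it in the filter query parameter.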
Get grants
An invalid request to list grants
When authentication fails
When authorization fails
When the requested resource wasn't found
When the rate limit has been exceeded
When there is a server fault due to an unexpected error
A principal user can have active POLICY grants and ENTITLEMENT-BUNDLE grants. This is common when an entitlement policy grants a user an entitlement, and then a user requests access to a specific entitlement bundle at a later date.
{
  "data": [
    {
      "id": "0ggb0oNGTSWTBKOLGLNR",
      "created": "2022-05-24T14:15:22Z",
      "createdBy": "00ub0oNGTSWTBKOLGLNR",
      "lastUpdated": "2022-05-24T14:15:22Z",
      "lastUpdatedBy": "00ub0oNGTSWTBKOLGLNR",
      "grantType": "ENTITLEMENT-BUNDLE",
      "entitlementBundleId": "enbfxqCAJWWGELFTYCCC",
      "action": "ALLOW",
      "actor": "ACCESS_REQUEST",
      "targetResourceOrn": "orn:okta:idp:00o11edPwGqbUrsDm0g4:apps:salesforce:0oafxqCAJWWGELFTYASJ",
      "target": {
        "externalId": "0oafxqCAJWWGELFTYASJ",
        "type": "APPLICATION"
      },
      "targetPrincipalOrn": "orn:okta:directory:00o11edPwGqbUrsDm0g4:users:00ub0oNGTSWTBKOLGLNR",
      "targetPrincipal": {
        "externalId": "00ub0oNGTSWTBKOLGLNR",
        "type": "OKTA_USER"
      },
      "status": "ACTIVE",
      "_links": {
        "entitlementBundle": {}
      }
    },
    {
      "id": "0ggb0oNGTSWTBKOJGDS",
      "created": "2022-03-23T11:11:22Z",
      "createdBy": "00ub0oNGTSWTBKOLGLNR",
      "lastUpdated": "2022-03-23T11:11:22Z",
      "lastUpdatedBy": "00ub0oNGTSWTBKOLGLNR",
      "grantType": "POLICY",
      "action": "ALLOW",
      "actor": "NONE",
      "targetResourceOrn": "orn:okta:idp:00o11edPwGqbUrsDm0g4:apps:salesforce:0oafxqCAJWWGELFTYASJ",
      "target": {
        "externalId": "0oafxqCAJWWGELFTYASJ",
        "type": "APPLICATION"
      },
      "targetPrincipalOrn": "orn:okta:directory:00o11edPwGqbUrsDm0g4:users:00ub0oNGTSWTBKOLGLNR",
      "targetPrincipal": {
        "externalId": "00ub0oNGTSWTBKOLGLNR",
        "type": "OKTA_USER"
      },
      "status": "ACTIVE"
    }
  ],
  "_links": {}
}
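For an access review, the list response can be grouped per principal and resource to show where a policy grant and a requested grant overlap, as described above. This is an added example, not part of the original reference; the function name is hypothetical, and treating a non-POLICY grant without scheduleSettings.expirationDate as a review item is an assumption of this sketch, not a rule stated by the API.

```python
from collections import defaultdict

APP = "orn:okta:idp:00o11edPwGqbUrsDm0g4:apps:salesforce:0oafxqCAJWWGELFTYASJ"
USER = "orn:okta:directory:00o11edPwGqbUrsDm0g4:users:00ub0oNGTSWTBKOLGLNR"
# Constructed sample: the two grants from the list response above, trimmed to
# the fields read below.
SAMPLE = [
    {"id": "0ggb0oNGTSWTBKOLGLNR", "grantType": "ENTITLEMENT-BUNDLE",
     "actor": "ACCESS_REQUEST", "status": "ACTIVE",
     "targetResourceOrn": APP, "targetPrincipalOrn": USER},
    {"id": "0ggb0oNGTSWTBKOJGDS", "grantType": "POLICY",
     "actor": "NONE", "status": "ACTIVE",
     "targetResourceOrn": APP, "targetPrincipalOrn": USER},
]


def review_grants(grants):
    """Group active grants per (principal, resource) and flag items to review."""
    by_pair = defaultdict(list)
    for g in grants:
        if g.get("status") == "ACTIVE":
            by_pair[(g["targetPrincipalOrn"], g["targetResourceOrn"])].append(g)
    report = []
    for (principal, resource), items in sorted(by_pair.items()):
        types = sorted({g["grantType"] for g in items})
        # Review heuristic (assumption): requested or API-created grants
        # should carry an expiration date; policy grants follow the policy.
        no_expiry = sorted(
            g["id"] for g in items
            if g["grantType"] != "POLICY"
            and not (g.get("scheduleSettings") or {}).get("expirationDate")
        )
        report.append({
            "principal": principal,
            "resource": resource,
            "grantTypes": types,
            "layered": len(types) > 1,  # more than one grant type on the pair
            "noExpiry": no_expiry,
        })
    return report
```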
Retrieves the full detail of a specific grant.
Get grant
When authentication fails
When authorization fails
When the requested resource wasn't found
When the rate limit has been exceeded
When there is a server fault due to an unexpected error
{
  "id": "0ggb0oNGTSWTBKOLGLNR",
  "created": "2022-05-24T14:15:22Z",
  "createdBy": "00ub0oNGTSWTBKOLGLNR",
  "lastUpdated": "2022-05-24T14:15:22Z",
  "lastUpdatedBy": "00ub0oNGTSWTBKOLGLNR",
  "grantType": "ENTITLEMENT-BUNDLE",
  "entitlementBundleId": "enbfxqCAJWWGELFTYCCC",
  "action": "ALLOW",
  "actor": "ACCESS_REQUEST",
  "targetResourceOrn": "orn:okta:idp:00o11edPwGqbUrsDm0g4:apps:salesforce:0oafxqCAJWWGELFTYASJ",
  "target": {
    "externalId": "0oafxqCAJWWGELFTYASJ",
    "type": "APPLICATION"
  },
  "targetPrincipalOrn": "orn:okta:directory:00o11edPwGqbUrsDm0g4:users:00ub0oNGTSWTBKOLGLNR",
  "targetPrincipal": {
    "externalId": "00ub0oNGTSWTBKOLGLNR",
    "type": "OKTA_USER"
  },
  "status": "ACTIVE",
  "_links": {
    "entitlementBundle": {}
  }
}
Replaces the entitlements of a grant with a specific id.
You can only replace objects in the entitlements array for a grant with the CUSTOM grant type.
This may result in changes to principal entitlements.
The grant request parameters depend on the selected grantType.
required | object Links available on a single grant representation
action required | string Default: "ALLOW" The action to be taken for a grant
actor required | string Default: "API" The actor sending the grant request
grantType required | string Type of grant
id required | string non-empty Unique identifier for the object
status required | string The state of the particular grant setting
required | object Representation of a resource
required | object Representation of a principal
targetPrincipalOrn required | string <okta-user-orn> The Okta user See Supported resources.
targetResourceOrn required | string <okta-resource-orn> The Okta app instance, in ORN format. See the ORN format for a specific app in Supported resources.
entitlementBundleId | string <entitlement-bundle-id> = 20 characters The entitlement bundle
Array of objects Collection of entitlements and associated value identifiers
object Grant metadata properties
object Scheduler specific settings applicable to a grant.
A successful grant creation operation
An invalid request to create an entitlement bundle
When authentication fails
When authorization fails
When the rate limit has been exceeded
When there is a server fault due to an unexpected error
Update custom grant entitlements.
{
  "id": "0ggb0oNGTSWTBKOLGLNR",
  "created": "2022-05-24T14:15:22Z",
  "createdBy": "00ub0oNGTSWTBKOLGLNR",
  "lastUpdated": "2022-05-24T14:15:22Z",
  "lastUpdatedBy": "00ub0oNGTSWTBKOLGLNR",
  "grantType": "CUSTOM",
  "action": "ALLOW",
  "actor": "API",
  "targetResourceOrn": "orn:okta:idp:00o11edPwGqbUrsDm0g4:apps:salesforce:0oafxqCAJWWGELFTYASJ",
  "target": {
    "externalId": "0oafxqCAJWWGELFTYASJ",
    "type": "APPLICATION"
  },
  "targetPrincipalOrn": "orn:okta:directory:00o11edPwGqbUrsDm0g4:users:00ub0oNGTSWTBKOLGLNR",
  "targetPrincipal": {
    "externalId": "00ub0oNGTSWTBKOLGLNR",
    "type": "OKTA_USER"
  },
  "entitlements": [
    {
      "id": "espo3v6xlwdtEX2il1d6",
      "values": [
        {
          "id": "ento3v6xmkviXCltm1d6"
        },
        {
          "id": "ento3v6xk6nOq7lm51d6"
        }
      ]
    },
    {
      "id": "esp4rg7fkom0c3AsX8g6",
      "values": [
        {
          "id": "ent4rg7fltWSgrlDT8g6"
        }
      ]
    }
  ],
  "status": "ACTIVE",
  "_links": {}
}
Grant a resource with custom entitlements
{
  "id": "0ggb0oNGTSWTBKOLGLNR",
  "created": "2022-05-24T14:15:22Z",
  "createdBy": "00ub0oNGTSWTBKOLGLNR",
  "lastUpdated": "2022-05-24T14:15:22Z",
  "lastUpdatedBy": "00ub0oNGTSWTBKOLGLNR",
  "grantType": "CUSTOM",
  "action": "ALLOW",
  "actor": "API",
  "targetResourceOrn": "orn:okta:idp:00o11edPwGqbUrsDm0g4:apps:salesforce:0oafxqCAJWWGELFTYASJ",
  "target": {
    "externalId": "0oafxqCAJWWGELFTYASJ",
    "type": "APPLICATION"
  },
  "targetPrincipalOrn": "orn:okta:directory:00o11edPwGqbUrsDm0g4:users:00ub0oNGTSWTBKOLGLNR",
  "targetPrincipal": {
    "externalId": "00ub0oNGTSWTBKOLGLNR",
    "type": "OKTA_USER"
  },
  "entitlements": [
    {
      "id": "espo3v6xlwdtEX2il1d6",
      "values": [
        {
          "id": "ento3v6xmkviXCltm1d6"
        },
        {
          "id": "ent6asdxmkvabcltm3g5"
        }
      ]
    },
    {
      "id": "esp4rg7fkom0c3AsX8g6",
      "values": [
        {
          "id": "ent4rg7fltWSgrlDT8g6"
        },
        {
          "id": "ent4rg7fu190Eg75a8g6"
        }
      ]
    }
  ],
  "status": "ACTIVE",
  "_links": {}
}
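Because a replace swaps the whole entitlements array and may change what the principal holds, it helps to compute the difference between the current grant and the proposed body before sending it. This is an added example, not part of the original reference; the function names are hypothetical, and the two grants are constructed from the entitlement and value ids in the samples above.

```python
# Constructed sample: the grant as currently stored and the proposed
# replacement body, using ids from the two samples on this page.
CURRENT = {"id": "0ggb0oNGTSWTBKOLGLNR", "grantType": "CUSTOM", "entitlements": [
    {"id": "espo3v6xlwdtEX2il1d6", "values": [{"id": "ento3v6xmkviXCltm1d6"},
                                              {"id": "ento3v6xk6nOq7lm51d6"}]},
    {"id": "esp4rg7fkom0c3AsX8g6", "values": [{"id": "ent4rg7fltWSgrlDT8g6"}]}]}
REPLACEMENT = {"id": "0ggb0oNGTSWTBKOLGLNR", "grantType": "CUSTOM", "entitlements": [
    {"id": "espo3v6xlwdtEX2il1d6", "values": [{"id": "ento3v6xmkviXCltm1d6"},
                                              {"id": "ent6asdxmkvabcltm3g5"}]},
    {"id": "esp4rg7fkom0c3AsX8g6", "values": [{"id": "ent4rg7fltWSgrlDT8g6"},
                                              {"id": "ent4rg7fu190Eg75a8g6"}]}]}


def _value_ids(grant):
    """Map entitlement id -> set of value ids from a grant's entitlements array."""
    return {e["id"]: {v["id"] for v in e.get("values", [])}
            for e in grant.get("entitlements", [])}


def entitlement_delta(current, replacement):
    """Return the value ids a replace would add and remove, per entitlement id."""
    if current.get("grantType") != "CUSTOM":
        raise ValueError("only CUSTOM grants accept an entitlements replacement")
    if current.get("id") != replacement.get("id"):
        raise ValueError("replacement body targets a different grant id")
    before, after = _value_ids(current), _value_ids(replacement)
    added, removed = {}, {}
    for ent in sorted(before.keys() | after.keys()):
        plus = after.get(ent, set()) - before.get(ent, set())
        minus = before.get(ent, set()) - after.get(ent, set())
        if plus:
            added[ent] = sorted(plus)
        if minus:
            removed[ent] = sorted(minus)
    return {"added": added, "removed": removed}
```

An empty "added" map means the replace only narrows access; anything listed there is new privilege and is worth an approval step before the request is sent.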
Updates a grant expiry date.
You can only update the scheduleSettings.expirationDate property for a grant.
A successful grant patch operation
An invalid request to patch expiration date for grant
When authentication fails
When authorization fails
When the rate limit has been exceeded
When there is a server fault due to an unexpected error
Update grant's expiration date.
{
  "id": "0ggb0oNGTSWTBKOLGLNR",
  "scheduleSettings": {
    "expirationDate": "2022-11-24T14:15:22Z"
  }
}
{
  "id": "0ggb0oNGTSWTBKOLGLNR",
  "created": "2022-05-24T14:15:22Z",
  "createdBy": "00ub0oNGTSWTBKOLGLNR",
  "lastUpdated": "2022-05-24T14:15:22Z",
  "lastUpdatedBy": "00ub0oNGTSWTBKOLGLNR",
  "grantType": "ENTITLEMENT-BUNDLE",
  "entitlementBundleId": "enbfxqCAJWWGELFTYCCC",
  "action": "ALLOW",
  "actor": "API",
  "targetResourceOrn": "orn:okta:idp:00o11edPwGqbUrsDm0g4:apps:salesforce:0oafxqCAJWWGELFTYASJ",
  "target": {
    "externalId": "0oafxqCAJWWGELFTYASJ",
    "type": "APPLICATION"
  },
  "targetPrincipalOrn": "orn:okta:directory:00o11edPwGqbUrsDm0g4:users:00ub0oNGTSWTBKOLGLNR",
  "targetPrincipal": {
    "externalId": "00ub0oNGTSWTBKOLGLNR",
    "type": "OKTA_USER"
  },
  "status": "ACTIVE",
  "scheduleSettings": {
    "expirationDate": "2022-11-24T14:15:22Z",
    "timeZone": "America/Toronto"
  },
  "_links": {
    "entitlementBundle": {}
  }
}