Principal Entitlements represent the effective entitlements for a user and resource after evaluating all grants.
See Entitlement Management for more information.
Retrieves the principal's effective entitlements for a specific resource
filter required | string <scim-filter> Apply various filters by using supported principal entitlements filtering properties. Note: Query parameter percent encoding is required. See Percent-encoding Query param: ?filter=parent.externalId eq "0oafxqCAJWWGELFTYASJ" AND parent.type eq "APPLICATION" AND targetPrincipal.externalId eq "00ub0oNGTSWTBKOLGLNR" AND targetPrincipal.type eq "OKTA_USER" filter=parent.externalId%20eq%20%220oafxqCAJWWGELFTYASJ%22%20AND%20parent.type%20eq%20%22APPLICATION%22%20AND%20targetPrincipal.externalId%20eq%20%2200ub0oNGTSWTBKOLGLNR%22%20AND%20targetPrincipal.type%20eq%20%22OKTA_USER%22Query param: ?filter=parentResourceOrn eq "orn:okta:idp:00o11edPwGqbUrsDm0g4:apps:oidc:0oafxqCAJWWGELFTYASJ" AND targetPrincipalOrn eq "orn:okta:directory:00o11edPwGqbUrsDm0g4:users:00ub0oNGTSWTBKOLGLNR" filter=parentResourceOrn%20eq%20%22orn:okta:idp:00o11edPwGqbUrsDm0g4:apps:oidc:0oafxqCAJWWGELFTYASJ%22%20AND%20targetPrincipalOrn%20eq%20%22orn:okta:directory:00o11edPwGqbUrsDm0g4:users:00ub0oNGTSWTBKOLGLNR%22 |
List of all principal entitlements for a specific resource.
An invalid list request
When authentication fails
When authorization fails
When the requested resource wasn't found
When the rate limit has been exceeded
When there is a server fault due to an unexpected error
When a user has been granted some License and Role entitlement's to Salesforce
{- "data": [
- {
- "id": "espo3v6xlwdtEX2il1d6",
- "name": "License",
- "externalValue": "License",
- "description": "This is a license entitlement",
- "multiValue": true,
- "required": false,
- "dataType": "string",
- "targetPrincipalOrn": "orn:okta:directory:00o11edPwGqbUrsDm0g4:users:00ub0oNGTSWTBKOLGLNR",
- "targetPrincipal": {
- "externalId": "00ub0oNGTSWTBKOLGLNR",
- "type": "OKTA_USER"
}, - "parentResourceOrn": "orn:okta:idp:00o11edPwGqbUrsDm0g4:apps:salesforce:0oafxqCAJWWGELFTYASJ",
- "parent": {
- "externalId": "0oafxqCAJWWGELFTYASJ",
- "type": "APPLICATION"
}, - "values": [
- {
- "id": "ento3v6xmkviXCltm1d6",
- "name": "A label",
- "externalValue": "A",
- "description": "A label description"
}, - {
- "id": "ento3v6xk6nOq7lm51d6",
- "externalValue": "B",
- "name": "B label",
- "description": "B label description"
}
]
}, - {
- "id": "esp4rg7fkom0c3AsX8g6",
- "name": "Role",
- "externalValue": "Role",
- "description": "This is a role entitlement",
- "multiValue": false,
- "required": false,
- "dataType": "string",
- "targetPrincipal": {
- "externalId": "00ub0oNGTSWTBKOLGLNR",
- "type": "OKTA_USER"
}, - "parent": {
- "externalId": "0oafxqCAJWWGELFTYASJ",
- "type": "APPLICATION"
}, - "values": [
- {
- "id": "ent4rg7fltWSgrlDT8g6",
- "name": "C label",
- "externalValue": "C",
- "description": "C label description"
}
]
}
]
}
Retrieves an entitlement history log for a specific principal and resource.
Specify the required principal and resource references in the filter
query parameter.
You can optionally specify a time range for the returned history log.
after | string The pagination cursor that points to the last record of the previous request. Example: after=00u68w6vzKLultXS97g6 | ||||
filter required | string <scim-filter> This filter expression supports the Required: You must specify both principal and resource references with one of these sets of properties:
Optional: You can optionally filter by a date range with the following properties:
Note: Query parameter percent encoding is required. See Percent-encoding. filter=resource.externalId eq "0oafxqCAJWWGELFTYASJ" AND resource.type eq "APPLICATION" AND principal.externalId eq "00ub0oNGTSWTBKOLGLNR" AND principal.type eq "OKTA_USER" filter=resourceOrn eq "orn:okta:idp:00o11edPwGqbUrsDm0g4:apps:oidc:0oafxqCAJWWGELFTYASJ" AND principalOrn eq "orn:okta:directory:00o11edPwGqbUrsDm0g4:users:00ub0oNGTSWTBKOLGLNR" filter=resource.externalId eq "0oafxqCAJWWGELFTYASJ" AND resource.type eq "APPLICATION" AND principal.externalId eq "00ub0oNGTSWTBKOLGLNR" AND principal.type eq "OKTA_USER" AND startDate eq "2024-01-01T00:00:00Z" filter=resource.externalId eq "0oafxqCAJWWGELFTYASJ" AND resource.type eq "APPLICATION" AND principal.externalId eq "00ub0oNGTSWTBKOLGLNR" AND principal.type eq "OKTA_USER" AND endDate eq "2024-12-31T23:59:59Z" filter=resource.externalId eq "0oafxqCAJWWGELFTYASJ" AND resource.type eq "APPLICATION" AND principal.externalId eq "00ub0oNGTSWTBKOLGLNR" AND principal.type eq "OKTA_USER" AND startDate eq "2024-01-01T00:00:00Z" AND endDate eq "2024-12-31T23:59:59Z" filter=resourceOrn eq "orn:okta:idp:00o11edPwGqbUrsDm0g4:apps:oidc:0oafxqCAJWWGELFTYASJ" AND principalOrn eq "orn:okta:directory:00o11edPwGqbUrsDm0g4:users:00ub0oNGTSWTBKOLGLNR" AND startDate eq "2024-01-01T00:00:00Z" AND endDate eq "2024-12-31T23:59:59Z" filter=resourceId eq "res503IOSVGTK5Jwx0g3" AND principalId eq "pri52knJhV4kPqp9j0g3" | ||||
include | Array of strings An optional parameter that adds additional properties in the
Example: include=counts | ||||
limit | integer [ 1 .. 100 ] Default: 20 The maximum number of records returned in a response |
A successful principal entitlements history response
An invalid list request
When authentication fails
When authorization fails
When the requested resource wasn't found
When the rate limit has been exceeded
When there is a server fault due to an unexpected error
The response to a principal entitlements history request with a startDate
, limit=3
, and include=counts
{- "resourceOrn": "orn:okta:idp:00o1kq5LLpmbGnOtz0g4:apps:oidc_client:0oacvetsS5uY0gCzk0g4",
- "resource": {
- "externalId": "0oacvetsS5uY0gCzk0g4",
- "type": "APPLICATION"
}, - "principalOrn": "orn:okta:directory:00o1kq5LLpmbGnOtz0g4:users:00u1rvrLNphg0QAmP0g4",
- "principal": {
- "externalId": "00u1rvrLNphg0QAmP0g4",
- "type": "OKTA_USER"
}, - "entitlementHistory": [
- {
- "startDate": "2025-05-27T18:02:20Z",
- "endDate": "",
- "lifecycle": "ACTIVE",
- "entitlements": [
- {
- "id": "esp50hqELd8zN24EK0g3",
- "name": "kelly1_policy_ent1",
- "externalValue": "kelly1_policy_ent1",
- "description": "Entitlement granted through some policy",
- "multiValue": true,
- "required": false,
- "dataType": "array",
- "values": [
- {
- "id": "ent50iPvQe2pCKXLj0g3",
- "name": "value1",
- "externalValue": "value_1",
- "description": "description for value1"
}, - {
- "id": "ent50jekdX8Pvz7qK0g3",
- "name": "value2",
- "externalValue": "value_2",
- "description": "description for value2"
}
]
}, - {
- "id": "esp50kwLEb7dHf6cR0g3",
- "name": "kelly1_bundle_ent1",
- "externalValue": "kelly1_bundle_ent1",
- "description": "Part 1 of Entitlement granted through some bundle",
- "multiValue": true,
- "required": false,
- "dataType": "array",
- "values": [
- {
- "id": "ent50liBN3ncpWpyx0g3",
- "name": "value1",
- "externalValue": "value_1",
- "description": "description for value1"
}
]
}, - {
- "id": "esp50n7nXZizDH2fI0g3",
- "name": "kelly1_bundle_ent2",
- "externalValue": "kelly1_bundle_ent2",
- "description": "Part 2 of Entitlement granted through some bundle",
- "multiValue": true,
- "required": false,
- "dataType": "array",
- "values": [
- {
- "id": "ent50oF2BKwZzmk3U0g3",
- "name": "value1",
- "externalValue": "value_1",
- "description": "description for value1"
}
]
}
]
}, - {
- "startDate": "2025-05-27T17:46:06Z",
- "endDate": "2025-05-27T18:02:20Z",
- "lifecycle": "INACTIVE",
- "entitlements": [
- {
- "id": "esp50hqELd8zN24EK0g3",
- "name": "kelly1_policy_ent1",
- "externalValue": "kelly1_policy_ent1",
- "description": "Entitlement granted through some policy",
- "multiValue": true,
- "required": false,
- "dataType": "array",
- "values": [
- {
- "id": "ent50iPvQe2pCKXLj0g3",
- "name": "value1",
- "externalValue": "value_1",
- "description": "description for value1"
}, - {
- "id": "ent50jekdX8Pvz7qK0g3",
- "name": "value2",
- "externalValue": "value_2",
- "description": "description for value2"
}
]
}
]
}, - {
- "startDate": "2025-05-27T16:43:54Z",
- "endDate": "2025-05-27T17:46:06Z",
- "lifecycle": "INACTIVE",
- "entitlements": [
- {
- "id": "esp50bptAmBbN6NQD0g3",
- "name": "kelly1_ent2",
- "externalValue": "kelly1_ent2",
- "description": "Some entitlements 2",
- "multiValue": true,
- "required": false,
- "dataType": "array",
- "values": [
- {
- "id": "ent50dFEGSm6ULsws0g3",
- "name": "value2",
- "externalValue": "value_2",
- "description": "description for value2"
}
]
}, - {
- "id": "esp50hqELd8zN24EK0g3",
- "name": "kelly1_policy_ent1",
- "externalValue": "kelly1_policy_ent1",
- "description": "Entitlement granted through some policy",
- "multiValue": true,
- "required": false,
- "dataType": "array",
- "values": [
- {
- "id": "ent50iPvQe2pCKXLj0g3",
- "name": "value1",
- "externalValue": "value_1",
- "description": "description for value1"
}, - {
- "id": "ent50jekdX8Pvz7qK0g3",
- "name": "value2",
- "externalValue": "value_2",
- "description": "description for value2"
}
]
}
]
}
], - "_links": {
}, - "metadata": {
- "total": 4
}
}