Resource Owners

The Resource Owners API allows you to manage assigning owners to resources in your Okta Identity Governance (OIG) org. You can drive automation and simplify OIG configuration by assigning owners to resources, such as apps, groups, and entitlements. For example, resource owners are automatically assign as reviewers for access certifications or requests that are scoped with specific owner-assigned resources.

Configure the resource owners
Beta
OAuth 2.0 scopes:
okta.governance.resourceOwner.manage
Admin roles:
SUPER_ADMIN
Permissions:
okta.apps.manage
okta.users.read
okta.groups.read

Configures the owners for resources

Request

Request Body schema: application/json
required

resourceOrns required	Array of strings <okta-resource-orn> [ 1 .. 10 ] items The resources to assign owners
principalOrns	Array of strings <okta-principal-orn> [ 0 .. 5 ] items Owners of the resource. If no owners are provided (empty list), then all current owners are removed.

Responses

200

Resource owners success response

400

A request failed validation

401

When authentication fails

403

When authorization fails

429

When the rate limit has been exceeded

500

When there is a server fault due to an unexpected error

post/governance/api/v1/resource-owners

Request samples

application/json

{"principalOrns": ["orn:okta:directory:00o11edPwGqbUrsDm0g4:users:00u10sfroCwbHQO4a0g",
"orn:okta:directory:00o11edPwGqbUrsDm0g4:users:00u6yl0Q065H4BCPR0g4"
],
"resourceOrns": ["orn:okta:governance:00o11edPwGqbUrsDm0g4:entitlement-bundles:enbogpaj3XUzcM62u1d6"
]
}

Response samples

application/json

{"data": [{"parentResourceOrn": "orn:okta:idp:00o11edPwGqbUrsDm0g4:apps:salesforce:0oafxqCAJWWGELFTYASJ",
"resource": {"id": "enbogpaj3XUzcM62u1d6",
"type": "entitlement-bundles",
"orn": "orn:okta:governance:00o11edPwGqbUrsDm0g4:entitlement-bundles:enbogpaj3XUzcM62u1d6",
"profile": {"id": "enbogpaj3XUzcM62u1d6",
"name": "Github admin bundle",
"description": "Github bundle for administrative access"
}
},
"principals": [{"id": "pri10sfroCwbHQO4a0g4",
"type": "users",
"orn": "orn:okta:directory:00o11edPwGqbUrsDm0g4:users:00u10sfroCwbHQO4a0g4",
"profile": {"id": "00u10sfroCwbHQO4a0g4",
"name": "Some Name",
"email": "some.name@okta.com",
"_links": {"self": {"href": "https://myorg.okta.com/admin/user/profile/view/00u10sfroCwbHQO4a0g4"
}
}
}
},
{"id": "pri6yl0Q065H4BCPR0g4",
"type": "users",
"orn": "orn:okta:directory:00o11edPwGqbUrsDm0g4:users:00u6yl0Q065H4BCPR0g4",
"profile": {"id": "00u6yl0Q065H4BCPR0g4",
"email": "someother.name@okta.com",
"name": "Some Other Name",
"_links": {"self": {"href": "https://myorg.okta.com/admin/user/profile/view/00u6yl0Q065H4BCPR0g4"
}
}
}
}
]
}
]
}

List all resources with owners
Beta
OAuth 2.0 scopes:
okta.governance.resourceOwner.read
Admin roles:
SUPER_ADMIN
Permissions:
okta.apps.read
okta.users.read
okta.groups.read

Lists all resources with assigned owners for an app (the parent resource).

For this request, you must specifiy the filter query parameter with a parentResourceOrn filter expression. This method returns all the resources, such as entitlements or entitlement bundles, that have owners assigned.

Request

query Parameters

after

string

The pagination cursor that points to the last record of the previous request.

Example: after=00u68w6vzKLultXS97g6

filter

required

string <scim-filter>

A filter expression that returns entries based on the following properties and supported operators:

parentResourceOrn: supports eq (required)
resource.orn: supports eq
resource.type: supports eq
resource.profile.name: supports sw and co (both parentResourceOrn and resource.type filters are required for resource.profile.name filtering)

Note: Query parameter percent encoding is required. See Special characters.

Examples:

Filter by parentResourceOrn filter=parentResourceOrn eq "orn:okta:idp:00o11edPwGqbUrsDm0g4:apps:salesforce:0oafxqCAJWWGELFTYASJ"

Filter by resource orn, which can be an app or a bundle filter=parentResourceOrn eq "orn:okta:idp:00o11edPwGqbUrsDm0g4:apps:salesforce:0oafxqCAJWWGELFTYASJ" AND resource.orn eq "orn:okta:governance:00o11edPwGqbUrsDm0g4:entitlement-bundles:enbogpaj3XUzcM62u1d6"

Filter by resource type, which can be an app or a bundle filter=parentResourceOrn eq "orn:okta:idp:00o11edPwGqbUrsDm0g4:apps:salesforce:0oafxqCAJWWGELFTYASJ" AND resource.type eq "entitlement-bundles"

Filter by the resource name for a specified resource type, starting with the provided prefix filter=parentResourceOrn eq "orn:okta:idp:00o11edPwGqbUrsDm0g4:apps:salesforce:0oafxqCAJWWGELFTYASJ" AND resource.type eq "entitlement-bundles" AND resource.profile.name sw "License"

Filter by the resource name for a specified resource type that contains the provided substring filter=parentResourceOrn eq "orn:okta:idp:00o11edPwGqbUrsDm0g4:apps:salesforce:0oafxqCAJWWGELFTYASJ" AND resource.type eq "entitlement-bundles" AND resource.profile.name co "License"

include

Array of strings

Adds additional properties in the response

Items Value:	Description
parent_resource_owner	If the parent resource has an owner assigned, then the parent resource is included in the `data` array response.

Examples:

Include parent resource owners in the response

Query param: ?include=parent_resource_owner

include=parent_resource_owner

limit

integer [ 1 .. 200 ]

Default: 20

The maximum number of records returned in a response

Responses

200

Resource owners list success response

400

A request failed validation

401

When authentication fails

403

When authorization fails

429

When the rate limit has been exceeded

500

When there is a server fault due to an unexpected error

get/governance/api/v1/resource-owners

Request samples

Response samples

application/json

{"data": [{"parentResourceOrn": "orn:okta:idp:00o11edPwGqbUrsDm0g4:apps:salesforce:0oafxqCAJWWGELFTYASJ",
"resource": {"id": "enbogpaj3XUzcM62u1d6",
"type": "entitlement-bundles",
"orn": "orn:okta:governance:00o11edPwGqbUrsDm0g4:entitlement-bundles:enbogpaj3XUzcM62u1d6",
"profile": {"id": "enbogpaj3XUzcM62u1d6",
"name": "Github admin bundle",
"description": "Github bundle for administrative access"
}
},
"principals": [{"id": "pri10sfroCwbHQO4a0g4",
"type": "users",
"orn": "orn:okta:directory:00o11edPwGqbUrsDm0g4:users:00u10sfroCwbHQO4a0g4",
"profile": {"id": "00u10sfroCwbHQO4a0g4",
"name": "Some Name",
"email": "some.name@okta.com",
"_links": {"self": {"href": "https://myorg.okta.com/admin/user/profile/view/00u10sfroCwbHQO4a0g4"
}
}
}
},
{"id": "pri6yl0Q065H4BCPR0g4",
"type": "users",
"orn": "orn:okta:directory:00o11edPwGqbUrsDm0g4:users:00u6yl0Q065H4BCPR0g4",
"profile": {"id": "00u6yl0Q065H4BCPR0g4",
"email": "someother.name@okta.com",
"name": "Some Other Name",
"_links": {"self": {"href": "https://myorg.okta.com/admin/user/profile/view/00u6yl0Q065H4BCPR0g4"
}
}
}
}
]
},
{"parentResourceOrn": "orn:okta:idp:00o11edPwGqbUrsDm0g4:apps:salesforce:0oafxqCAJWWGELFTYASJ",
"resource": {"id": "entn4WFkzQJhB6QIa0g1",
"type": "entitlement-values",
"orn": "orn:okta:governance:00o11edPwGqbUrsDm0g4:entitlement-values:entn4WFkzQJhB6QIa0g1",
"profile": {"id": "entn4WFkzQJhB6QIa0g1",
"name": "License Entitlement value 1",
"description": "Some license entitlement value",
"parent": {"id": "esp2lr1lavoGDYw5U8g6",
"name": "License Entitlement"
}
}
},
"principals": [{"id": "pri10ctakVI6XlTdk0g4",
"type": "groups",
"orn": "orn:okta:directory:00o11edPwGqbUrsDm0g4:groups:00g10ctakVI6XlTdk0g4",
"profile": {"id": "00g10ctakVI6XlTdk0g4",
"name": "Okta Admins Group",
"metaData": {"userAssignmentCount": 2
},
"_links": {"self": {"href": "https://myorg.okta.com/admin/group/00g10ctakVI6XlTdk0g4"
}
}
}
}
]
},
{"parentResourceOrn": "orn:okta:idp:00o11edPwGqbUrsDm0g4:apps:salesforce:0oafxqCAJWWGELFTYASJ",
"resource": {"id": "enb1spaj3XUzcM62u1d6",
"type": "entitlement-bundles",
"orn": "orn:okta:governance:00o11edPwGqbUrsDm0g4:entitlement-bundles:enb1spaj3XUzcM62u1d6",
"profile": {"id": "enb1spaj3XUzcM62u1d6",
"name": "Github sub bundle",
"description": "Github sub for administrative access"
}
},
"principals": [{"id": "pri10ctakVI6XlTdk0g4",
"type": "groups",
"orn": "orn:okta:directory:00o11edPwGqbUrsDm0g4:groups:00g10ctakVI6XlTdk0g4",
"profile": {"id": "00g10ctakVI6XlTdk0g4",
"name": "Okta Admins Group",
"metaData": {"userAssignmentCount": 5
},
"_links": {"self": {"href": "https://myorg.okta.com/admin/group/00g10ctakVI6XlTdk0g4"
}
}
}
}
]
}
],
"_links": {"self": {"href": "https://myorg.okta.com/governance/api/v1/resource-owners?limit=20&filter=parentResourceOrn eq \"orn:okta:idp:00o11edPwGqbUrsDm0g4:apps:salesforce:0oafxqCAJWWGELFTYASJ\""
}
},
"metadata": {"total": 10
}
}

Update a resource owner
Beta
OAuth 2.0 scopes:
okta.governance.resourceOwner.manage
Admin roles:
SUPER_ADMIN
Permissions:
okta.apps.manage
okta.users.read
okta.groups.read

Updates a resource owner.

Request

Request Body schema: application/json
required

required	Array of objects [ 1 .. 5 ] items
resourceOrn required	string <okta-resource-orn> The ID of the resource in ORN format. The resource can be an app, an entitlement value, or an entitlement bundle. See supported resources.

Responses

204

Resource owners success patch response

400

A request failed validation

401

When authentication fails

403

When authorization fails

429

When the rate limit has been exceeded

500

When there is a server fault due to an unexpected error

patch/governance/api/v1/resource-owners

Request samples

application/json

{"resourceOrn": "orn:okta:governance:00o11edPwGqbUrsDm0g4:entitlement-bundles:enbogpaj3XUzcM62u1d6",
"data": [{"op": "REMOVE",
"path": "/principalOrn",
"value": "orn:okta:directory:00o11edPwGqbUrsDm0g4:users:00u20sfroCwbHQO4a0g"
},
{"op": "REMOVE",
"path": "/principalOrn",
"value": "orn:okta:directory:00o11edPwGqbUrsDm0g4:users:00u10sfroCwbHQO4a0g"
}
]
}

Response samples

application/json

{"errorCode": "string",
"errorId": "string",
"errorSummary": "string",
"errorLink": "string",
"errorCauses": [{"errorSummary": "string",
"reason": "string",
"location": "string",
"locationType": "string",
"domain": "string"
}
]
}

List all resources without owners
Beta
OAuth 2.0 scopes:
okta.governance.resourceOwner.read
Admin roles:
SUPER_ADMIN
Permissions:
okta.apps.read

Lists all resources without assigned owners for an app (the parent resource).

For this request, you must specifiy the filter query parameter with a parentResourceOrn filter expression. This method returns all the resources for an app, such as entitlements or entitlement bundles, that don't have owners assigned.

Request

query Parameters

after	string The pagination cursor that points to the last record of the previous request. Example: after=00u68w6vzKLultXS97g6
filter required	string <scim-filter> A filter expression that returns entries based on the following properties and supported operators: `parentResourceOrn`: supports `eq` (required) `resource.type`: supports `eq` `resource.profile.`: supports `sw` and `co` (both `parentResourceOrn` and `resource.type` filters are required for `resource.profile.` filtering) Note: Query parameter percent encoding is required. See Special characters. Examples: Filter by resource type filter=parentResourceOrn eq "orn:okta:idp:00o11edPwGqbUrsDm0g4:apps:salesforce:0oafxqCAJWWGELFTYASJ" AND resource.type eq "entitlement-bundles" Filter by the resource name for a specified resource type, starting with the provided prefix filter=parentResourceOrn eq "orn:okta:idp:00o11edPwGqbUrsDm0g4:apps:salesforce:0oafxqCAJWWGELFTYASJ" AND resource.type eq "entitlement-bundles" AND resource.profile.name sw "License" Filter by the resource name for a specified resource type that contains the provided substring filter=parentResourceOrn eq "orn:okta:idp:00o11edPwGqbUrsDm0g4:apps:salesforce:0oafxqCAJWWGELFTYASJ" AND resource.type eq "entitlement-bundles" AND resource.profile.name co "License" Filter by resource type and parent ID filter=parentResourceOrn eq "orn:okta:idp:00o11edPwGqbUrsDm0g4:apps:salesforce:0oafxqCAJWWGELFTYASJ" AND resource.type eq "entitlement-values AND resource.profile.parent.id eq "esp2lr1lavoGDYw5U8g6" Filter by the resource name for a specified resource type, starting with the provided prefix and parent ID filter=parentResourceOrn eq "orn:okta:idp:00o11edPwGqbUrsDm0g4:apps:salesforce:0oafxqCAJWWGELFTYASJ" AND resource.type eq "entitlement-values" AND resource.profile.parent.id eq "esp2lr1lavoGDYw5U8g6" AND resource.profile.name sw "License" Filter by the resource name for a specified resource type that contains the provided substring and parent ID filter=parentResourceOrn eq "orn:okta:idp:00o11edPwGqbUrsDm0g4:apps:salesforce:0oafxqCAJWWGELFTYASJ" AND resource.type eq "entitlement-values" AND resource.profile.parent.id eq "esp2lr1lavoGDYw5U8g6" AND resource.profile.name co "License"
limit	integer [ 1 .. 200 ] Default: 20 The maximum number of records returned in a response

Responses

200

Resource owners catalog resources success response

400

A request failed validation

401

When authentication fails

403

When authorization fails

429

When the rate limit has been exceeded

500

When there is a server fault due to an unexpected error

get/governance/api/v1/resource-owners/catalog/resources

Request samples

Response samples

application/json

{"parentResourceOrn": "orn:okta:idp:00o11edPwGqbUrsDm0g4:apps:salesforce:0oafxqCAJWWGELFTYASJ",
"data": [{"id": "enbogpaj3XUzcM62u1d6",
"type": "entitlement-bundles",
"orn": "orn:okta:governance:00o11edPwGqbUrsDm0g4:entitlement-bundles:enbogpaj3XUzcM62u1d6",
"profile": {"id": "enbogpaj3XUzcM62u1d6",
"name": "Github admin bundle",
"description": "Github bundle for administrative access"
}
},
{"id": "enb1spaj3XUzcM62u1d6",
"type": "entitlement-bundles",
"orn": "orn:okta:governance:00o11edPwGqbUrsDm0g4:entitlement-bundles:enb1spaj3XUzcM62u1d6",
"profile": {"id": "enb1spaj3XUzcM62u1d6",
"name": "Github sub bundle",
"description": "Github sub for administrative access"
}
}
],
"_links": {"self": {"href": "https://myorg.okta.com/governance/api/v1/resource-owners/catalog/resources?limit=20&filter=parentResourceOrn eq \"orn:okta:idp:00o11edPwGqbUrsDm0g4:apps:salesforce:0oafxqCAJWWGELFTYASJ\" AND resource.type eq \"entitlement-bundles\""
}
}
}

Social
CONTACT & LEGAL
MORE INFORMATION
okta.com
Products, case studies, resources
Help Center
Knowledgebase, roadmaps, and more
Trust
System status, security, compliance

Resource Owners

Configure the resource ownersBetaOAuth 2.0 scopes: okta.governance.resourceOwner.manageAdmin roles: SUPER_ADMINPermissions: okta.apps.manageokta.users.readokta.groups.read

Request Body schema: application/jsonrequired

List all resources with ownersBetaOAuth 2.0 scopes: okta.governance.resourceOwner.readAdmin roles: SUPER_ADMINPermissions: okta.apps.readokta.users.readokta.groups.read

query Parameters

Update a resource ownerBetaOAuth 2.0 scopes: okta.governance.resourceOwner.manageAdmin roles: SUPER_ADMINPermissions: okta.apps.manageokta.users.readokta.groups.read

Request Body schema: application/jsonrequired

List all resources without ownersBetaOAuth 2.0 scopes: okta.governance.resourceOwner.readAdmin roles: SUPER_ADMINPermissions: okta.apps.read

query Parameters

Configure the resource owners
Beta
OAuth 2.0 scopes:
okta.governance.resourceOwner.manage
Admin roles:
SUPER_ADMIN
Permissions:
okta.apps.manage
okta.users.read
okta.groups.read

Request Body schema: application/json
required

List all resources with owners
Beta
OAuth 2.0 scopes:
okta.governance.resourceOwner.read
Admin roles:
SUPER_ADMIN
Permissions:
okta.apps.read
okta.users.read
okta.groups.read

Update a resource owner
Beta
OAuth 2.0 scopes:
okta.governance.resourceOwner.manage
Admin roles:
SUPER_ADMIN
Permissions:
okta.apps.manage
okta.users.read
okta.groups.read

Request Body schema: application/json
required

List all resources without owners
Beta
OAuth 2.0 scopes:
okta.governance.resourceOwner.read
Admin roles:
SUPER_ADMIN
Permissions:
okta.apps.read