Risk Rules

Risk rules let you define criteria under which access granted to a principal constitutes a risk to your org.

Risk rules are used to support separation of duties (SOD) in Access Certifications and Access Requests. See the Separation of duties product documentation.

Create a risk rule
Beta
Admin roles:
  • Application Administrator
OAuth 2.0:
  • okta.governance.riskRule.manage

Creates a risk rule

Request
Request Body schema: application/json
conflictCriteria
required
object

Conflict criteria for the risk rule

name
required
string [ 1 .. 255 ] characters

Name of the resource risk rule

resources
required
Array of objects <= 1 items

Resources that the risk rule applies to

type
required
string

Risk rule type

Value: "SEPARATION_OF_DUTIES"
description
string [ 1 .. 1000 ] characters

Description of the risk rule

notes
string [ 1 .. 1000 ] characters

Additional information about the risk rule

Responses
201

Risk rule success response

400

Returned when a rule with the same name already exists

401

When authentication fails

403

When authorization fails

429

When the rate limit has been exceeded

500

When there is a server fault due to an unexpected error

POST /governance/api/v1/risk-rules
Request samples
application/json
{
  "name": "Process and Approve Payment",
  "description": "Process and Approve Payment",
  "type": "SEPARATION_OF_DUTIES",
  "resources": [
    {
      "resourceOrn": "orn:okta:idp:00o11edPwGqbUrsDm0g4:apps:salesforce:0oafxqCAJWWGELFTYASJ"
    }
  ],
  "conflictCriteria": {
    "and": [
      {},
      {}
    ]
  }
}
Response samples
application/json
{
  "id": "rulb0oNGTSWTBKOLGLNR",
  "name": "Process and Approve Payment",
  "description": "Process and Approve Payment",
  "type": "SEPARATION_OF_DUTIES",
  "status": "ACTIVE",
  "resources": [
    {
      "resourceOrn": "orn:okta:idp:00o11edPwGqbUrsDm0g4:apps:salesforce:0oafxqCAJWWGELFTYASJ"
    }
  ],
  "lastUpdated": "2022-05-24T14:15:22Z",
  "createdBy": "00ub0oNGTSWTBKOLGLNR",
  "created": "2022-05-24T14:15:22Z",
  "lastUpdatedBy": "00ub0oNGTSWTBKOLGLNR",
  "conflictCriteria": {
    "and": [
      {},
      {}
    ]
  }
}
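As an added example that is not Okta's own SDK or documentation code, the Python below assembles a create request for this endpoint, enforces the documented body limits (name 1..255 characters, description and notes 1..1000 characters, at most one resource, type restricted to SEPARATION_OF_DUTIES) before anything is sent, and maps the documented status codes, including the duplicate-name 400 and the error object shape shown for this API, to an outcome the caller can act on. The org URL, token and ORN values are constructed placeholders, and presenting the OAuth 2.0 token as a Bearer header is an assumption.

```python
"""Build and pre-validate a POST /governance/api/v1/risk-rules request.

Added example, not Okta's SDK. ORG_URL, TOKEN and the resource ORN below are
constructed placeholders; the Bearer header is an assumption about how the
access token carrying okta.governance.riskRule.manage is presented.
"""
import json

RISK_RULES_PATH = "/governance/api/v1/risk-rules"
RULE_TYPES = {"SEPARATION_OF_DUTIES"}  # the only value the create schema documents


def payload_problems(name, resource_orns, conflict_criteria,
                     description=None, notes=None, rule_type="SEPARATION_OF_DUTIES"):
    """Return the list of schema violations (empty when the payload is valid)."""
    problems = []
    if not 1 <= len(name) <= 255:
        problems.append("name must be 1..255 characters")
    if rule_type not in RULE_TYPES:
        problems.append(f"type must be one of {sorted(RULE_TYPES)}")
    if len(resource_orns) > 1:
        problems.append("resources accepts at most 1 item")
    if not isinstance(conflict_criteria, dict):
        problems.append("conflictCriteria must be an object")
    for field, value in (("description", description), ("notes", notes)):
        if value is not None and not 1 <= len(value) <= 1000:
            problems.append(f"{field} must be 1..1000 characters")
    return problems


def build_create_payload(name, resource_orns, conflict_criteria,
                         description=None, notes=None):
    """Return the request body, raising ValueError instead of waiting for a 400."""
    problems = payload_problems(name, resource_orns, conflict_criteria, description, notes)
    if problems:
        raise ValueError("; ".join(problems))
    payload = {
        "name": name,
        "type": "SEPARATION_OF_DUTIES",
        "resources": [{"resourceOrn": orn} for orn in resource_orns],
        "conflictCriteria": conflict_criteria,
    }
    if description is not None:
        payload["description"] = description
    if notes is not None:
        payload["notes"] = notes
    return payload


def build_create_request(org_url, token, payload):
    """Return (method, url, headers, body) ready for any HTTP client."""
    headers = {
        "Authorization": f"Bearer {token}",  # assumption: OAuth 2.0 access token
        "Content-Type": "application/json",
        "Accept": "application/json",
    }
    return "POST", org_url.rstrip("/") + RISK_RULES_PATH, headers, json.dumps(payload)


def interpret_create_response(status, body):
    """Map the documented status codes to (outcome, retryable, detail).

    `body` is the parsed JSON response. For create, 400 is documented as the
    duplicate-name case; error bodies follow the errorSummary/errorCauses shape.
    """
    if status == 201:
        return "created", False, body.get("id")
    summary, causes = "", []
    if isinstance(body, dict):
        summary = body.get("errorSummary", "")
        causes = [c.get("errorSummary", "") for c in body.get("errorCauses", [])]
    detail = "; ".join([summary] + causes).strip("; ")
    if status == 400:
        return "duplicate_name", False, detail
    if status in (401, 403):
        return "auth_failure", False, detail
    if status == 429:
        return "rate_limited", True, detail
    if status >= 500:
        return "server_error", True, detail
    return "unexpected", False, detail


if __name__ == "__main__":
    # Constructed placeholders; the ORN mirrors the format of the page's sample.
    ORG_URL = "https://example.okta.com"
    TOKEN = "REPLACE_WITH_ACCESS_TOKEN"
    ORN = "orn:okta:idp:00o11edPwGqbUrsDm0g4:apps:salesforce:0oafxqCAJWWGELFTYASJ"
    body = build_create_payload("Process and Approve Payment", [ORN], {"and": [{}, {}]},
                                description="Process and Approve Payment")
    print(build_create_request(ORG_URL, TOKEN, body))
```

Keeping the validation in a function that returns a list rather than raising on the first problem lets a provisioning pipeline report every defect in one pass; the 429 and 5xx outcomes are the only ones flagged as retryable, so a duplicate name or an authorization failure is surfaced instead of being retried.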

List all risk rules
Beta
Admin roles:
  • Application Administrator
OAuth 2.0:
  • okta.governance.riskRule.read

Lists all risk rules

Request
query Parameters
after
string

The pagination cursor that points to the last record of the previous request.

Example: after=00u68w6vzKLultXS97g6
filter
string <scim-filter>

A filter expression that returns entries based on the resourceOrn and name properties and supports the following operators:

  • eq operator for the resourceOrn property
  • sw operator for the name property

Note: Query parameter percent encoding is required. See Special characters.

Example: filter=resourceOrn%20eq%20%22orn:okta:idp:00o11edPwGqbUrsDm0g4:apps:oidc:0oafxqCAJWWGELFTYASJ%22
limit
integer [ 1 .. 200 ]
Default: 20

The maximum number of records returned in a response

Responses
200

Risk rules retrieved successfully

400

A request failed validation

401

When authentication fails

403

When authorization fails

429

When the rate limit has been exceeded

500

When there is a server fault due to an unexpected error

GET /governance/api/v1/risk-rules
Response samples
application/json
{
  "data": [
    {
      "id": "rulb0oNGTSWTBKOLGLNR",
      "name": "Process and Approve Payment",
      "description": "Process and Approve Payment",
      "type": "SEPARATION_OF_DUTIES",
      "status": "ACTIVE",
      "resources": [],
      "lastUpdated": "2022-05-24T14:15:22Z",
      "createdBy": "00ub0oNGTSWTBKOLGLNR",
      "created": "2022-05-24T14:15:22Z",
      "lastUpdatedBy": "00ub0oNGTSWTBKOLGLNR",
      "conflictCriteria": {}
    }
  ],
  "metadata": {
    "total": 10
  }
}
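As an added example, not part of Okta's documentation or SDK, the Python below composes the filter, limit and after query string with the percent encoding this endpoint requires (colons left unencoded, matching the documented filter example) and walks the after cursor until a page comes back short, guarding against a repeated cursor. The HTTP call is injected as a callable so the logic runs offline against constructed pages; treating the id of the last returned rule as the next after value is an assumption drawn from the parameter description, and the constructed server ignores the filter it is given.

```python
"""Filter and paginate GET /governance/api/v1/risk-rules.

Added example, not Okta's code. The HTTP layer is a callable
fetch_page(query_string) -> parsed JSON, so it can be swapped for a real
client; make_constructed_fetch() stands in for the org for offline use.
"""
from urllib.parse import parse_qsl, quote

MAX_LIMIT = 200  # documented upper bound for limit


def resource_orn_filter(orn):
    """eq is the only documented operator for resourceOrn."""
    return f'resourceOrn eq "{orn}"'


def name_prefix_filter(prefix):
    """sw (starts with) is the only documented operator for name."""
    return f'name sw "{prefix}"'


def build_list_query(filter_expr=None, limit=20, after=None):
    """Percent-encode the query string; ':' is kept to match the page's example."""
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError(f"limit must be 1..{MAX_LIMIT}")
    parts = []
    if filter_expr:
        parts.append("filter=" + quote(filter_expr, safe=":"))
    parts.append(f"limit={limit}")
    if after:
        parts.append("after=" + quote(after, safe=""))
    return "&".join(parts)


def iter_rules(fetch_page, filter_expr=None, limit=20):
    """Yield every rule, following the after cursor until a short page arrives."""
    after = None
    seen_cursors = set()
    while True:
        page = fetch_page(build_list_query(filter_expr, limit, after))
        data = page.get("data", [])
        yield from data
        if len(data) < limit:
            return
        after = data[-1]["id"]  # assumption: cursor is the id of the last record returned
        if after in seen_cursors:
            raise RuntimeError("pagination cursor repeated; aborting to avoid an infinite loop")
        seen_cursors.add(after)


def make_constructed_fetch(total=5):
    """Constructed stand-in for the org: `total` ACTIVE rules on one resource ORN.

    The filter parameter is parsed but ignored; only limit/after drive paging.
    """
    orn = "orn:okta:idp:00o11edPwGqbUrsDm0g4:apps:salesforce:0oafxqCAJWWGELFTYASJ"
    rules = [
        {"id": f"rul{i:017d}", "name": f"Rule {i}", "type": "SEPARATION_OF_DUTIES",
         "status": "ACTIVE", "resources": [{"resourceOrn": orn}]}
        for i in range(total)
    ]

    def fetch_page(query_string):
        params = dict(parse_qsl(query_string))  # decodes the percent encoding
        start = 0
        if "after" in params:
            start = [r["id"] for r in rules].index(params["after"]) + 1
        lim = int(params["limit"])
        return {"data": rules[start:start + lim], "metadata": {"total": len(rules)}}

    return fetch_page


def rule_ids_for_resource(fetch_page, orn, limit=20):
    """Collect every rule id bound to one resource ORN across all pages."""
    return [r["id"] for r in iter_rules(fetch_page, resource_orn_filter(orn), limit)]


if __name__ == "__main__":
    fetch = make_constructed_fetch(5)
    print(build_list_query(resource_orn_filter("orn:okta:idp:00o11edPwGqbUrsDm0g4:apps:oidc:0oafxqCAJWWGELFTYASJ")))
    print(rule_ids_for_resource(fetch, "orn:okta:idp:00o11edPwGqbUrsDm0g4:apps:salesforce:0oafxqCAJWWGELFTYASJ", limit=2))
```

Because the filter is built from a quoted string, callers should pass a single ORN or name prefix rather than user-typed text, so the expression cannot be extended with a second clause; the repeated-cursor guard keeps an audit job from spinning if a server ever returns the same last id twice.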

Retrieve a risk rule
Beta
Admin roles:
  • Application Administrator
OAuth 2.0:
  • okta.governance.riskRule.read

Retrieves a risk rule

Request
path Parameters
ruleId
required
string

The id of the risk rule

Responses
200

Risk rule success response

400

A request failed validation

401

When authentication fails

403

When authorization fails

429

When the rate limit has been exceeded

500

When there is a server fault due to an unexpected error

GET /governance/api/v1/risk-rules/{ruleId}
Response samples
application/json
{
  "id": "rulb0oNGTSWTBKOLGLNR",
  "name": "Process and Approve Payment",
  "description": "Process and Approve Payment",
  "type": "SEPARATION_OF_DUTIES",
  "status": "ACTIVE",
  "resources": [
    {
      "resourceOrn": "orn:okta:idp:00o11edPwGqbUrsDm0g4:apps:salesforce:0oafxqCAJWWGELFTYASJ"
    }
  ],
  "lastUpdated": "2022-05-24T14:15:22Z",
  "createdBy": "00ub0oNGTSWTBKOLGLNR",
  "created": "2022-05-24T14:15:22Z",
  "lastUpdatedBy": "00ub0oNGTSWTBKOLGLNR",
  "conflictCriteria": {
    "and": [
      {},
      {}
    ]
  }
}

Replace a risk rule
Beta
Admin roles:
  • Application Administrator
OAuth 2.0:
  • okta.governance.riskRule.manage

Replaces a risk rule

Request
path Parameters
ruleId
required
string

The id of the risk rule

Request Body schema: application/json
required

The updatable attributes of a risk rule

id
required
string non-empty

Unique identifier for the object

conflictCriteria
object or null

Conflict criteria for the risk rule

description
string or null <= 1000 characters

Description of the risk rule

name
string or null [ 1 .. 255 ] characters

Name of the resource risk rule

notes
string or null <= 1000 characters

Additional information about the rule

Responses
200

Risk rule success response

400

A request failed validation

401

When authentication fails

403

When authorization fails

429

When the rate limit has been exceeded

500

When there is a server fault due to an unexpected error

PUT /governance/api/v1/risk-rules/{ruleId}
Request samples
application/json
{
  "id": "rulb0oNGTSWTBKOLGLNR",
  "name": "Process and Approve Payment",
  "notes": "Process and Approve Payment note",
  "description": "Process and Approve Payment",
  "conflictCriteria": {
    "and": [
      {},
      {}
    ]
  }
}
Response samples
application/json
{
  "id": "rulb0oNGTSWTBKOLGLNR",
  "name": "Process and Approve Payment",
  "description": "Process and Approve Payment",
  "type": "SEPARATION_OF_DUTIES",
  "status": "ACTIVE",
  "resources": [
    {
      "resourceOrn": "orn:okta:idp:00o11edPwGqbUrsDm0g4:apps:salesforce:0oafxqCAJWWGELFTYASJ"
    }
  ],
  "lastUpdated": "2022-05-24T14:15:22Z",
  "createdBy": "00ub0oNGTSWTBKOLGLNR",
  "created": "2022-05-24T14:15:22Z",
  "lastUpdatedBy": "00ub0oNGTSWTBKOLGLNR",
  "conflictCriteria": {
    "and": [
      {},
      {}
    ]
  }
}

Delete a risk rule
Beta
Admin roles:
  • Application Administrator
OAuth 2.0:
  • okta.governance.riskRule.manage

Deletes a risk rule

Request
path Parameters
ruleId
required
string

The id of the risk rule

Responses
204

Risk rule deleted successfully

400

A request failed validation

401

When authentication fails

403

When authorization fails

429

When the rate limit has been exceeded

500

When there is a server fault due to an unexpected error

DELETE /governance/api/v1/risk-rules/{ruleId}
Response samples
application/json
{
  "errorCode": "string",
  "errorId": "string",
  "errorSummary": "string",
  "errorLink": "string",
  "errorCauses": [
    {
      "errorSummary": "string",
      "reason": "string",
      "location": "string",
      "locationType": "string",
      "domain": "string"
    }
  ]
}