Policies

The Okta Policy API enables an administrator to perform policy and policy rule operations. The policy framework is used by Okta to control rules and settings that govern many things:

  • user session lifetime
  • whether multi-factor authentication is required when signing in
  • what MFA factors may be employed
  • password complexity requirements
  • what types of self-service operations are permitted under various circumstances
  • which identity provider to route users to

Policy settings for a particular policy type, such as SIGN_ON policy, consist of one or more policy objects, each of which contains one or more policy rules. Policies and rules contain conditions that determine whether they are applicable to a particular user at a particular time.

Policy evaluation

When a policy needs to be retrieved for a particular user, for example when the user attempts to sign in to Okta, or when the user initiates a self-service operation, then a policy evaluation takes place. During policy evaluation each policy of the appropriate type is considered in turn, in the order indicated by the policy priority.

Each of the conditions associated with the policy is evaluated. If one or more of the conditions can't be met, then the next policy in the list is considered. If the conditions can be met, then each of the rules associated with the policy is considered in turn, in the order specified by the rule priority. Each of the conditions associated with a given rule is evaluated. If all of the conditions associated with a rule are met, then the settings contained in the rule, and in the associated policy, are applied to the user. If none of the policy rules have conditions that can be met, then the next policy in the list is considered.

Rule priority

Rules have a priority that governs the order in which they are considered during evaluation. The highest-priority rule has a priority of 1. For example, suppose a particular policy had two rules:

  • Rule A has priority 1 and applies to LDAP API scenarios.
  • Rule B has priority 2 and applies to ANYWHERE (network connection) scenarios.

If a request came in from the LDAP endpoint, the action in rule A is taken, and rule B isn't evaluated. This occurs because even though requests coming from anywhere match the ANYWHERE location condition of rule B, rule A has higher priority and is evaluated first.
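The evaluation order described in the two sections above, as an added example that is not Okta's code: policies are tried by ascending priority, a policy's own conditions gate its rules, rules are tried by ascending priority, and the first rule whose conditions all hold wins. The condition vocabulary (a `network` source such as `LDAP` or `ANYWHERE`, a `groups` membership test), the request fields and the policy names are constructed for illustration and are not Okta schema.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    priority: int      # 1 is the highest priority, as in the text
    conditions: dict   # constructed vocabulary: {"network": "LDAP"} or {"network": "ANYWHERE"}
    actions: dict      # settings applied when this rule matches


@dataclass
class Policy:
    name: str
    priority: int
    conditions: dict   # policy-level conditions, e.g. {"groups": {"Engineering"}}
    rules: list[Rule]
    settings: dict = field(default_factory=dict)


def condition_matches(conditions: dict, request: dict) -> bool:
    """True when every condition present is satisfied by the request context."""
    for key, expected in conditions.items():
        if key == "network":
            # ANYWHERE matches any connection source; anything else is an exact match
            if expected != "ANYWHERE" and request.get("network") != expected:
                return False
        elif key == "groups":
            # the user must belong to at least one of the listed groups
            if not expected & set(request.get("groups", ())):
                return False
        elif request.get(key) != expected:
            return False
    return True


def evaluate(policies: list[Policy], request: dict):
    """Walk policies by ascending priority; inside a matching policy walk its rules
    by ascending priority; the first rule whose conditions all hold wins and its
    actions are merged over the policy settings. None means nothing matched."""
    for policy in sorted(policies, key=lambda p: p.priority):
        if not condition_matches(policy.conditions, request):
            continue                      # policy conditions unmet: next policy
        for rule in sorted(policy.rules, key=lambda r: r.priority):
            if condition_matches(rule.conditions, request):
                return policy.name, rule.name, {**policy.settings, **rule.actions}
        # no rule of this policy matched: fall through to the next policy
    return None


# Constructed policies reproducing the Rule A / Rule B example from the text.
ENGINEERING = Policy(
    name="Engineering sign-on", priority=1,
    conditions={"groups": {"Engineering"}},
    settings={"maxSessionLifetimeMinutes": 720},
    rules=[
        Rule("Rule A", 1, {"network": "LDAP"}, {"requireFactor": False}),
        Rule("Rule B", 2, {"network": "ANYWHERE"}, {"requireFactor": True}),
    ],
)
DEFAULT = Policy(
    name="Default", priority=2, conditions={},
    rules=[Rule("Default rule", 1, {}, {"requireFactor": True})],
)


def decide(request: dict):
    # list order is irrelevant: evaluate() sorts by priority itself
    return evaluate([DEFAULT, ENGINEERING], request)


if __name__ == "__main__":
    for req in ({"groups": ["Engineering"], "network": "LDAP"},
                {"groups": ["Engineering"], "network": "WEB"},
                {"groups": ["Sales"], "network": "LDAP"}):
        print(req, "->", decide(req))
```

The LDAP request from an Engineering user stops at Rule A even though Rule B's ANYWHERE condition would also have matched; a Sales user fails the policy-level group condition and falls through to the Default policy without Rule A or Rule B ever being consulted.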

Default rules

Only the default policy contains a default rule. In Identity Engine, you can't delete default rules, but you can edit them, except for:

  • The properties maxSessionLifetimeMinutes and usePersistentCookie of the default global session policy's default rule, which are read-only.
  • The default rules on the authenticator enrollment policy and the identity provider routing policy, which are also read-only.

Policy limitations

Different policy types control settings for different operations. All policy types share a common framework, message structure, and API, but have different policy settings and rule data. Keep in mind the following policy-specific limitations.

Authentication policy

The authentication policy has the following limitations:

  • You can have a maximum of 5000 authentication policies in an org, and a maximum of 100 rules per policy. When you create an authentication policy, Okta also creates a default policy rule with the lowest priority, 99. The highest priority that you can set on an authentication policy rule is 0.
  • When you merge duplicate authentication policies, policy and mapping CRUD operations may be unavailable during the consolidation. When the consolidation is complete, you receive an email.

IdP discovery policy

The IdP discovery policy has the following limitations:

  • You can add up to 10 providers to a single IdP policy action.
  • You can define only one provider for the following IdP types: AgentlessDSSO, IWA, X509.
  • You can't define a provider if idpSelectionType is DYNAMIC.
  • You can't define a providerExpression if idpSelectionType is SPECIFIC.
  • If a user identifier condition is defined together with an OKTA provider, sign-in requests are handled by Okta exclusively.

Password policy

The password policy is enforced only for Okta and AD-sourced users. For AD-sourced users, ensure that your Active Directory policies don't conflict with the Okta policies.

User profile policy

The user profile policy has the following limitations:

  • You can't update or delete the required base attributes in the default user profile: email, firstName, or lastName.
  • You can have a maximum of 500 user profile policies in an org. A user profile policy can only have one rule associated with it. Adding more rules isn't allowed.

The default rule is required and is always the last rule in the priority order. If you add rules to the default policy, they have a higher priority than the default rule. The system object determines whether a rule is created by a system or by a user. The default rule is the only rule that has this attribute. See Configure multiple identifiers.

List all policies
OAuth 2.0: okta.policies.read

Lists all policies with the specified type

Request
query Parameters
type
required
string

Specifies the type of policy to return. The following policy types are available only with the Okta Identity Engine - ACCESS_POLICY, PROFILE_ENROLLMENT, POST_AUTH_SESSION, and ENTITY_RISK.

Enum: "OKTA_SIGN_ON" "PASSWORD" "MFA_ENROLL" "IDP_DISCOVERY" "ACCESS_POLICY" "PROFILE_ENROLLMENT" "POST_AUTH_SESSION" "ENTITY_RISK"
status
string

Refines the query by the status of the policy - ACTIVE or INACTIVE

q
string

Refines the query by policy name prefix (a startsWith match), passed in as q=string

expand
string
Default: ""
sortBy
string

Refines the query by sorting on the policy name in ascending order

limit
string

Defines the number of policies returned, see Pagination

resourceId
string

Reference to the associated authorization server

after
string

End page cursor for pagination, see Pagination

Responses
200

Success

403

Forbidden

429

Too Many Requests

get/api/v1/policies
Request samples
Response samples
application/json
{
  "type": "PASSWORD",
  "id": "policyId",
  "status": "ACTIVE",
  "name": "Policy name",
  "description": "Policy description",
  "priority": 1,
  "system": true,
  "created": "createdDate",
  "lastUpdated": "lastUpdated",
  "conditions": {
    "people": {},
    "authProvider": {}
  },
  "settings": {
    "password": {},
    "recovery": {},
    "delegation": {}
  },
  "_links": {}
}
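A paginated read of this endpoint, as an added example that is not Okta's SDK: it walks the `after` cursor until the last page and retries on the 429 response listed above. It assumes that the cursor for the next page arrives in a `Link` header with `rel="next"` and that a 429 carries an `X-Rate-Limit-Reset` epoch timestamp (the page only says "see Pagination", so both are assumptions about the transport, not facts from this page). The HTTP call is injected as a `transport` function so the constructed fake below can exercise the paging and retry paths offline; a real transport would send the bearer token obtained with the okta.policies.read scope.

```python
import re
import time
from typing import Callable, Optional
from urllib.parse import urlencode

NEXT_LINK = re.compile(r'<([^>]+)>;\s*rel="next"')


def next_link(headers: dict) -> Optional[str]:
    """Extract the rel="next" URL from a Link header, or None on the last page."""
    match = NEXT_LINK.search(headers.get("Link", ""))
    return match.group(1) if match else None


def list_policies(transport: Callable, base_url: str, policy_type: str, limit: int = 20,
                  max_retries: int = 3, sleep=time.sleep, now=time.time) -> list:
    """Collect every policy of `policy_type` across all pages.

    transport(url) -> (status, headers, json_body) performs the authenticated GET;
    `sleep`/`now` are injectable so the retry path can be exercised without waiting."""
    url = f"{base_url}/api/v1/policies?" + urlencode({"type": policy_type, "limit": limit})
    policies, retries = [], 0
    while url:
        status, headers, body = transport(url)
        if status == 429:
            # Too Many Requests: wait until the window resets, then retry the same URL
            if retries >= max_retries:
                raise RuntimeError(f"still rate limited after {max_retries} retries: {url}")
            retries += 1
            reset_at = float(headers.get("X-Rate-Limit-Reset", now() + 1))
            sleep(max(0.0, reset_at - now()))
            continue
        if status != 200:
            raise RuntimeError(f"GET {url} returned {status}: {body}")
        retries = 0
        policies.extend(body)
        url = next_link(headers)  # None once the last page has been read
    return policies


def evaluation_order(policies: list) -> list:
    """Policy names in the order Okta evaluates them (ascending priority)."""
    return [p["name"] for p in sorted(policies, key=lambda p: p["priority"])]


def make_fake_transport():
    """Constructed offline stand-in for the API: two pages of PASSWORD policies,
    with a single 429 returned before the second page is served."""
    page1 = [
        {"id": "00p_example_1", "type": "PASSWORD", "status": "ACTIVE",
         "name": "Default Policy", "priority": 2, "system": True},
        {"id": "00p_example_2", "type": "PASSWORD", "status": "ACTIVE",
         "name": "Contractors", "priority": 1, "system": False},
    ]
    page2 = [
        {"id": "00p_example_3", "type": "PASSWORD", "status": "INACTIVE",
         "name": "Service accounts", "priority": 3, "system": False},
    ]
    next_url = "https://example.okta.com/api/v1/policies?type=PASSWORD&limit=2&after=cursor1"
    state = {"throttled": False, "calls": []}

    def transport(url):
        state["calls"].append(url)
        if "after=" not in url:
            return 200, {"Link": f'<{url}>; rel="self", <{next_url}>; rel="next"'}, page1
        if not state["throttled"]:
            state["throttled"] = True   # first request for page 2 is throttled
            return 429, {"X-Rate-Limit-Reset": "0"}, {"errorSummary": "constructed throttle"}
        return 200, {"Link": f'<{url}>; rel="self"'}, page2

    return transport, state


def demo():
    transport, state = make_fake_transport()
    policies = list_policies(transport, "https://example.okta.com", "PASSWORD", limit=2,
                             sleep=lambda seconds: None, now=lambda: 0.0)
    return policies, state["calls"]


if __name__ == "__main__":
    found, calls = demo()
    print(len(calls), "requests;", "evaluation order:", evaluation_order(found))
```

Retrying the same URL after a 429 rather than skipping ahead is what keeps the listing complete; the retry counter resets after every successful page so a long listing is not cut short by throttling that is spread across pages.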

Create a policy
OAuth 2.0: okta.policies.manage

Creates a policy. There are many types of policies that you can create. See Policies for an overview of the types of policies available and links to more in-depth information.

Request
query Parameters
activate
boolean
Default: true

This query parameter is only valid for Classic Engine orgs.

Request Body schema: application/json
required
name
required
string

Name of the policy

type
required
string (PolicyType)

All Okta orgs contain only one IdP Discovery policy with an immutable default rule routing to your org's sign-in page, one Entity Risk policy, and one Post Auth Session policy. Creating or replacing a policy with the IDP_DISCOVERY type, the ENTITY_RISK type, or the POST_AUTH_SESSION type isn't supported. The following policy types are available with Identity Engine: ACCESS_POLICY, PROFILE_ENROLLMENT, POST_AUTH_SESSION, and ENTITY_RISK.

description
string
Default: null

Description of the policy

priority
integer
Default: "Last / Lowest Priority, for example `1`"

Specifies the order in which this policy is evaluated in relation to the other policies

status
string

Whether or not the policy is active. Use the activate query parameter to set the status of a policy.

Enum: "ACTIVE" "INACTIVE"
system
boolean
Default: false

Specifies whether Okta created the policy

conditions
string or null
Default: null

Policy conditions aren't supported. Conditions are applied at the rule level for this policy type.

Responses
200

Success

400

Bad Request

403

Forbidden

429

Too Many Requests

post/api/v1/policies
Request samples
application/json
{
  "description": null,
  "name": "string",
  "priority": "Last / Lowest Priority, for example `1`",
  "status": "ACTIVE",
  "system": false,
  "type": "ACCESS_POLICY",
  "conditions": null,
  "_embedded": {
    "resourceType": "string",
    "property1": {},
    "property2": {}
  }
}
Response samples
application/json
{
  "type": "PASSWORD",
  "id": "policyId",
  "status": "ACTIVE",
  "name": "Policy name",
  "description": "Policy description",
  "priority": 1,
  "system": true,
  "created": "createdDate",
  "lastUpdated": "lastUpdated",
  "conditions": {
    "people": {},
    "authProvider": {}
  },
  "settings": {
    "password": {},
    "recovery": {},
    "delegation": {}
  },
  "_links": {}
}

Create a policy simulation
Identity Engine
OAuth 2.0: okta.policies.read

Creates a policy or policy rule simulation. The access simulation evaluates policy and policy rules based on the existing policy rule configuration. The evaluation result simulates what the real-world authentication flow is and what policy rules have been applied or matched to the authentication flow.

Request
query Parameters
expand
string

Use expand=EVALUATED to include a list of evaluated but not matched policies and policy rules. Use expand=RULE to include details about why a rule condition wasn't matched.

Example: expand=EVALUATED
Request Body schema: application/json
required
Array
appInstance
required
string

The application instance ID for a simulate operation

object (PolicyContext)
required
object

The user ID for the simulate operation. Only user IDs or Group IDs are allowed, not both.

required
object

An array of Group IDs for the simulate operation. Only user IDs or Group IDs are allowed, not both.

object
ip
string

The network rule condition, zone, or IP address

object

The risk rule condition level

object

The zone ID under the network rule condition.

policyTypes
Array of strings (PolicyTypeSimulation)

Supported policy types for a simulate operation. The default value, null, returns all types.

Items Enum: "ACCESS_POLICY" "MFA_ENROLL" "OKTA_SIGN_ON" "PROFILE_ENROLLMENT"
Responses
200

Success

403

Forbidden

404

Not Found

429

Too Many Requests

post/api/v1/policies/simulate
Request samples
application/json
{
  "policyType": [
    "OKTA_SIGN_ON",
    "MFA_ENROLL"
  ],
  "appInstance": "0oa4eroj3nYCIJIW70g7",
  "policyContext": {
    "groups": {},
    "risk": {},
    "zones": {},
    "device": {}
  }
}
Response samples
application/json
{
  "evaluation": [
    {},
    {},
    {},
    {}
  ]
}

Retrieve a policy
OAuth 2.0: okta.policies.read

Retrieves a policy

Request
path Parameters
policyId
required
string

id of the Policy

Example: 00plrilJ7jZ66Gn0X0g3
query Parameters
expand
string
Default: ""
Responses
200

Success

403

Forbidden

404

Not Found

429

Too Many Requests

get/api/v1/policies/{policyId}
Request samples
Response samples
application/json
{
  "type": "PASSWORD",
  "id": "policyId",
  "status": "ACTIVE",
  "name": "Policy name",
  "description": "Policy description",
  "priority": 1,
  "system": true,
  "created": "createdDate",
  "lastUpdated": "lastUpdated",
  "conditions": {
    "people": {},
    "authProvider": {}
  },
  "settings": {
    "password": {},
    "recovery": {},
    "delegation": {}
  },
  "_links": {}
}

Replace a policy
OAuth 2.0: okta.policies.manage

Replaces the properties of a policy identified by policyId

Request
path Parameters
policyId
required
string

id of the Policy

Example: 00plrilJ7jZ66Gn0X0g3
Request Body schema: application/json
required
name
required
string

Name of the policy

type
required
string (PolicyType)

All Okta orgs contain only one IdP Discovery policy with an immutable default rule routing to your org's sign-in page, one Entity Risk policy, and one Post Auth Session policy. Creating or replacing a policy with the IDP_DISCOVERY type, the ENTITY_RISK type, or the POST_AUTH_SESSION type isn't supported. The following policy types are available with Identity Engine: ACCESS_POLICY, PROFILE_ENROLLMENT, POST_AUTH_SESSION, and ENTITY_RISK.

description
string
Default: null

Description of the policy

priority
integer
Default: "Last / Lowest Priority, for example `1`"

Specifies the order in which this policy is evaluated in relation to the other policies

status
string

Whether or not the policy is active. Use the activate query parameter to set the status of a policy.

Enum: "ACTIVE" "INACTIVE"
system
boolean
Default: false

Specifies whether Okta created the policy

conditions
string or null
Default: null

Policy conditions aren't supported. Conditions are applied at the rule level for this policy type.

Responses
200

Success

400

Bad Request

403

Forbidden

404

Not Found

429

Too Many Requests

put/api/v1/policies/{policyId}
Request samples
application/json
{
  "description": null,
  "name": "string",
  "priority": "Last / Lowest Priority, for example `1`",
  "status": "ACTIVE",
  "system": false,
  "type": "ACCESS_POLICY",
  "conditions": null,
  "_embedded": {
    "resourceType": "string",
    "property1": {},
    "property2": {}
  }
}
Response samples
application/json
{
  "type": "PASSWORD",
  "id": "policyId",
  "status": "ACTIVE",
  "name": "Policy name",
  "description": "Policy description",
  "priority": 1,
  "system": true,
  "created": "createdDate",
  "lastUpdated": "lastUpdated",
  "conditions": {
    "people": {},
    "authProvider": {}
  },
  "settings": {
    "password": {},
    "recovery": {},
    "delegation": {}
  },
  "_links": {}
}

Delete a policy
OAuth 2.0: okta.policies.manage

Deletes a policy

Request
path Parameters
policyId
required
string

id of the Policy

Example: 00plrilJ7jZ66Gn0X0g3
Responses
204

No Content

403

Forbidden

404

Not Found

429

Too Many Requests

delete/api/v1/policies/{policyId}
Request samples
Response samples
application/json
{
  "errorCode": "E0000006",
  "errorSummary": "You do not have permission to perform the requested action",
  "errorLink": "E0000006",
  "errorId": "sampleNUSD_8fdkFd8fs8SDBK",
  "errorCauses": []
}

List all apps mapped to a policy
OAuth 2.0: okta.policies.read
Deprecated

Lists all applications mapped to a policy identified by policyId

Note: Use List all resources mapped to a Policy to list all applications mapped to a policy.

Request
path Parameters
policyId
required
string

id of the Policy

Example: 00plrilJ7jZ66Gn0X0g3
Responses
200

Success

403

Forbidden

404

Not Found

429

Too Many Requests

get/api/v1/policies/{policyId}/app
Request samples
Response samples
application/json
[
  {
    "accessibility": {},
    "created": "2019-08-24T14:15:22Z",
    "features": [],
    "id": "string",
    "label": "string",
    "lastUpdated": "2019-08-24T14:15:22Z",
    "licensing": {},
    "orn": "string",
    "profile": {},
    "signOnMode": "AUTO_LOGIN",
    "status": "ACTIVE",
    "visibility": {},
    "_embedded": {},
    "_links": {}
  }
]

Clone an existing policy
Identity Engine
OAuth 2.0: okta.policies.manage

Clones an existing policy

Request
path Parameters
policyId
required
string

id of the Policy

Example: 00plrilJ7jZ66Gn0X0g3
Responses
200

Success

400

Bad Request

403

Forbidden

404

Not Found

429

Too Many Requests

post/api/v1/policies/{policyId}/clone
Request samples
Response samples
application/json
{
  "type": "PASSWORD",
  "id": "policyId",
  "status": "ACTIVE",
  "name": "Policy name",
  "description": "Policy description",
  "priority": 1,
  "system": true,
  "created": "createdDate",
  "lastUpdated": "lastUpdated",
  "conditions": {
    "people": {},
    "authProvider": {}
  },
  "settings": {
    "password": {},
    "recovery": {},
    "delegation": {}
  },
  "_links": {}
}

Activate a policy
OAuth 2.0: okta.policies.manage

Activates a policy

Request
path Parameters
policyId
required
string

id of the Policy

Example: 00plrilJ7jZ66Gn0X0g3
Responses
204

No Content

403

Forbidden

404

Not Found

429

Too Many Requests

post/api/v1/policies/{policyId}/lifecycle/activate
Request samples
Response samples
application/json
{
  "errorCode": "E0000006",
  "errorSummary": "You do not have permission to perform the requested action",
  "errorLink": "E0000006",
  "errorId": "sampleNUSD_8fdkFd8fs8SDBK",
  "errorCauses": []
}

Deactivate a policy
OAuth 2.0: okta.policies.manage

Deactivates a policy

Request
path Parameters
policyId
required
string

id of the Policy

Example: 00plrilJ7jZ66Gn0X0g3
Responses
204

No Content

403

Forbidden

404

Not Found

429

Too Many Requests

post/api/v1/policies/{policyId}/lifecycle/deactivate
Request samples
Response samples
application/json
{
  "errorCode": "E0000006",
  "errorSummary": "You do not have permission to perform the requested action",
  "errorLink": "E0000006",
  "errorId": "sampleNUSD_8fdkFd8fs8SDBK",
  "errorCauses": []
}

List all resources mapped to a policy
OAuth 2.0: okta.policies.read

Lists all resources mapped to a policy identified by policyId

Request
path Parameters
policyId
required
string

id of the Policy

Example: 00plrilJ7jZ66Gn0X0g3
Responses
200

Success

403

Forbidden

404

Not Found

429

Too Many Requests

get/api/v1/policies/{policyId}/mappings
Request samples
Response samples
application/json
[]

Map a resource to a policy
OAuth 2.0: okta.policies.manage

Maps a resource to a policy identified by policyId

Request
path Parameters
policyId
required
string

id of the Policy

Example: 00plrilJ7jZ66Gn0X0g3
Request Body schema: application/json
required
resourceId
string
resourceType
string (PolicyMappingResourceType)
Value: "APP"
Responses
200

Success

400

Bad Request

403

Forbidden

404

Not Found

429

Too Many Requests

post/api/v1/policies/{policyId}/mappings
Request samples
application/json
{
  "resourceId": "string",
  "resourceType": "APP"
}
Response samples
application/json
{}

Retrieve a policy resource mapping
OAuth 2.0: okta.policies.read

Retrieves a resource mapping for a policy identified by policyId and mappingId

Request
path Parameters
policyId
required
string

id of the Policy

Example: 00plrilJ7jZ66Gn0X0g3
mappingId
required
string

id of the policy resource Mapping

Example: maplr2rLjZ6NsGn1P0g3
Responses
200

Success

403

Forbidden

404

Not Found

429

Too Many Requests

get/api/v1/policies/{policyId}/mappings/{mappingId}
Request samples
Response samples
application/json
{}

Delete a policy resource mapping
OAuth 2.0: okta.policies.manage

Deletes the resource mapping for a policy identified by policyId and mappingId

Request
path Parameters
policyId
required
string

id of the Policy

Example: 00plrilJ7jZ66Gn0X0g3
mappingId
required
string

id of the policy resource Mapping

Example: maplr2rLjZ6NsGn1P0g3
Responses
204

No Content

403

Forbidden

404

Not Found

429

Too Many Requests

delete/api/v1/policies/{policyId}/mappings/{mappingId}
Request samples
Response samples
application/json
{
  "errorCode": "E0000006",
  "errorSummary": "You do not have permission to perform the requested action",
  "errorLink": "E0000006",
  "errorId": "sampleNUSD_8fdkFd8fs8SDBK",
  "errorCauses": []
}

List all policy rules
OAuth 2.0: okta.policies.read

Lists all policy rules

Request
path Parameters
policyId
required
string

id of the Policy

Example: 00plrilJ7jZ66Gn0X0g3
query Parameters
limit
string

Defines the number of policy rules returned. See Pagination.

Responses
200

Success

403

Forbidden

404

Not Found

429

Too Many Requests

get/api/v1/policies/{policyId}/rules
Request samples
Response samples
application/json
[
  {
    "id": "0prh1sd28q5sXGW08697",
    "status": "ACTIVE",
    "name": "Test rule",
    "priority": 0,
    "created": "2024-04-25T17:35:02.000Z",
    "lastUpdated": "2024-04-25T17:35:02.000Z",
    "system": false,
    "conditions": {},
    "actions": {},
    "_links": {},
    "type": "SIGN_ON"
  }
]

Create a policy rule
OAuth 2.0: okta.policies.manage

Creates a policy rule

Note: You can't create additional rules for the PROFILE_ENROLLMENT or POST_AUTH_SESSION policies.

Request
path Parameters
policyId
required
string

id of the Policy

Example: 00plrilJ7jZ66Gn0X0g3
query Parameters
limit
string

Defines the number of policy rules returned. See Pagination.

activate
boolean
Default: true

Set this parameter to false to create an INACTIVE rule.

Request Body schema: application/json
required
name
string

Name of the rule

priority
integer or null

Priority of the rule

status
string

Whether or not the rule is active. Use the activate query parameter to set the status of a rule.

Enum: "ACTIVE" "INACTIVE"
system
boolean
Default: false

Specifies whether Okta created the policy rule (system=true). You can't delete policy rules that have system set to true.

type
string (PolicyRuleType)

Rule type

object (AccessPolicyRuleActions)

Specifies actions to be taken, or operations that may be allowed, if the rule conditions are satisfied.

object (AccessPolicyRuleApplicationSignOn)

Specifies the results when a user attempts to sign in

access
string (AccessPolicyRuleApplicationSignOnAccess)
Enum: "ALLOW" "DENY"
object (VerificationMethod)

Describes the method for verifying the user. The supported method types are ASSURANCE and AUTH_METHOD_CHAIN.

The method type AUTH_METHOD_CHAIN is an Early Access (Self-Service) feature. You can enable the feature for your org from the Settings > Features page in the Admin Console.

object (AccessPolicyRuleConditions)

Specifies conditions that must be met during policy evaluation to apply the rule. All policy conditions, as well as conditions for at least one rule must be met to apply the settings specified in the policy and the associated rule.

object (DeviceAccessPolicyRuleCondition)

Specifies the device condition to match on

object (DevicePolicyRuleConditionAssurance)

Specifies device assurance policies in the policy rule

managed
boolean

Indicates if the device is managed. A device is considered managed if it's part of a device management system.

registered
boolean

Indicates if the device is registered. A device is registered if the user enrolls with Okta Verify that's installed on the device. When the managed property is passed, you must also include the registered property and set it to true.

object (AccessPolicyRuleCustomCondition)

Specifies Okta Expression Language expressions

condition
required
string

expression to match

object (PolicyNetworkCondition)

Specifies a network selection mode and a set of network zones to be included or excluded. If the connection parameter's data type is ZONE, one of the include or exclude arrays is required. Specific zone IDs to include or exclude are enumerated in the respective arrays.

connection
string (PolicyNetworkConnection)

Network selection mode

Enum: "ANYWHERE" "ZONE"
exclude
Array of strings

The zones to exclude. Required only if connection data type is ZONE

include
Array of strings

The zones to include. Required only if connection data type is ZONE

object (PolicyPeopleCondition)

Identifies users and groups that are used together

required
object (GroupCondition)

Specifies a set of groups whose users are to be included or excluded

required
object (UserCondition)

Specifies a set of users to be included or excluded

object (PlatformPolicyRuleCondition)

Specifies a particular platform or device to match on

Array of objects (PlatformConditionEvaluatorPlatform)
Array of objects (PlatformConditionEvaluatorPlatform)
object (RiskScorePolicyRuleCondition)

Specifies a particular level of risk to match on

level
required
string

The level to match

Enum: "ANY" "LOW" "MEDIUM" "HIGH"
object (UserTypeCondition)

Specifies which user types to include and/or exclude

exclude
required
Array of strings

The user types to exclude

include
required
Array of strings

The user types to include

Responses
200

Success

400

Bad Request

403

Forbidden

404

Not Found

429

Too Many Requests

post/api/v1/policies/{policyId}/rules
Request samples
application/json
{
  "name": "SSPR Rule",
  "priority": 1,
  "status": "ACTIVE",
  "conditions": {
    "people": {},
    "network": {}
  },
  "actions": {
    "passwordChange": {},
    "selfServicePasswordReset": {},
    "selfServiceUnlock": {}
  },
  "system": false,
  "type": "PASSWORD"
}
Response samples
application/json
{}
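A pre-flight check for an access policy rule body before it is sent to this endpoint, plus a review pass over rules already in an org, as an added example that is not Okta's code. It encodes the constraints the request body schema above states: `connection` must be ANYWHERE or ZONE and a ZONE connection needs an `include` or `exclude` list, `managed` requires `registered` set to true, `level` is one of ANY/LOW/MEDIUM/HIGH, and `access` is ALLOW or DENY. The JSON property names `conditions.network`, `conditions.people`, `conditions.device`, `conditions.riskScore`, `actions.appSignOn.access` and `actions.appSignOn.verificationMethod` are taken from the Okta access-policy rule format and are an assumption here, since the page shows the schema object names but not every property key; the sample rules are constructed.

```python
VALID_CONNECTIONS = {"ANYWHERE", "ZONE"}
VALID_RISK_LEVELS = {"ANY", "LOW", "MEDIUM", "HIGH"}
VALID_ACCESS = {"ALLOW", "DENY"}
VALID_STATUS = {"ACTIVE", "INACTIVE"}


def validate_rule(rule: dict) -> list:
    """Return the schema constraints that `rule` violates (an empty list means it passes)."""
    problems = []
    status = rule.get("status")
    if status is not None and status not in VALID_STATUS:
        problems.append(f"status must be ACTIVE or INACTIVE, got {status!r}")
    conditions = rule.get("conditions") or {}

    network = conditions.get("network")   # assumed key for PolicyNetworkCondition
    if network is not None:
        connection = network.get("connection")
        if connection not in VALID_CONNECTIONS:
            problems.append(f"network.connection must be ANYWHERE or ZONE, got {connection!r}")
        elif connection == "ZONE" and not (network.get("include") or network.get("exclude")):
            problems.append("network.connection is ZONE but neither include nor exclude lists a zone")

    device = conditions.get("device")     # assumed key for DeviceAccessPolicyRuleCondition
    if device is not None and "managed" in device and device.get("registered") is not True:
        problems.append("device.managed is present, so device.registered must be present and true")

    risk = conditions.get("riskScore")    # assumed key for RiskScorePolicyRuleCondition
    if risk is not None and risk.get("level") not in VALID_RISK_LEVELS:
        problems.append(f"riskScore.level must be one of {sorted(VALID_RISK_LEVELS)}, got {risk.get('level')!r}")

    sign_on = (rule.get("actions") or {}).get("appSignOn") or {}   # assumed key
    if "access" in sign_on and sign_on["access"] not in VALID_ACCESS:
        problems.append(f"appSignOn.access must be ALLOW or DENY, got {sign_on['access']!r}")
    return problems


def weak_allow_rules(rules: list) -> list:
    """Names of ACTIVE rules that ALLOW sign-on regardless of network and without any
    verification method: the rules a reviewer should read first."""
    weak = []
    for rule in rules:
        if rule.get("status") != "ACTIVE":
            continue
        sign_on = (rule.get("actions") or {}).get("appSignOn") or {}
        if sign_on.get("access") != "ALLOW":
            continue
        network = (rule.get("conditions") or {}).get("network") or {}
        # a missing network condition constrains nothing, so treat it like ANYWHERE
        anywhere = network.get("connection", "ANYWHERE") == "ANYWHERE"
        if anywhere and not sign_on.get("verificationMethod"):
            weak.append(rule["name"])
    return weak


# Constructed sample rules; the catch-all mirrors the system default rule the page
# describes (lowest priority, system=true, cannot be deleted).
SAMPLE_RULES = [
    {"name": "Managed devices", "priority": 0, "status": "ACTIVE", "system": False,
     "conditions": {"network": {"connection": "ANYWHERE"},
                    "device": {"managed": True, "registered": True}},
     "actions": {"appSignOn": {"access": "ALLOW",
                               "verificationMethod": {"type": "ASSURANCE"}}}},
    {"name": "Legacy allow", "priority": 1, "status": "ACTIVE", "system": False,
     "conditions": {"network": {"connection": "ANYWHERE"}},
     "actions": {"appSignOn": {"access": "ALLOW"}}},
    {"name": "Catch-all", "priority": 99, "status": "ACTIVE", "system": True,
     "conditions": {}, "actions": {"appSignOn": {"access": "DENY"}}},
]

# Constructed body that breaks three of the stated constraints at once.
BAD_RULE = {"name": "Office only", "status": "ACTIVE",
            "conditions": {"network": {"connection": "ZONE"},
                           "device": {"managed": True},
                           "riskScore": {"level": "CRITICAL"}},
            "actions": {"appSignOn": {"access": "ALLOW"}}}


def review(rules: list) -> dict:
    """Per-rule schema problems plus the list of weak ALLOW rules."""
    return {"problems": {r["name"]: validate_rule(r) for r in rules},
            "weak_allow": weak_allow_rules(rules)}


if __name__ == "__main__":
    print(review(SAMPLE_RULES + [BAD_RULE]))
```

Running `validate_rule` locally before the POST turns a 400 Bad Request into a readable list, and `weak_allow_rules` over the output of List all policy rules surfaces the rule that grants access from anywhere with no assurance requirement, which in this sample sits at priority 1 and therefore shadows the catch-all DENY for everyone who is not on a managed device.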

Retrieve a policy rule
OAuth 2.0: okta.policies.read

Retrieves a policy rule

Request
path Parameters
policyId
required
string

id of the Policy

Example: 00plrilJ7jZ66Gn0X0g3
ruleId
required
string

id of the policy rule

Example: ruld3hJ7jZh4fn0st0g3
Responses
200

Success

403

Forbidden

404

Not Found

429

Too Many Requests

get/api/v1/policies/{policyId}/rules/{ruleId}
Request samples
Response samples
application/json
{
  "id": "ruleId",
  "name": "SSPR Rule",
  "priority": 1,
  "status": "ACTIVE",
  "conditions": {
    "people": {},
    "network": {}
  },
  "actions": {
    "passwordChange": {},
    "selfServicePasswordReset": {},
    "selfServiceUnlock": {}
  },
  "system": false,
  "type": "PASSWORD"
}

Replace a policy rule
OAuth 2.0: okta.policies.manage

Replaces the properties for a policy rule identified by policyId and ruleId

Request
path Parameters
policyId
required
string

id of the Policy

Example: 00plrilJ7jZ66Gn0X0g3
ruleId
required
string

id of the policy rule

Example: ruld3hJ7jZh4fn0st0g3
Request Body schema: application/json
required
name
string

Name of the rule

priority
integer or null

Priority of the rule

status
string

Whether or not the rule is active. Use the activate query parameter to set the status of a rule.

Enum: "ACTIVE" "INACTIVE"
system
boolean
Default: false

Specifies whether Okta created the policy rule (system=true). You can't delete policy rules that have system set to true.

type
string (PolicyRuleType)

Rule type

object (AccessPolicyRuleActions)

Specifies actions to be taken, or operations that may be allowed, if the rule conditions are satisfied.

object (AccessPolicyRuleApplicationSignOn)

Specifies the results when a user attempts to sign in

access
string (AccessPolicyRuleApplicationSignOnAccess)
Enum: "ALLOW" "DENY"
object (VerificationMethod)

Describes the method for verifying the user. The supported method types are ASSURANCE and AUTH_METHOD_CHAIN.

The method type AUTH_METHOD_CHAIN is an Early Access (Self-Service) feature. You can enable the feature for your org from the Settings > Features page in the Admin Console.

object (AccessPolicyRuleConditions)

Specifies conditions that must be met during policy evaluation to apply the rule. All policy conditions, as well as conditions for at least one rule must be met to apply the settings specified in the policy and the associated rule.

object (DeviceAccessPolicyRuleCondition)

Specifies the device condition to match on

object (DevicePolicyRuleConditionAssurance)

Specifies device assurance policies in the policy rule

managed
boolean

Indicates if the device is managed. A device is considered managed if it's part of a device management system.

registered
boolean

Indicates if the device is registered. A device is registered if the user enrolls with Okta Verify that's installed on the device. When the managed property is passed, you must also include the registered property and set it to true.

object (AccessPolicyRuleCustomCondition)

Specifies Okta Expression Language expressions

condition
required
string

expression to match

object (PolicyNetworkCondition)

Specifies a network selection mode and a set of network zones to be included or excluded. If the connection parameter's data type is ZONE, one of the include or exclude arrays is required. Specific zone IDs to include or exclude are enumerated in the respective arrays.

connection
string (PolicyNetworkConnection)

Network selection mode

Enum: "ANYWHERE" "ZONE"
exclude
Array of strings

The zones to exclude. Required only if connection data type is ZONE

include
Array of strings

The zones to include. Required only if connection data type is ZONE

object (PolicyPeopleCondition)

Identifies users and groups that are used together

required
object (GroupCondition)

Specifies a set of groups whose users are to be included or excluded

required
object (UserCondition)

Specifies a set of users to be included or excluded

object (PlatformPolicyRuleCondition)

Specifies a particular platform or device to match on

Array of objects (PlatformConditionEvaluatorPlatform)
Array of objects (PlatformConditionEvaluatorPlatform)
object (RiskScorePolicyRuleCondition)

Specifies a particular level of risk to match on

level
required
string

The level to match

Enum: "ANY" "LOW" "MEDIUM" "HIGH"
object (UserTypeCondition)

Specifies which user types to include and/or exclude

exclude
required
Array of strings

The user types to exclude

include
required
Array of strings

The user types to include

Responses
200

Success

400

Bad Request

403

Forbidden

404

Not Found

429

Too Many Requests

put/api/v1/policies/{policyId}/rules/{ruleId}
Request samples
application/json
{
  "id": "ruleId",
  "name": "SSPR Rule",
  "priority": 1,
  "status": "ACTIVE",
  "conditions": {
    "people": {},
    "network": {}
  },
  "actions": {
    "passwordChange": {},
    "selfServicePasswordReset": {},
    "selfServiceUnlock": {}
  },
  "system": false,
  "type": "PASSWORD"
}
Response samples
application/json
{}

Delete a policy rule
OAuth 2.0: okta.policies.manage

Deletes a policy rule identified by policyId and ruleId

Request
path Parameters
policyId
required
string

id of the Policy

Example: 00plrilJ7jZ66Gn0X0g3
ruleId
required
string

id of the policy rule

Example: ruld3hJ7jZh4fn0st0g3
Responses
204

No Content

403

Forbidden

404

Not Found

429

Too Many Requests

delete/api/v1/policies/{policyId}/rules/{ruleId}
Request samples
Response samples
application/json
{
  "errorCode": "E0000006",
  "errorSummary": "You do not have permission to perform the requested action",
  "errorLink": "E0000006",
  "errorId": "sampleNUSD_8fdkFd8fs8SDBK",
  "errorCauses": []
}

Activate a policy rule
OAuth 2.0: okta.policies.manage

Activates a policy rule identified by policyId and ruleId

Request
path Parameters
policyId
required
string

id of the Policy

Example: 00plrilJ7jZ66Gn0X0g3
ruleId
required
string

id of the policy rule

Example: ruld3hJ7jZh4fn0st0g3
Responses
204

No Content

403

Forbidden

404

Not Found

429

Too Many Requests

post/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/activate
Request samples
Response samples
application/json
{
  "errorCode": "E0000006",
  "errorSummary": "You do not have permission to perform the requested action",
  "errorLink": "E0000006",
  "errorId": "sampleNUSD_8fdkFd8fs8SDBK",
  "errorCauses": []
}

Deactivate a policy rule
OAuth 2.0: okta.policies.manage

Deactivates a policy rule identified by policyId and ruleId

Request
path Parameters
policyId
required
string

id of the Policy

Example: 00plrilJ7jZ66Gn0X0g3
ruleId
required
string

id of the policy rule

Example: ruld3hJ7jZh4fn0st0g3
Responses
204

No Content

403

Forbidden

404

Not Found

429

Too Many Requests

post/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate
Request samples
Response samples
application/json
{
  "errorCode": "E0000006",
  "errorSummary": "You do not have permission to perform the requested action",
  "errorLink": "E0000006",
  "errorId": "sampleNUSD_8fdkFd8fs8SDBK",
  "errorCauses": []
}