Policies

The Okta Policy API enables an Administrator to perform Policy and Policy Rule operations. The Policy framework is used by Okta to control Rules and settings that govern, among other things, user session lifetime, whether multi-factor authentication is required when logging in, what MFA factors may be employed, password complexity requirements, what types of self-service operations are permitted under various circumstances, and what identity provider to route users to.

Policy settings for a particular Policy type, such as Sign On Policy, consist of one or more Policy objects, each of which contains one or more Policy Rules. Policies and Rules contain conditions that determine whether they are applicable to a particular user at a particular time.

List all Policies
OAuth 2.0: okta.policies.read

Lists all policies with the specified type

Request
query Parameters
type
required
string

Specifies the type of policy to return. The following policy types are available only with the Okta Identity Engine - ACCESS_POLICY, PROFILE_ENROLLMENT, POST_AUTH_SESSION, and ENTITY_RISK. The POST_AUTH_SESSION and ENTITY_RISK policy types are in . Contact your Okta account team to enable these features.

Enum: "OKTA_SIGN_ON" "PASSWORD" "MFA_ENROLL" "IDP_DISCOVERY" "ACCESS_POLICY" "PROFILE_ENROLLMENT" "POST_AUTH_SESSION" "ENTITY_RISK"
status
string

Refines the query by the status of the policy - ACTIVE or INACTIVE

q
string

Refines the query by policy name prefix (startWith method) passed in as q=string

expand
string
Default: ""
sortBy
string

Refines the query by sorting on the policy name in ascending order

limit
string

Defines the number of policies returned, see Pagination

resourceId
string

Reference to the associated authorization server

after
string

End page cursor for pagination, see Pagination

Responses
200

Success

403

Forbidden

429

Too Many Requests

get/api/v1/policies
Request samples 
Response samples 
application/json
[
  • {
    • "created": "Assigned",
    • "description": null,
    • "id": "Assigned",
    • "lastUpdated": "Assigned",
    • "name": "string",
    • "priority": "Last / Lowest Priority, for example `1`",
    • "status": "ACTIVE",
    • "system": false,
    • "type": "ACCESS_POLICY",
    • "_embedded": {
      },
    • "_links": {
      }
    }
]
Create a Policy
OAuth 2.0: okta.policies.manage
Creates a policy. There are many types of policies that you can create. See Policies for an overview of the types of policies available and then links to more indepth information.


Request 
query Parameters
activate
boolean
 Default:  true
This query parameter is only valid for Classic Engine orgs.


 
Request Body schema: application/json
required
name
required
string
Name of the Policy


 
type
required
string (PolicyType) 
All Okta orgs contain only one IdP Discovery Policy with an immutable default Rule routing to your org's sign-in page. 
Creating or replacing a policy with the IDP_DISCOVERY type isn't supported. The following policy types are available with
Identity Engine: ACCESS_POLICY, PROFILE_ENROLLMENT, POST_AUTH_SESSION, and ENTITY_RISK. The POST_AUTH_SESSION, and ENTITY_RISK 
policy types are in . Contact your Okta account team to enable these features.


 
description
string
 Default:  null
Description of the Policy


 
priority
integer
 Default:  "Last / Lowest Priority, for example `1`"
Specifies the order in which this Policy is evaluated in relation to the other policies


 
status
string (LifecycleStatus) 
 Enum: "ACTIVE" "INACTIVE"  
system
boolean
 Default:  false
Specifies whether Okta created the Policy


 
conditions
string or null
 Default:  null
Policy conditions aren't supported. Conditions are applied at the rule level for this policy type.


 
Responses 
200
Success


400
Bad Request


403
Forbidden


429
Too Many Requests


post/api/v1/policies
Request samples 
application/json
{
  • "description": null,
  • "name": "string",
  • "priority": "Last / Lowest Priority, for example `1`",
  • "status": "ACTIVE",
  • "system": false,
  • "type": "ACCESS_POLICY",
  • "conditions": null
}
Response samples 
application/json
{
  • "created": "Assigned",
  • "description": null,
  • "id": "Assigned",
  • "lastUpdated": "Assigned",
  • "name": "string",
  • "priority": "Last / Lowest Priority, for example `1`",
  • "status": "ACTIVE",
  • "system": false,
  • "type": "ACCESS_POLICY",
  • "_embedded": {
    • "property1": { },
    • "property2": { }
    },
  • "_links": {
    • "activate": {
      },
    • "deactivate": {
      },
    • "mappings": {
      },
    • "rules": {
      },
    • "self": {
      }
    },
  • "conditions": null
}
Create a Policy Simulation
Identity Engine
OAuth 2.0: okta.policies.read
Creates a policy or policy rule simulation. The access simulation evaluates policy and policy rules based on the existing policy rule configuration.
The evaluation result simulates what the real-world authentication flow is and what policy rules have been applied or matched to the authentication flow.


Request 
query Parameters
expand
string
Use expand=EVALUATED to include a list of evaluated but not matched policies and policy rules. Use expand=RULE to include details about why a rule condition wasn't matched.


 
 Example:  expand=EVALUATED
Request Body schema: application/json
required
 Array 
appInstance
required
string
The application instance ID for a simulate operation


 
object (PolicyContext) 
 
required
object
The user ID for the simulate operation. Only user IDs or Group IDs are allowed, not both.


 
required
object
An array of Group IDs for the simulate operation. Only user IDs or Group IDs are allowed, not both.


 
object
 
ip
string
The network rule condition, zone, or IP address


 
object
The risk rule condition level


 
object
The zone ID under the network rule condition.


 
policyTypes
Array of strings (PolicyTypeSimulation) 
Supported policy types for a simulate operation. The default value, null, returns all types.


Items Enum: "ACCESS_POLICY" "MFA_ENROLL" "OKTA_SIGN_ON" "PROFILE_ENROLLMENT"  
Responses 
200
Success


403
Forbidden


404
Not Found


429
Too Many Requests


post/api/v1/policies/simulate
Request samples 
application/json
Simulate policy request body


{
  • "policyType": [
    • "OKTA_SIGN_ON",
    • "MFA_ENROLL"
    ],
  • "appInstance": "0oa4eroj3nYCIJIW70g7",
  • "policyContext": {
    • "groups": {
      },
    • "risk": {
      },
    • "zones": {
      },
    • "device": {
      }
    }
}
Response samples 
application/json
Simulate policy response body


{
  • "evaluation": [
    • {
      },
    • {
      },
    • {
      },
    • {
      }
    ]
}
Retrieve a Policy
OAuth 2.0: okta.policies.read
Retrieves a policy


Request 
path Parameters
policyId
required
string
id of the Policy


 
 Example:  00plrilJ7jZ66Gn0X0g3
query Parameters
expand
string
 Default:  ""
 
Responses 
200
Success


403
Forbidden


404
Not Found


429
Too Many Requests


get/api/v1/policies/{policyId}
Request samples 
Response samples 
application/json
{
  • "created": "Assigned",
  • "description": null,
  • "id": "Assigned",
  • "lastUpdated": "Assigned",
  • "name": "string",
  • "priority": "Last / Lowest Priority, for example `1`",
  • "status": "ACTIVE",
  • "system": false,
  • "type": "ACCESS_POLICY",
  • "_embedded": {
    • "property1": { },
    • "property2": { }
    },
  • "_links": {
    • "activate": {
      },
    • "deactivate": {
      },
    • "mappings": {
      },
    • "rules": {
      },
    • "self": {
      }
    },
  • "conditions": null
}
Replace a Policy
OAuth 2.0: okta.policies.manage
Replaces the properties of a Policy identified by policyId


Request 
path Parameters
policyId
required
string
id of the Policy


 
 Example:  00plrilJ7jZ66Gn0X0g3
Request Body schema: application/json
required
name
required
string
Name of the Policy


 
type
required
string (PolicyType) 
All Okta orgs contain only one IdP Discovery Policy with an immutable default Rule routing to your org's sign-in page. 
Creating or replacing a policy with the IDP_DISCOVERY type isn't supported. The following policy types are available with
Identity Engine: ACCESS_POLICY, PROFILE_ENROLLMENT, POST_AUTH_SESSION, and ENTITY_RISK. The POST_AUTH_SESSION, and ENTITY_RISK 
policy types are in . Contact your Okta account team to enable these features.


 
description
string
 Default:  null
Description of the Policy


 
priority
integer
 Default:  "Last / Lowest Priority, for example `1`"
Specifies the order in which this Policy is evaluated in relation to the other policies


 
status
string (LifecycleStatus) 
 Enum: "ACTIVE" "INACTIVE"  
system
boolean
 Default:  false
Specifies whether Okta created the Policy


 
conditions
string or null
 Default:  null
Policy conditions aren't supported. Conditions are applied at the rule level for this policy type.


 
Responses 
200
Success


400
Bad Request


403
Forbidden


404
Not Found


429
Too Many Requests


put/api/v1/policies/{policyId}
Request samples 
application/json
{
  • "description": null,
  • "name": "string",
  • "priority": "Last / Lowest Priority, for example `1`",
  • "status": "ACTIVE",
  • "system": false,
  • "type": "ACCESS_POLICY",
  • "conditions": null
}
Response samples 
application/json
{
  • "created": "Assigned",
  • "description": null,
  • "id": "Assigned",
  • "lastUpdated": "Assigned",
  • "name": "string",
  • "priority": "Last / Lowest Priority, for example `1`",
  • "status": "ACTIVE",
  • "system": false,
  • "type": "ACCESS_POLICY",
  • "_embedded": {
    • "property1": { },
    • "property2": { }
    },
  • "_links": {
    • "activate": {
      },
    • "deactivate": {
      },
    • "mappings": {
      },
    • "rules": {
      },
    • "self": {
      }
    },
  • "conditions": null
}
Delete a Policy
OAuth 2.0: okta.policies.manage
Deletes a policy


Request 
path Parameters
policyId
required
string
id of the Policy


 
 Example:  00plrilJ7jZ66Gn0X0g3
Responses 
204
No Content


403
Forbidden


404
Not Found


429
Too Many Requests


delete/api/v1/policies/{policyId}
Request samples 
Response samples 
application/json
{
  • "errorCode": "E0000006",
  • "errorSummary": "You do not have permission to perform the requested action",
  • "errorLink": "E0000006",
  • "errorId": "sampleNUSD_8fdkFd8fs8SDBK",
  • "errorCauses": [ ]
}
List all Applications mapped to a Policy
OAuth 2.0: okta.policies.read
Deprecated
Lists all applications mapped to a policy identified by policyId




Note: Use List all resources mapped to a Policy to list all applications mapped to a policy.




Request 
path Parameters
policyId
required
string
id of the Policy


 
 Example:  00plrilJ7jZ66Gn0X0g3
Responses 
200
Success


403
Forbidden


404
Not Found


429
Too Many Requests


get/api/v1/policies/{policyId}/app
Request samples 
Response samples 
application/json
[
  • {
    • "accessibility": {
      },
    • "created": "2019-08-24T14:15:22Z",
    • "features": [
      ],
    • "id": "string",
    • "label": "string",
    • "lastUpdated": "2019-08-24T14:15:22Z",
    • "licensing": {
      },
    • "profile": { },
    • "signOnMode": "AUTO_LOGIN",
    • "status": "ACTIVE",
    • "visibility": {
      },
    • "_embedded": {
      },
    • "_links": {
      }
    }
]
Clone an existing Policy
Identity Engine
OAuth 2.0: okta.policies.manage
Clones an existing policy


Request 
path Parameters
policyId
required
string
id of the Policy


 
 Example:  00plrilJ7jZ66Gn0X0g3
Responses 
200
Success


400
Bad Request


403
Forbidden


404
Not Found


429
Too Many Requests


post/api/v1/policies/{policyId}/clone
Request samples 
Response samples 
application/json
{
  • "created": "Assigned",
  • "description": null,
  • "id": "Assigned",
  • "lastUpdated": "Assigned",
  • "name": "string",
  • "priority": "Last / Lowest Priority, for example `1`",
  • "status": "ACTIVE",
  • "system": false,
  • "type": "ACCESS_POLICY",
  • "_embedded": {
    • "property1": { },
    • "property2": { }
    },
  • "_links": {
    • "activate": {
      },
    • "deactivate": {
      },
    • "mappings": {
      },
    • "rules": {
      },
    • "self": {
      }
    },
  • "conditions": null
}
Activate a Policy
OAuth 2.0: okta.policies.manage
Activates a policy


Request 
path Parameters
policyId
required
string
id of the Policy


 
 Example:  00plrilJ7jZ66Gn0X0g3
Responses 
204
No Content


403
Forbidden


404
Not Found


429
Too Many Requests


post/api/v1/policies/{policyId}/lifecycle/activate
Request samples 
Response samples 
application/json
{
  • "errorCode": "E0000006",
  • "errorSummary": "You do not have permission to perform the requested action",
  • "errorLink": "E0000006",
  • "errorId": "sampleNUSD_8fdkFd8fs8SDBK",
  • "errorCauses": [ ]
}
Deactivate a Policy
OAuth 2.0: okta.policies.manage
Deactivates a policy


Request 
path Parameters
policyId
required
string
id of the Policy


 
 Example:  00plrilJ7jZ66Gn0X0g3
Responses 
204
No Content


403
Forbidden


404
Not Found


429
Too Many Requests


post/api/v1/policies/{policyId}/lifecycle/deactivate
Request samples 
Response samples 
application/json
{
  • "errorCode": "E0000006",
  • "errorSummary": "You do not have permission to perform the requested action",
  • "errorLink": "E0000006",
  • "errorId": "sampleNUSD_8fdkFd8fs8SDBK",
  • "errorCauses": [ ]
}
List all resources mapped to a Policy
OAuth 2.0: okta.policies.read
Lists all resources mapped to a Policy identified by policyId


Request 
path Parameters
policyId
required
string
id of the Policy


 
 Example:  00plrilJ7jZ66Gn0X0g3
Responses 
200
Success


403
Forbidden


404
Not Found


429
Too Many Requests


get/api/v1/policies/{policyId}/mappings
Request samples 
Response samples 
application/json
[
  • {
    • "id": "string",
    • "_links": {
      }
    }
]
Map a resource to a Policy
OAuth 2.0: okta.policies.manage
Maps a resource to a Policy identified by policyId


Request 
path Parameters
policyId
required
string
id of the Policy


 
 Example:  00plrilJ7jZ66Gn0X0g3
Request Body schema: application/json
required
resourceId
string
 
resourceType
string (PolicyMappingResourceType) 
 Value: "APP"  
Responses 
200
Success


400
Bad Request


403
Forbidden


404
Not Found


429
Too Many Requests


post/api/v1/policies/{policyId}/mappings
Request samples 
application/json
{
  • "resourceId": "string",
  • "resourceType": "APP"
}
Response samples 
application/json
{
  • "id": "string",
  • "_links": {
    • "self": {
      },
    • "application": {
      },
    • "policy": {
      }
    }
}
Retrieve a policy resource Mapping
OAuth 2.0: okta.policies.read
Retrieves a resource Mapping for a Policy identified by policyId and mappingId


Request 
path Parameters
policyId
required
string
id of the Policy


 
 Example:  00plrilJ7jZ66Gn0X0g3
mappingId
required
string
id of the policy resource Mapping


 
 Example:  maplr2rLjZ6NsGn1P0g3
Responses 
200
Success


403
Forbidden


404
Not Found


429
Too Many Requests


get/api/v1/policies/{policyId}/mappings/{mappingId}
Request samples 
Response samples 
application/json
{
  • "id": "string",
  • "_links": {
    • "self": {
      },
    • "application": {
      },
    • "policy": {
      }
    }
}
Delete a policy resource Mapping
OAuth 2.0: okta.policies.manage
Deletes the resource Mapping for a Policy identified by  policyId and mappingId


Request 
path Parameters
policyId
required
string
id of the Policy


 
 Example:  00plrilJ7jZ66Gn0X0g3
mappingId
required
string
id of the policy resource Mapping


 
 Example:  maplr2rLjZ6NsGn1P0g3
Responses 
204
No Content


403
Forbidden


404
Not Found


429
Too Many Requests


delete/api/v1/policies/{policyId}/mappings/{mappingId}
Request samples 
Response samples 
application/json
{
  • "errorCode": "E0000006",
  • "errorSummary": "You do not have permission to perform the requested action",
  • "errorLink": "E0000006",
  • "errorId": "sampleNUSD_8fdkFd8fs8SDBK",
  • "errorCauses": [ ]
}
List all Policy Rules
OAuth 2.0: okta.policies.read
Lists all policy rules


Request 
path Parameters
policyId
required
string
id of the Policy


 
 Example:  00plrilJ7jZ66Gn0X0g3
query Parameters
limit
string
Defines the number of policy rules returned. See Pagination.


 
Responses 
200
Success


403
Forbidden


404
Not Found


429
Too Many Requests


get/api/v1/policies/{policyId}/rules
Request samples 
Response samples 
application/json
List all policy rules response (Sign-on policy)


[
  • {
    • "id": "0prh1sd28q5sXGW08697",
    • "status": "ACTIVE",
    • "name": "Test Sign-on policy",
    • "priority": 0,
    • "created": "2024-04-25T17:35:02.000Z",
    • "lastUpdated": "2024-04-25T17:35:02.000Z",
    • "system": false,
    • "conditions": {
      },
    • "actions": {
      },
    • "_links": {},
    • "type": "SIGN_ON"
    }
]
Create a Policy Rule
OAuth 2.0: okta.policies.manage
Creates a policy rule




Note: You can't create additional rules for the PROFILE_ENROLLMENT or POST_AUTH_SESSION policies.




Request 
path Parameters
policyId
required
string
id of the Policy


 
 Example:  00plrilJ7jZ66Gn0X0g3
query Parameters
limit
string
Defines the number of policy rules returned. See Pagination.


 
activate
boolean
 Default:  true
Set this parameter to false to create an INACTIVE rule.


 
Request Body schema: application/json
required
id
string
Identifier for the rule


 
name
string
Name of the rule


 
priority
integer
Priority of the rule


 
status
string (LifecycleStatus) 
 Enum: "ACTIVE" "INACTIVE"  
system
boolean
 Default:  false
Specifies whether Okta created the Policy Rule (system=true). You can't delete Policy Rules that have system set to true.


 
type
string (PolicyRuleType) 
Rule type


 
object (AccessPolicyRuleActions) 
 
object (AccessPolicyRuleApplicationSignOn) 
 
access
string (AccessPolicyRuleApplicationSignOnAccess) 
 Enum: "ALLOW" "DENY"  
object (VerificationMethod) 
Describes the method for verifying the user. The supported method types are ASSURANCE and AUTH_METHOD_CHAIN.


  The method type AUTH_METHOD_CHAIN is an Early Access (Self-Service) feature. You can 
enable the feature for your org from the Settings > Features page in the Admin Console.


 
object (AccessPolicyRuleConditions) 
 
object (DeviceAccessPolicyRuleCondition) 
 Specifies the device condition to match on


 
object (DevicePolicyRuleConditionAssurance) 
 
managed
boolean
Indicates if the device is managed. A device is considered managed if it's part of a device management system.


 
registered
boolean
Indicates if the device is registered. A device is registered if the User enrolls with Okta Verify that's installed on the device.
When the managed property is passed, you must also include the registered property and set it to true.


 
object (AccessPolicyRuleCustomCondition) 
 
condition
required
string
expression to match


 
object (PolicyNetworkCondition) 
 
connection
string (PolicyNetworkConnection) 
Network selection mode


 Enum: "ANYWHERE" "ZONE"  
exclude
Array of strings
The zones to exclude. Required only if connection data type is ZONE


 
include
Array of strings
The zones to include. Required only if connection data type is ZONE


 
object (PolicyPeopleCondition) 
Identifies Users and Groups that are used together


 
required
object (GroupCondition) 
Specifies a set of Groups whose Users are to be included or excluded


 
required
object (UserCondition) 
Specifies a set of Users to be included or excluded


 
object (PlatformPolicyRuleCondition) 
 
Array of objects (PlatformConditionEvaluatorPlatform) 
 
Array of objects (PlatformConditionEvaluatorPlatform) 
 
object (RiskScorePolicyRuleCondition) 
Specifies a particular level of risk to match on


 
level
required
string
The level to match


 Enum: "ANY" "LOW" "MEDIUM" "HIGH"  
object (UserTypeCondition) 
 Specifies which User Types to include and/or exclude


 
exclude
required
Array of strings
The User Types to exclude


 
include
required
Array of strings
The User Types to include


 
Responses 
200
Success


400
Bad Request


403
Forbidden


404
Not Found


429
Too Many Requests


post/api/v1/policies/{policyId}/rules
Request samples 
application/json
This password policy permits self-service password change, reset, and unlock. Phone SMS and Okta Verify push are the initial authenticators, and the secondary authentication is a security question.


{
  • "name": "SSPR Rule",
  • "priority": 1,
  • "status": "ACTIVE",
  • "conditions": {
    • "people": {
      },
    • "network": {
      }
    },
  • "actions": {
    • "passwordChange": {
      },
    • "selfServicePasswordReset": {
      },
    • "selfServiceUnlock": {
      }
    },
  • "system": false,
  • "type": "PASSWORD"
}
Response samples 
application/json
{}
Retrieve a Policy Rule
OAuth 2.0: okta.policies.read
Retrieves a policy rule


Request 
path Parameters
policyId
required
string
id of the Policy


 
 Example:  00plrilJ7jZ66Gn0X0g3
ruleId
required
string
id of the Policy Rule


 
 Example:  ruld3hJ7jZh4fn0st0g3
Responses 
200
Success


403
Forbidden


404
Not Found


429
Too Many Requests


get/api/v1/policies/{policyId}/rules/{ruleId}
Request samples 
Response samples 
application/json
This password policy permits self-service password change, reset, and unlock. Phone SMS and Okta Verify push are initial authenticators, and the secondary authentication is a security question.


{
  • "id": "ruleId",
  • "name": "SSPR Rule",
  • "priority": 1,
  • "status": "ACTIVE",
  • "conditions": {
    • "people": {
      },
    • "network": {
      }
    },
  • "actions": {
    • "passwordChange": {
      },
    • "selfServicePasswordReset": {
      },
    • "selfServiceUnlock": {
      }
    },
  • "system": false,
  • "type": "PASSWORD"
}
Replace a Policy Rule
OAuth 2.0: okta.policies.manage
Replaces the properties for a Policy Rule identified by policyId and ruleId


Request 
path Parameters
policyId
required
string
id of the Policy


 
 Example:  00plrilJ7jZ66Gn0X0g3
ruleId
required
string
id of the Policy Rule


 
 Example:  ruld3hJ7jZh4fn0st0g3
Request Body schema: application/json
required
id
string
Identifier for the rule


 
name
string
Name of the rule


 
priority
integer
Priority of the rule


 
status
string (LifecycleStatus) 
 Enum: "ACTIVE" "INACTIVE"  
system
boolean
 Default:  false
Specifies whether Okta created the Policy Rule (system=true). You can't delete Policy Rules that have system set to true.


 
type
string (PolicyRuleType) 
Rule type


 
object (AccessPolicyRuleActions) 
 
object (AccessPolicyRuleApplicationSignOn) 
 
access
string (AccessPolicyRuleApplicationSignOnAccess) 
 Enum: "ALLOW" "DENY"  
object (VerificationMethod) 
Describes the method for verifying the user. The supported method types are ASSURANCE and AUTH_METHOD_CHAIN.


  The method type AUTH_METHOD_CHAIN is an Early Access (Self-Service) feature. You can 
enable the feature for your org from the Settings > Features page in the Admin Console.


 
object (AccessPolicyRuleConditions) 
 
object (DeviceAccessPolicyRuleCondition) 
 Specifies the device condition to match on


 
object (DevicePolicyRuleConditionAssurance) 
 
managed
boolean
Indicates if the device is managed. A device is considered managed if it's part of a device management system.


 
registered
boolean
Indicates if the device is registered. A device is registered if the User enrolls with Okta Verify that's installed on the device.
When the managed property is passed, you must also include the registered property and set it to true.


 
object (AccessPolicyRuleCustomCondition) 
 
condition
required
string
expression to match


 
object (PolicyNetworkCondition) 
 
connection
string (PolicyNetworkConnection) 
Network selection mode


 Enum: "ANYWHERE" "ZONE"  
exclude
Array of strings
The zones to exclude. Required only if connection data type is ZONE


 
include
Array of strings
The zones to include. Required only if connection data type is ZONE


 
object (PolicyPeopleCondition) 
Identifies Users and Groups that are used together


 
required
object (GroupCondition) 
Specifies a set of Groups whose Users are to be included or excluded


 
required
object (UserCondition) 
Specifies a set of Users to be included or excluded


 
object (PlatformPolicyRuleCondition) 
 
Array of objects (PlatformConditionEvaluatorPlatform) 
 
Array of objects (PlatformConditionEvaluatorPlatform) 
 
object (RiskScorePolicyRuleCondition) 
Specifies a particular level of risk to match on


 
level
required
string
The level to match


 Enum: "ANY" "LOW" "MEDIUM" "HIGH"  
object (UserTypeCondition) 
 Specifies which User Types to include and/or exclude


 
exclude
required
Array of strings
The User Types to exclude


 
include
required
Array of strings
The User Types to include


 
Responses 
200
Success


400
Bad Request


403
Forbidden


404
Not Found


429
Too Many Requests


put/api/v1/policies/{policyId}/rules/{ruleId}
Request samples 
application/json
This password policy permits self-service password change, reset, and unlock. Phone SMS and Okta Verify push are initial authenticators, and the secondary authentication is a security question.


{
  • "id": "ruleId",
  • "name": "SSPR Rule",
  • "priority": 1,
  • "status": "ACTIVE",
  • "conditions": {
    • "people": {
      },
    • "network": {
      }
    },
  • "actions": {
    • "passwordChange": {
      },
    • "selfServicePasswordReset": {
      },
    • "selfServiceUnlock": {
      }
    },
  • "system": false,
  • "type": "PASSWORD"
}
Response samples 
application/json
{}
Delete a Policy Rule
OAuth 2.0: okta.policies.manage
Deletes a Policy Rule identified by policyId and ruleId


Request 
path Parameters
policyId
required
string
id of the Policy


 
 Example:  00plrilJ7jZ66Gn0X0g3
ruleId
required
string
id of the Policy Rule


 
 Example:  ruld3hJ7jZh4fn0st0g3
Responses 
204
No Content


403
Forbidden


404
Not Found


429
Too Many Requests


delete/api/v1/policies/{policyId}/rules/{ruleId}
Request samples 
Response samples 
application/json
{
  • "errorCode": "E0000006",
  • "errorSummary": "You do not have permission to perform the requested action",
  • "errorLink": "E0000006",
  • "errorId": "sampleNUSD_8fdkFd8fs8SDBK",
  • "errorCauses": [ ]
}
Activate a Policy Rule
OAuth 2.0: okta.policies.manage
Activates a Policy Rule identified by policyId and ruleId


Request 
path Parameters
policyId
required
string
id of the Policy


 
 Example:  00plrilJ7jZ66Gn0X0g3
ruleId
required
string
id of the Policy Rule


 
 Example:  ruld3hJ7jZh4fn0st0g3
Responses 
204
No Content


403
Forbidden


404
Not Found


429
Too Many Requests


post/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/activate
Request samples 
Response samples 
application/json
{
  • "errorCode": "E0000006",
  • "errorSummary": "You do not have permission to perform the requested action",
  • "errorLink": "E0000006",
  • "errorId": "sampleNUSD_8fdkFd8fs8SDBK",
  • "errorCauses": [ ]
}
Deactivate a Policy Rule
OAuth 2.0: okta.policies.manage
Deactivates a Policy Rule identified by policyId and ruleId


Request 
path Parameters
policyId
required
string
id of the Policy


 
 Example:  00plrilJ7jZ66Gn0X0g3
ruleId
required
string
id of the Policy Rule


 
 Example:  ruld3hJ7jZh4fn0st0g3
Responses 
204
No Content


403
Forbidden


404
Not Found


429
Too Many Requests


post/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate
Request samples 
Response samples 
application/json
{
  • "errorCode": "E0000006",
  • "errorSummary": "You do not have permission to perform the requested action",
  • "errorLink": "E0000006",
  • "errorId": "sampleNUSD_8fdkFd8fs8SDBK",
  • "errorCauses": [ ]
}