Groups

An OPA Group is a collection of Users that share permissions and access to Resources.

See Groups.

List all Groups for a Team

Lists all Groups for your Team

This endpoint requires one of the following roles: pam_admin, resource_admin, delegated_resource_admin, security_admin.

Security: bearerAuth

Request

Path parameters
team_name (string, required): The name of your Team

Query parameters
contains (string): Only return results that include the specified value
count (integer <int32>): The number of objects per page
descending (boolean): The object order
id (string): Only return results with the specified IDs
ignore (string): Ignore Groups with the specified names. This is case sensitive.
include_deleted (boolean): If true, include deleted Groups in the results
offset (string): The offset value for pagination. The rel="next" and rel="prev" Link headers define the offset for subsequent or previous pages.
only_include_deleted (boolean): If true, only return deleted Groups in the results
prev (boolean): The direction of paging

Responses
200 OK

GET /v1/teams/{team_name}/groups

Response sample (application/json)
{
  "list": [
    {
    },
    {
    }
  ]
}
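
The offset pagination described above, worked as an added example (not part of this reference or the product's own code): the loop follows the rel="next" Link header until it disappears, then reports which Groups hold admin roles. The fetch transport, the opa.example host, the sample pages, and the assumption that list entries have the Group shape shown in the Retrieve a Group response are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, quote, urlsplit

# Admin roles from the GroupCreateRole enum on this page.
ADMIN_ROLES = {"pam_admin", "resource_admin", "security_admin"}
_LINK = re.compile(r'<([^>]*)>\s*;\s*rel="?(\w+)"?')

def next_offset(link_header):
    """Return the offset carried by the rel="next" link, or None on the last page."""
    for url, rel in _LINK.findall(link_header or ""):
        if rel == "next":
            values = parse_qs(urlsplit(url).query).get("offset")
            return values[0] if values else None
    return None

def iter_groups(fetch, team_name, count=100):
    """Yield every Group of a Team. fetch(path, params) -> (json_body, headers) is a
    hypothetical transport supplied by the caller; it adds the bearer token."""
    path = "/v1/teams/%s/groups" % quote(team_name, safe="")
    params, seen = {"count": count}, set()
    while True:
        body, headers = fetch(path, dict(params))
        yield from body.get("list", [])
        offset = next_offset(headers.get("Link"))
        if offset is None or offset in seen:  # last page, or a repeated offset
            return
        seen.add(offset)
        params["offset"] = offset

def admin_groups(groups):
    """Map Group name -> sorted admin roles, skipping Groups that hold none."""
    found = {}
    for group in groups:
        roles = sorted(ADMIN_ROLES.intersection(group.get("roles", [])))
        if roles:
            found[group["name"]] = roles
    return found

# Constructed two-page reply keyed by the offset the client sends (assumed shapes).
_PAGES = {
    None: ({"list": [{"name": "compsons", "roles": ["pam_admin", "resource_admin"]}]},
           {"Link": '<https://opa.example/v1/teams/t/groups?count=1&offset=abc>; rel="next"'}),
    "abc": ({"list": [{"name": "readers", "roles": ["end_user"]}]}, {}),
}

def fake_fetch(path, params):
    return _PAGES[params.get("offset")]
```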

Create a Group

Creates a Group for your Team. Groups allow you to assign RBAC roles to users and manage user access to Resource Groups and Projects. To assign the delegated_resource_admin role, you need to add the Group to the delegated_resource_admin_groups list for a specific Resource Group. See Resource Groups.

This endpoint requires the following role: pam_admin.

Security: bearerAuth

Request

Path parameters
team_name (string, required): The name of your Team

Request Body schema: application/json
name (string [ 1 .. 255 ] characters, required): The name of the Group
roles (Array of strings (GroupCreateRole), required): The roles assigned to the Group. Items Enum: "pam_admin" "resource_admin" "security_admin"

Responses
201 Created

POST /v1/teams/{team_name}/groups

Request sample (application/json)
{
  "deleted_at": null,
  "id": "",
  "name": "compsons",
  "roles": [
    "pam_admin",
    "resource_admin"
  ]
}

Response sample (application/json)
{
  "deleted_at": "0001-01-01T00:00:00Z",
  "id": "b5a346c5-bafa-40eb-bb9f-401c0f57db36",
  "name": "compsons",
  "roles": [
    "pam_admin",
    "resource_admin"
  ]
}

Retrieve a Group

Retrieves a specified Group

This endpoint requires one of the following roles: pam_admin, resource_admin, delegated_resource_admin, security_admin.

Security: bearerAuth

Request

Path parameters
team_name (string, required): The name of your Team
group_name (string, required): The name of a Group

Responses
200 OK

GET /v1/teams/{team_name}/groups/{group_name}

Response sample (application/json)
{
  "deleted_at": "0001-01-01T00:00:00Z",
  "id": "b5a346c5-bafa-40eb-bb9f-401c0f57db36",
  "name": "compsons",
  "roles": [
    "pam_admin",
    "resource_admin"
  ]
}

Update a Group

Updates the access privileges of the specified Group. To assign the delegated_resource_admin role, you need to add the Group to the delegated_resource_admin_groups list for a specific Resource Group. See Resource Groups.

This endpoint requires the following role: pam_admin.

Security: bearerAuth

Request

Path parameters
team_name (string, required): The name of your Team
group_name (string, required): The name of a Group

Request Body schema: application/json (required)
roles (Array of strings (GroupUpdateRole), required): The roles assigned to the Group. Items Enum: "end_user" "pam_admin" "resource_admin" "security_admin"

Responses
204 No Content

PUT /v1/teams/{team_name}/groups/{group_name}

Request sample (application/json)
{
  "roles": [
    "pam_admin",
    "resource_admin"
  ]
}

Delete a Group from a Team

Removes a Group from your Team. This also removes the Group from any associated Projects.

This endpoint requires the following role: pam_admin.

Security: bearerAuth

Request

Path parameters
team_name (string, required): The name of your Team
group_name (string, required): The name of a Group

Responses
204 No Content

DELETE /v1/teams/{team_name}/groups/{group_name}

List all Users for a Group

Lists all Users in a specified Group

This endpoint requires one of the following roles: pam_admin, resource_admin, delegated_resource_admin, security_admin.

Security: bearerAuth

Request

Path parameters
team_name (string, required): The name of your Team
group_name (string, required): The name of a Group

Query parameters
contains (string): Only return results that include the specified value
count (integer <int32>): The number of objects per page
descending (boolean): The object order
offset (string): The offset value for pagination. The rel="next" and rel="prev" Link headers define the offset for subsequent or previous pages.
prev (boolean): The direction of paging
starts_with (string): Only return Users with a name that begins with the specified value
status (string): Only return Users with the specified status. Valid statuses: ACTIVE, DISABLED, and DELETED.
user_type (string): Only return Users of the specified type. Valid types: human and service.

Responses
200 OK

GET /v1/teams/{team_name}/groups/{group_name}/users

Response sample (application/json)
{
  "list": [
    {
    }
  ]
}

Add a User to a Group

Adds a User to a Group

This endpoint requires the following role: pam_admin.

Security: bearerAuth

Request

Path parameters
team_name (string, required): The name of your Team
group_name (string, required): The name of a Group

Request Body schema: application/json (required)
name (string [ 1 .. 255 ] characters): The username of the User

Responses
204 No Content

POST /v1/teams/{team_name}/groups/{group_name}/users

Request sample (application/json)
{
  "name": "Jason.Compson.IV"
}

Remove a User from a Group

Removes a User from a Group

This endpoint requires the following role: pam_admin.

Security: bearerAuth

Request

Path parameters
team_name (string, required): The name of your Team
group_name (string, required): The name of a Group
user_name (string, required): The username for an existing User

Responses
204 No Content

DELETE /v1/teams/{team_name}/groups/{group_name}/users/{user_name}