Security Policy

The Security Policy API provides operations to manage security policies for Okta Privileged Access teams. Security policies control which user groups can access resources and which methods they can use to connect. Security policy operations use several nested objects (principals, rules, conditions and privileges) to fully define a policy.


List all security policies
Admin roles:
  • security_admin

Lists all security policies

Security: bearerAuth

Request
path Parameters
  team_name (required, string): The name of your team

Responses
  200 OK

GET /v1/teams/{team_name}/security_policy

Response samples
application/json
{
  "list": [
    {}
  ]
}

Create a security policy
Admin roles:
  • security_admin

Creates a security policy

Security: bearerAuth

Request
path Parameters
  team_name (required, string): The name of your team

Request Body schema: application/json
  active (required, boolean)
    If true, indicates that the Security Policy is active.

  description (string)
    The description of the Security Policy.

  name (required, string)
    The name of the Security Policy.

  principals (required, object)
    The User Groups associated with the Security Policy. Can include multiple Groups.

    user_groups (Array of objects (NamedObject), <= 40 items)
      The User Groups associated with the Security Policy. Each User Group is defined in a separate object.

      id (string)
        The UUID of the object.

      missing (boolean)
        Boolean value determining whether the named object with the given id is valid or not.

  rules (required, Array of objects (SecurityPolicyRule), <= 30 items)
    The rules associated with the Security Policy. A Security Policy can set multiple rules that define the privileges available for matching resources.

    Array of objects (Conditions)
      The conditions required before a privilege is made available to the Principals. All conditions must be met.

    name (required, string)
      The name of the Security Policy rule.

    override_checkout_duration_in_seconds (integer or null, <int64>, [ 900 .. 86400 ])
      Overrides the checkout duration provided in the resource settings.

    Array of objects (Privileges), required
      The specific privileges granted to Principals on matching resources.

    any, required

    resource_type (required, string (SecurityPolicyRuleResourceType))
      The type of resource that Principals are granted privileges to access.
      Enum: "active_directory_based_resource" "managed_saas_app_based_resource" "okta_app_based_resource" "secret_based_resource" "server_based_resource" "unmanaged_saas_app_based_resource"

  type (string (SecurityPolicyType))
    The type of the policy. Determines which resource types are allowed in security policy rules.
      • 'default': Any valid resource type is allowed except 'okta_app_based_resource'
      • 'okta_service_account': Only the 'okta_app_based_resource' resource type is allowed. Only users with the Okta Super Admin role can create policies of this type.
    Enum: "default" "okta_service_account"

Responses
  200 OK

POST /v1/teams/{team_name}/security_policy

Request samples
application/json
{
  "name": "SecurityPolicy1",
  "description": "string",
  "active": true,
  "principals": {
    "user_groups": []
  },
  "rules": [
    {}
  ]
}

Response samples
application/json
{
  "id": "123-456-789",
  "name": "SecurityPolicy1",
  "description": "string",
  "active": true,
  "principals": {
    "user_groups": []
  },
  "rules": [
    {}
  ]
}

Retrieve a security policy
Admin roles:
  • security_admin

Retrieves the specified security policy.

Security: bearerAuth

Request
path Parameters
  team_name (required, string): The name of your team
  security_policy_id (required, string): The UUID of a security policy

Responses
  200 OK

GET /v1/teams/{team_name}/security_policy/{security_policy_id}

Response samples
application/json
{
  "id": "123-456-789",
  "name": "SecurityPolicy1",
  "description": "string",
  "active": true,
  "principals": {
    "user_groups": []
  },
  "rules": [
    {}
  ]
}

Update a security policy
Admin roles:
  • security_admin

Updates the specified security policy

Security: bearerAuth

Request
path Parameters
  team_name (required, string): The name of your team
  security_policy_id (required, string): The UUID of a security policy

Request Body schema: application/json
  active (required, boolean)
    If true, indicates that the Security Policy is active.

  description (string)
    The description of the Security Policy.

  name (required, string)
    The name of the Security Policy.

  principals (required, object)
    The User Groups associated with the Security Policy. Can include multiple Groups.

    user_groups (Array of objects (NamedObject), <= 40 items)
      The User Groups associated with the Security Policy. Each User Group is defined in a separate object.

      id (string)
        The UUID of the object.

      missing (boolean)
        Boolean value determining whether the named object with the given id is valid or not.

  rules (required, Array of objects (SecurityPolicyRule), <= 30 items)
    The rules associated with the Security Policy. A Security Policy can set multiple rules that define the privileges available for matching resources.

    Array of objects (Conditions)
      The conditions required before a privilege is made available to the Principals. All conditions must be met.

    name (required, string)
      The name of the Security Policy rule.

    override_checkout_duration_in_seconds (integer or null, <int64>, [ 900 .. 86400 ])
      Overrides the checkout duration provided in the resource settings.

    Array of objects (Privileges), required
      The specific privileges granted to Principals on matching resources.

    any, required

    resource_type (required, string (SecurityPolicyRuleResourceType))
      The type of resource that Principals are granted privileges to access.
      Enum: "active_directory_based_resource" "managed_saas_app_based_resource" "okta_app_based_resource" "secret_based_resource" "server_based_resource" "unmanaged_saas_app_based_resource"

  type (string (SecurityPolicyType))
    The type of the policy. Determines which resource types are allowed in security policy rules.
      • 'default': Any valid resource type is allowed except 'okta_app_based_resource'
      • 'okta_service_account': Only the 'okta_app_based_resource' resource type is allowed. Only users with the Okta Super Admin role can create policies of this type.
    Enum: "default" "okta_service_account"

Responses
  204 No Content

PUT /v1/teams/{team_name}/security_policy/{security_policy_id}

Request samples
application/json
{
  "id": "123-456-789",
  "name": "SecurityPolicy1",
  "description": "string",
  "active": true,
  "principals": {
    "user_groups": []
  },
  "rules": [
    {}
  ]
}
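Create and Update accept the same policy body, so one pre-flight check serves both. The following Python is an added example (not Okta's code) that validates a payload against the constraints documented above before it is sent: the array limits, the checkout range, the resource_type enum, and the rule that a policy's type restricts which resource types its rules may target. Treating an absent 'type' as 'default' is an assumption of this checker, and the sample policy is constructed.

```python
# Added example (not Okta's code): pre-flight checks for a security policy
# payload, using only the constraints stated in this reference.
RESOURCE_TYPES = {
    "active_directory_based_resource", "managed_saas_app_based_resource",
    "okta_app_based_resource", "secret_based_resource",
    "server_based_resource", "unmanaged_saas_app_based_resource"}
MAX_USER_GROUPS, MAX_RULES = 40, 30
CHECKOUT_MIN, CHECKOUT_MAX = 900, 86400


def validate_policy(policy: dict) -> list[str]:
    """Return the violations found (an empty list means the payload is acceptable)."""
    errors = []
    for key in ("name", "active", "principals", "rules"):
        if key not in policy:
            errors.append(f"missing required field '{key}'")
    groups = policy.get("principals", {}).get("user_groups", [])
    if len(groups) > MAX_USER_GROUPS:
        errors.append(f"user_groups has {len(groups)} items, max is {MAX_USER_GROUPS}")
    for g in groups:  # a group flagged 'missing' no longer resolves to a valid object
        if g.get("missing"):
            errors.append(f"user group {g.get('id')!r} is flagged missing")
    # Assumption: a payload without 'type' is treated as 'default' here.
    ptype = policy.get("type", "default")
    if ptype not in ("default", "okta_service_account"):
        errors.append(f"unknown policy type {ptype!r}")
    rules = policy.get("rules", [])
    if len(rules) > MAX_RULES:
        errors.append(f"rules has {len(rules)} items, max is {MAX_RULES}")
    for i, rule in enumerate(rules):
        rt = rule.get("resource_type")
        if rt not in RESOURCE_TYPES:
            errors.append(f"rules[{i}]: unknown resource_type {rt!r}")
        elif ptype == "default" and rt == "okta_app_based_resource":
            errors.append(f"rules[{i}]: 'default' policies cannot target okta_app_based_resource")
        elif ptype == "okta_service_account" and rt != "okta_app_based_resource":
            errors.append(f"rules[{i}]: 'okta_service_account' policies allow only okta_app_based_resource")
        dur = rule.get("override_checkout_duration_in_seconds")
        if dur is not None and not CHECKOUT_MIN <= dur <= CHECKOUT_MAX:
            errors.append(f"rules[{i}]: checkout override {dur}s is outside [{CHECKOUT_MIN}, {CHECKOUT_MAX}]")
    return errors


# Constructed sample: a 'default' policy whose second rule targets an Okta app.
SAMPLE_POLICY = {
    "name": "SecurityPolicy1", "active": True,
    "principals": {"user_groups": [{"id": "123-456-789", "missing": False}]},
    "rules": [
        {"name": "servers", "resource_type": "server_based_resource",
         "override_checkout_duration_in_seconds": 3600},
        {"name": "okta-app", "resource_type": "okta_app_based_resource"}]}
```

Running `validate_policy(SAMPLE_POLICY)` reports only the second rule, which a 'default' policy may not carry; the same checks apply unchanged to the PUT body.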

Delete a security policy
Admin roles:
  • security_admin

Deletes the specified security policy

Security: bearerAuth

Request
path Parameters
  team_name (required, string): The name of your team
  security_policy_id (required, string): The UUID of a security policy

Responses
  204 No Content

DELETE /v1/teams/{team_name}/security_policy/{security_policy_id}