Entitlements

End of Sale Announcement

Effective May 1, 2026, Okta will no longer sell or renew Advanced Server Access. Existing customers must migrate to Okta Privileged Access within one year of their next scheduled renewal date to maintain service. Read the FAQ | Learn about Okta Privileged Access

List all sudo Entitlements
Admin roles:
  • access_admin

Lists all sudo Entitlements for your Team

SecuritybearerAuth
Request
path Parameters
team_name
required
string

The name of your Team

query Parameters
offset
string

The UUID of an object used as an offset for pagination

count
integer <int32>

Controls the number of objects listed per page

descending
boolean

If 'true', the most recent results are listed first

prev
boolean

Controls the direction of paging

Responses
200

OK

get/v1/teams/{team_name}/entitlements/sudo
Request samples 
Response samples 
application/json
{
  • "list": [
    • {
      }
    ]
}
Create a sudo Entitlement
Admin roles: 
  • access_admin
Creates a sudo Entitlement that allows a Group to run specific commands as sudo


SecuritybearerAuth 
Request 
path Parameters
team_name
required
string
The name of your Team


 
Request Body schema: application/json
required
add_env
Array of strings or null <regex> 
A list of environment variables to include when running Entitlement commands. See the sudo documentation.


 
description
string or null  <= 255 characters 
A description of the Entitlement


 
name
required
string <regex>   [ 1 .. 255 ] characters ^[\w\-_.]+$
The name of the Entitlement


 
opt_no_exec
boolean or null
Whether to allow commands to execute child processes


 
opt_no_passwd
boolean or null
Whether to require a password when sudo is run. This should generally not be used as Users don't require a password.


 
opt_run_as
string or null <regex>   [ 1 .. 64 ] characters ^([%]{0,1})((([#])(\d+))|([\w\-_.]+)|((?i)[A-...
A non-root user account used to run the command


 
opt_set_env
boolean or null
Whether to allow overriding environment variables to commands


 
Array of objects or null
A list of commands to allow


 
 Array 
(any (object or null)) or (none (object or null)) or (custom (object or null))
 
(directory (object or null)) or (executable (object or null)) or (raw (object or null))
 
raw (object) or directory (object) or executable (object)
 
command_type
string
 
sub_env
Array of strings or null <regex> 
A list of environment variables to ignore when running Entitlement commands. See the sudo documentation.


 
Responses 
201
Created


post/v1/teams/{team_name}/entitlements/sudo
Request samples 
application/json
{
  • "add_env": [ ],
  • "commands": null,
  • "created_at": "0001-01-01T00:00:00Z",
  • "description": "desc",
  • "id": "226a1963-a1c8-4316-bb4d-da48f2e7652a",
  • "name": "name",
  • "opt_no_exec": false,
  • "opt_no_passwd": true,
  • "opt_run_as": "",
  • "opt_set_env": false,
  • "structured_commands": [
    • {
      },
    • {
      }
    ],
  • "sub_env": [ ],
  • "updated_at": "0001-01-01T00:00:00Z"
}
Response samples 
application/json
{
  • "add_env": [ ],
  • "commands": null,
  • "created_at": "2018-04-07T00:00:00Z",
  • "description": "desc",
  • "id": "226a1963-a1c8-4316-bb4d-da48f2e7652a",
  • "name": "name",
  • "opt_no_exec": false,
  • "opt_no_passwd": true,
  • "opt_run_as": "",
  • "opt_set_env": false,
  • "structured_commands": [
    • {
      },
    • {
      }
    ],
  • "sub_env": [ ],
  • "updated_at": "2018-04-07T00:00:00Z"
}
Retrieve a sudo Entitlement
Admin roles: 
  • access_admin
Retrieves the specified sudo Entitlement


SecuritybearerAuth 
Request 
path Parameters
team_name
required
string
The name of your Team


 
sudo_id
required
string
The UUID of the Sudo Entitlement


 
Responses 
200
OK


get/v1/teams/{team_name}/entitlements/sudo/{sudo_id}
Request samples 
Response samples 
application/json
{
  • "add_env": [ ],
  • "commands": null,
  • "created_at": "2018-04-07T00:00:00Z",
  • "description": "desc",
  • "id": "226a1963-a1c8-4316-bb4d-da48f2e7652a",
  • "name": "name",
  • "opt_no_exec": false,
  • "opt_no_passwd": true,
  • "opt_run_as": "",
  • "opt_set_env": false,
  • "structured_commands": [
    • {
      },
    • {
      }
    ],
  • "sub_env": [ ],
  • "updated_at": "2018-04-07T00:00:00Z"
}
Update a sudo Entitlement
Admin roles: 
  • access_admin
Updates the specified sudo Entitlement


SecuritybearerAuth 
Request 
path Parameters
team_name
required
string
The name of your Team


 
sudo_id
required
string
The UUID of the Sudo Entitlement


 
Request Body schema: application/json
required
add_env
Array of strings or null <regex> 
A list of environment variables to include when running Entitlement commands. See the sudo documentation.


 
description
string or null  <= 255 characters 
A description of the Entitlement


 
name
required
string <regex>   [ 1 .. 255 ] characters ^[\w\-_.]+$
The name of the Entitlement


 
opt_no_exec
boolean or null
Whether to allow commands to execute child processes


 
opt_no_passwd
boolean or null
Whether to require a password when sudo is run. This should generally not be used as Users don't require a password.


 
opt_run_as
string or null <regex>   [ 1 .. 64 ] characters ^([%]{0,1})((([#])(\d+))|([\w\-_.]+)|((?i)[A-...
A non-root user account used to run the command


 
opt_set_env
boolean or null
Whether to allow overriding environment variables to commands


 
Array of objects or null
A list of commands to allow


 
 Array 
(any (object or null)) or (none (object or null)) or (custom (object or null))
 
(directory (object or null)) or (executable (object or null)) or (raw (object or null))
 
raw (object) or directory (object) or executable (object)
 
command_type
string
 
sub_env
Array of strings or null <regex> 
A list of environment variables to ignore when running Entitlement commands. See the sudo documentation.


 
Responses 
204
No Content


put/v1/teams/{team_name}/entitlements/sudo/{sudo_id}
Request samples 
application/json
{
  • "add_env": [ ],
  • "commands": null,
  • "created_at": "2018-04-07T00:00:00Z",
  • "description": "A new description",
  • "id": "226a1963-a1c8-4316-bb4d-da48f2e7652a",
  • "name": "name",
  • "opt_no_exec": false,
  • "opt_no_passwd": true,
  • "opt_run_as": "",
  • "opt_set_env": false,
  • "structured_commands": [
    • {
      },
    • {
      }
    ],
  • "sub_env": [ ],
  • "updated_at": "2018-04-07T00:00:00Z"
}
Delete a sudo Entitlement
Admin roles: 
  • access_admin
Deletes the specified sudo Entitlement. You can't delete an Entitlement that is assigned to a Project.


SecuritybearerAuth 
Request 
path Parameters
team_name
required
string
The name of your Team


 
sudo_id
required
string
The UUID of the Sudo Entitlement


 
Responses 
204
No Content


delete/v1/teams/{team_name}/entitlements/sudo/{sudo_id}
Request samples 
List all sudo Entitlements for a Group
Admin roles: 
  • access_admin
List all sudo Entitlements for a Group in a Project


SecuritybearerAuth 
Request 
path Parameters
team_name
required
string
The name of your Team


 
project_name
required
string
The Project name


 
group_name
required
string
The ASA Group name


 
Responses 
200
OK


get/v1/teams/{team_name}/projects/{project_name}/groups/{group_name}/entitlements/sudo
Request samples 
Response samples 
application/json
{
  • "list": [
    • {
      }
    ]
}
Assign a sudo Entitlement to a Group
Admin roles: 
  • access_admin
Assigns a sudo Entitlement to a Group in a Project


SecuritybearerAuth 
Request 
path Parameters
team_name
required
string
The name of your Team


 
project_name
required
string
The Project name


 
group_name
required
string
The ASA Group name


 
Request Body schema: application/json
required
order
required
string  [ 0 .. 100 ] 
 Default:  50
Defines the importance of the Entitlement within the Group. Lower values are listed earlier.


 
sudo_id
required
string <regex> ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-...
The UUID of the Entitlement


 
Responses 
204
No Content


post/v1/teams/{team_name}/projects/{project_name}/groups/{group_name}/entitlements/sudo
Request samples 
application/json
{
  • "order": 50,
  • "sudo_id": "5db14e13-3bee-4099-a105-c6e8aeeb7613"
}
Remove a sudo Entitlement from a Group
Admin roles: 
  • access_admin
Removes the specified sudo Entitlement from a Group in a Project


SecuritybearerAuth 
Request 
path Parameters
team_name
required
string
The name of your Team


 
project_name
required
string
The Project name


 
group_name
required
string
The ASA Group name


 
sudo_id
required
string
The UUID of the Sudo Entitlement


 
Responses 
204
No Content


delete/v1/teams/{team_name}/projects/{project_name}/groups/{group_name}/entitlements/sudo/{sudo_id}
Request samples