Okta Access Requests allows the creation of both Access Request Types and new Access Requests to those types via API. As part of the API requests process, validations occur to ensure defined configurations are met before allowing a request to proceed. For this specific instance, when an API call is made to create a New Request of an existing Access Request Type, the audience defined in the Access Request Type is evaluated, and if the participating users are not part of the audience, an error will be returned.
- Okta Access Requests
- Creation of a "New" request using the Okta Identity Governance (OIG) API
When a requestType is created in Okta Access Requests, an Audience must be specified. One possible Audience target is an Okta Group. This target is derived from the Push Groups assigned to the Okta Access Requests application. When an attempt to create a New Request is made via the API, the audience is evaluated. Unless both the authenticated user making the request and the target requesterUserIds the request is being made on behalf of are members of the Push Group, the process will fail with the following error:
```json
{
  "errorCode": "E0000006",
  "errorSummary": "You do not have permission to perform the requested action.",
  "errorLink": "E0000006",
  "errorCauses": [
    {
      "domain": "governance",
      "errorSummary": "Authenticated user and contents of /body/requesterUserIds must be members of the group specified in the request type's /requestSettings/requesterMemberOf array.",
      "location": "/requesterUserIds",
      "locationType": "body",
      "reason": "REQUEST_TYPE_SETTINGS"
    }
  ]
}
```
To resolve the issue, please confirm the following:
- Both the authenticated user and the requesterUserIds target in the API payload are users contained in the target group.
- In Applications > Applications > Okta Access Requests > Push Groups, the group is present, activated, with no obvious errors.
- In the Push Status, click the drop-down and choose Push Now.
- Wait for the push to occur before attempting to create the New Request via API again.
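
The following is an added example, not Okta's code: it recognizes the audience-check variant of E0000006 from the error body above and runs the same membership check client-side before the API call. The `group_members` map, the `grp-`/`usr-` ids and the "any listed group" and "empty array" rules are assumptions made for illustration.

```python
import json

# Constructed sample: the error body shown in this article, trimmed.
SAMPLE_ERROR = json.loads("""
{"errorCode": "E0000006",
 "errorSummary": "You do not have permission to perform the requested action.",
 "errorCauses": [{"domain": "governance",
                  "location": "/requesterUserIds",
                  "locationType": "body",
                  "reason": "REQUEST_TYPE_SETTINGS"}]}
""")


def is_audience_failure(error_body):
    """True only when E0000006 was raised by the request type's audience check,
    not by another permission failure that shares the same error code."""
    if error_body.get("errorCode") != "E0000006":
        return False
    return any(
        cause.get("domain") == "governance"
        and cause.get("reason") == "REQUEST_TYPE_SETTINGS"
        and cause.get("location") == "/requesterUserIds"
        for cause in error_body.get("errorCauses") or []
    )


def users_outside_audience(request_type, group_members, auth_user_id, requester_user_ids):
    """Return, in order, the user ids the audience check would reject.

    request_type: dict holding requestSettings.requesterMemberOf (group ids).
    group_members: hypothetical pre-fetched map of group id -> set of user ids.
    Assumption: membership in any one listed group satisfies the audience.
    """
    audience = request_type.get("requestSettings", {}).get("requesterMemberOf") or []
    if not audience:
        return []  # assumption: an empty array means no group-based audience
    allowed = set()
    for group_id in audience:
        allowed |= set(group_members.get(group_id, ()))
    # The authenticated caller is checked as well as every requesterUserIds entry.
    to_check = [auth_user_id] + [u for u in requester_user_ids if u != auth_user_id]
    return [u for u in to_check if u not in allowed]


# Constructed ids for illustration only.
REQUEST_TYPE = {"requestSettings": {"requesterMemberOf": ["grp-audience"]}}
GROUP_MEMBERS = {"grp-audience": {"usr-admin", "usr-alice"}}
```

A non-empty result means the listed users must be added to the group, and the group pushed, before the New Request call can succeed.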
