Request Types support many use cases, including creating Access Requests through an API. This guide describes how to use Okta Workflows to call the API and create an Access Request programmatically. It assumes an existing understanding of Okta Workflows and how to build a Workflow. It covers only a basic Access Request: one that asks a single question about why the requester needs access to a group and assigns the request to their manager for approval.
- Okta Access Requests
- Okta Workflows
- Okta Identity Governance API
- Visit this link to locate the API documentation for Identity Governance. Locate the API reference for Request Types. Please refer to this guide for more information on how to use the API.
- Next, log into Okta as a Super Admin. Check that the proper scopes are enabled within the Okta Workflows OAuth application: OIG Scope Information.
- Click on the Okta Workflow console to get started. If new scopes were enabled, re-authenticate the Okta Workflows connection.
- Create a new flow and name it by clicking the pencil next to Unnamed. Also select the option to save all data that passes through the flow, then save.
- Next, add an Event, and select how this flow should be triggered.
- Next, click the Add app action button, select Okta’s application, select the Custom API Action card, select GET for Request Type, and hit Save.
- Next, uncheck the boxes for Query and Headers, as we are not using them in this flow, and click the Save button.
- Next, we need to run the List Teams API endpoint to get the ID of the team that will be associated with the newly created Access Request. So enter the following Relative URL and save the card. A Relative URL is a URL that only includes the path and already assumes the domain. Okta’s Custom API Action card is already pointing to the proper domain. NOTE: This can still be done with any tool that supports calling an API.
Full URL: https://{MyOktaDomain}/governance/api/v1/teams
Relative URL for listing Teams: /governance/api/v1/teams
- Next, save the card, enable the Workflow, and execute it.
- In the Flow History, click on the Custom API Action card and scroll down to get the body that was sent back from hitting the API. Within the body, find the IDs of each Team created in Access Requests. Note the IDs and save them for later use.
- Now, let’s update the Relative URL for the final workflow.
Full URL: https://{MyOktaDomain}/governance/api/v1/request-types
Relative URL: /governance/api/v1/request-types
We also need to click Options on the Custom API card and change it to a POST. When doing this, make sure the body is checked for the available fields. The end result after saving should look similar to the card below.
- Next, click the Add function button to add a Compose card to the flow. Add it before the Custom API card.
- Now, back on the API documentation site listed earlier, locate the API endpoint used to create request types. The site offers various payload formats for specific use cases. Below is the API payload example from the website that this guide uses. Notes: The last couple of lines were added to make the Access Request Active by default. To create it as a draft instead, change the ACTIVE value to DRAFT.
{
  "name": "Salesforce.com",
  "description": "Test Group Request Type via API",
  "ownerId": "62fa7db04e7633000a7a83cc",
  "resourceSettings": {
    "type": "GROUPS",
    "targetResources": [
      {
        "resourceId": "00gsn3llsiAdmbIf41t7"
      }
    ]
  },
  "requestSettings": {
    "type": "EVERYONE",
    "requesterFields": [
      {
        "prompt": "Why this group is needed?",
        "type": "TEXT",
        "required": true
      }
    ]
  },
  "approvalSettings": {
    "type": "SERIAL",
    "approvals": [
      {
        "approverType": "MANAGER"
      }
    ]
  },
  "status": "ACTIVE"
}
- Open a text editor and paste the code from the website into it. The provided example must be modified to use the Team ID pulled from the test workflow in step 9.
- To get a group ID, go to Directory > Groups in the Okta Admin console. Either create a group or select an existing group. The URL visible after selecting the group displays the GUID of the group. In this example, 00gsn3llsiAdmbIf41t7 is the group GUID needed for the API.
- Update the text in the editor and enter the group GUID as the value associated with the resourceId.
- Now, copy and paste the API body from the text editor to the Compose card. If needed, alter the formatting after pasting.
- Drag the output of the Compose card to the body of the Custom API Action card, and the flow is ready to run.
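
The guide notes that the same calls can be made with any tool that supports calling an API. The following Python is an added example, not code from the original guide or from Okta: it picks the Team ID out of a List Teams body, builds the payload shown above with basic checks, and prepares (without sending) the POST to the request-types endpoint. The function names, the `{"data": [...]}` response shape, the placement of the Team ID in `ownerId`, the group ID pattern, and the use of a bearer token obtained elsewhere are assumptions.

```python
import json
import re
import urllib.request

# Constructed List Teams body: the {"data": [...]} wrapper, the team names and
# the second ID are assumptions; the first ID is the ownerId from the guide.
SAMPLE_TEAMS_BODY = json.dumps({"data": [
    {"id": "62fa7db04e7633000a7a83cc", "name": "IT"},
    {"id": "constructed-team-id-0002", "name": "HR"},
]})

# Assumption: group IDs look like the guide's example ("00g" + 17 alphanumerics).
GROUP_ID_RE = re.compile(r"00g[0-9A-Za-z]{17}")

def find_team_id(teams_body, team_name):
    """Return the ID of the single team called team_name; refuse to guess."""
    parsed = json.loads(teams_body)
    teams = parsed.get("data", []) if isinstance(parsed, dict) else parsed
    ids = [t["id"] for t in teams if t.get("name") == team_name]
    if len(ids) != 1:
        raise ValueError(f"expected 1 team named {team_name!r}, found {len(ids)}")
    return ids[0]

def build_request_type(name, description, team_id, group_id, status="ACTIVE"):
    """Build the guide's payload (one question, manager approval) after checks."""
    if not GROUP_ID_RE.fullmatch(group_id):
        raise ValueError("resourceId is not a group ID")
    if status not in ("ACTIVE", "DRAFT"):
        raise ValueError("status must be ACTIVE or DRAFT")
    return {
        "name": name,
        "description": description,
        "ownerId": team_id,  # assumption: the Team ID goes here
        "resourceSettings": {"type": "GROUPS",
                             "targetResources": [{"resourceId": group_id}]},
        "requestSettings": {"type": "EVERYONE", "requesterFields": [
            {"prompt": "Why this group is needed?", "type": "TEXT", "required": True}]},
        "approvalSettings": {"type": "SERIAL",
                             "approvals": [{"approverType": "MANAGER"}]},
        "status": status,
    }

def build_post(okta_domain, access_token, payload):
    """Prepare (not send) the POST; the bearer token is obtained elsewhere."""
    if not re.fullmatch(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+", okta_domain):
        raise ValueError("okta_domain must be a bare host name")
    return urllib.request.Request(
        f"https://{okta_domain}/governance/api/v1/request-types",
        data=json.dumps(payload).encode("utf-8"), method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"})
```

Pass the returned request to `urllib.request.urlopen` to send it; creating the request type with status DRAFT first allows it to be reviewed in Access Requests before it is active.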
Happy Governing!
