When users are assigned entitlements in Okta, whether via an out-of-the-box connector or a custom connector, an event occurs. This event is displayed as User's entitlements updated successfully, and the event type is resource.user_entitlements.update.
- Okta Identity Governance (OIG) and Entitlements
- Okta System Log
NOTE: Leveraging entitlements requires an Okta Identity Governance license and an application with Governance features enabled.
Entitlement Grant System Log Event Update
When a user assigned to an application with entitlement support receives an entitlement, the System Log records an event.
- LCM-enabled applications: This event signals the start of the provisioning process, followed by subsequent events.
- Non-LCM-enabled applications: This event can trigger Okta Workflows for actions like creating tickets or pushing updates to disconnected applications.
A new detail has been added to this event, supplementing the existing grant ID information.
What is a Grant?
A grant signifies the assignment or removal of entitlements or entitlement bundles for a user. More details can be found in the Grants article.
The new endpoint returns the specific entitlements added or removed during the entitlement update when called. This provides quicker insight into a user's entitlement changes, eliminating the need for manual calculation.
Locating the event
As an Administrator, log into the Okta Admin Console and select Reports/System Log in the Admin menu. In the search option, type “User's Entitlements updated” or a similar phrase. This will display any events that match the search.
NOTE: This event appears only after entitlements have been granted or revoked; if no applications are currently configured with entitlements, no such event is recorded.
Dissecting the event
To examine an event, find it in the user interface, and use the Expand All function. In the event details, find the System/DebugContext/DebugData section, as illustrated in the example.
The PrincipalEntitlementsChangedUrl value, found within that section, represents an endpoint. This endpoint can be accessed through tools like Okta Workflows to show the specific entitlements that were added or removed following a grant update.
Reviewing Changes
Executing a GET call with the provided URL will return details similar to the following in the response.
{
  "entitlementsChanged": [
    {
      "values": [
        {
          "changeType": "ADDED",
          "id": "entqhya80f2e7uP9F1d6",
          "name": "createPo",
          "externalValue": "createpo",
          "description": "Role can create Purchase orders"
        },
        {
          "changeType": "REMOVED",
          "id": "entqhya82fdyJQSWM1d6",
          "name": "addEditVendor",
          "externalValue": "addEditVendor",
          "description": "Role can add/update vendor profiles"
        }
      ],
      "id": "espqhya7xRnZQahYE1d6",
      "name": "Purchasing",
      "externalValue": "purchasing",
      "description": "This is the new entitlement description",
      "multiValue": true,
      "required": false,
      "dataType": "array"
    },
    {
      "values": [
        {
          "changeType": "ADDED",
          "id": "entqhya88iq372w7y1d6",
          "name": "readonly",
          "externalValue": "readonly",
          "description": "Role has read only rights"
        },
        {
          "changeType": "REMOVED",
          "id": "entqhya86TQj7eHsu1d6",
          "name": "admin",
          "externalValue": "admin",
          "description": "Rule has administrative rights"
        }
      ],
      "id": "espqhya84zmBKnJt81d6",
      "name": "Roles",
      "externalValue": "role",
      "description": "Roles within FinWorld Application",
      "multiValue": false,
      "required": false,
      "dataType": "string"
    }
  ],
  "resourceOrn": "orn:okta:idp:<example_idp_ID>:apps:oidc_client:<example_client_ID>",
  "resource": {
    "externalId": "0oaj7ukkccdeIQIRY1d7",
    "type": "APPLICATION"
  },
  "principalOrn": "orn:okta:directory:<example_directory_ID>:users:<example_users_ID>",
  "principal": {
    "externalId": "00uixlq1k1SV6Y48l1d7",
    "type": "OKTA_USER"
  },
  "_links": {
    "principal-entitlements": {
      "href": "https://tenant-admin.okta.com/governance/api/v1/principal-entitlements?filter=parent.externalId%20eq%20%220oaj7ukkccdeIQIRY1d7%22%20AND%20parent.type%20eq%20%22APPLICATION%22%20AND%20targetPrincipal.externalId%20eq%20%2200uixlq1k1SV6Y48l1d7%22%20AND%20targetPrincipal.type%20eq%20%22OKTA_USER%22",
      "hints": {}
    }
  }
}
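The following Python script is an added example, not code from Okta or from this article. It shows the steps described above end to end: filter System Log entries down to resource.user_entitlements.update events, read PrincipalEntitlementsChangedUrl from debugContext.debugData, check that the URL points at your own tenant before following it (the value is data copied from a log record, so an automation should not blindly fetch arbitrary hosts), and summarise the ADDED and REMOVED values in the response. The sample events and the trimmed response are constructed inline from the shape shown in this article; the URL path is a placeholder, and the use of an SSWS API token in the Authorization header is an assumption you should adapt to how your Workflows or scripts authenticate to the governance endpoint.

```python
"""Added example, not Okta's own code: find resource.user_entitlements.update
events, pull PrincipalEntitlementsChangedUrl out of debugContext.debugData, and
summarise the ADDED/REMOVED entitlements in the endpoint's response."""
import json
import urllib.request
from urllib.parse import urlparse

EVENT_TYPE = "resource.user_entitlements.update"

# Constructed sample System Log events. The eventType and debugContext layout follow
# the Okta System Log schema; every ID and the URL path are placeholders.
SAMPLE_EVENTS = [
    {"eventType": "user.session.start",
     "displayMessage": "User login to Okta",
     "debugContext": {"debugData": {}}},
    {"eventType": EVENT_TYPE,
     "displayMessage": "User's entitlements updated successfully",
     "target": [{"id": "00uixlq1k1SV6Y48l1d7", "type": "User"}],
     "debugContext": {"debugData": {
         "PrincipalEntitlementsChangedUrl":
             "https://tenant-admin.okta.com/<path-copied-from-the-event>"}}},
]

# Constructed response in the shape shown in the article (attribute and value names
# taken from its sample, trimmed to the fields the summary needs).
SAMPLE_RESPONSE = {
    "entitlementsChanged": [
        {"externalValue": "purchasing", "multiValue": True,
         "values": [
             {"changeType": "ADDED", "externalValue": "createpo"},
             {"changeType": "REMOVED", "externalValue": "addEditVendor"}]},
        {"externalValue": "role", "multiValue": False,
         "values": [
             {"changeType": "ADDED", "externalValue": "readonly"},
             {"changeType": "REMOVED", "externalValue": "admin"}]},
    ],
    "principal": {"externalId": "00uixlq1k1SV6Y48l1d7", "type": "OKTA_USER"},
    "resource": {"externalId": "0oaj7ukkccdeIQIRY1d7", "type": "APPLICATION"},
}


def entitlement_update_events(events):
    """Keep only the entitlement-update events from a list of System Log entries."""
    return [e for e in events if e.get("eventType") == EVENT_TYPE]


def changed_url(event):
    """Return PrincipalEntitlementsChangedUrl from the event's debugData, or None."""
    return event.get("debugContext", {}).get("debugData", {}).get(
        "PrincipalEntitlementsChangedUrl")


def is_trusted_url(url, tenant_host):
    """The URL is data copied out of a log record: only follow it when it is an
    HTTPS URL on the tenant's own Okta admin host."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and parsed.hostname == tenant_host


def fetch_changes(url, api_token, tenant_host):
    """GET the endpoint. Assumption: an Okta API token sent as 'SSWS <token>' in the
    Authorization header is accepted; adjust to your auth scheme. Not run offline."""
    if not is_trusted_url(url, tenant_host):
        raise ValueError(f"refusing to follow untrusted URL: {url}")
    req = urllib.request.Request(url, headers={"Authorization": f"SSWS {api_token}",
                                               "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def summarize_changes(response):
    """Group changed values as 'attribute:value' strings under their changeType.
    Also flags a single-valued attribute that reports more than one ADDED value,
    an inconsistent grant that deserves a closer look."""
    summary = {"ADDED": [], "REMOVED": [], "WARNINGS": []}
    for attr in response.get("entitlementsChanged", []):
        added = 0
        for value in attr.get("values", []):
            key = f"{attr['externalValue']}:{value['externalValue']}"
            summary.setdefault(value["changeType"], []).append(key)
            added += value["changeType"] == "ADDED"
        if not attr.get("multiValue", True) and added > 1:
            summary["WARNINGS"].append(
                f"{attr['externalValue']}: {added} values added to a single-valued attribute")
    return summary


if __name__ == "__main__":
    for event in entitlement_update_events(SAMPLE_EVENTS):
        url = changed_url(event)
        print(event["displayMessage"], "->", url)
        # Offline run: the constructed response stands in for
        # fetch_changes(url, api_token, "tenant-admin.okta.com").
        print(json.dumps(summarize_changes(SAMPLE_RESPONSE), indent=2))
```

In a Workflows or SIEM pipeline, the summary keys (for example purchasing:createpo under ADDED) are what you would attach to a ticket or compare against the access request that should have produced the grant; the principal and resource externalId fields in the response let you tie the change back to the user and application without re-reading the event's target list.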
Recommendation
Leveraging this new data will improve the process of identifying entitlement changes resulting from Access Requests, Access Certification decisions, or API/Admin modifications.
