Overview
This article provides a general overview of, and potential options for, managing entitlements with Okta's Entitlement Management feature.
Prerequisites
- Okta Identity Governance
- Governance Engine enabled for an application in Okta
- Custom connectors may be created for any application. However, these applications have out-of-the-box connectors; consider using Okta's connector instead.
Importing The Entitlement Schema
Importing or creating the entitlement schema involves deciding which attributes in the application must be represented as entitlements in Okta. Generally, these are permission- or license-granting attributes in the application, such as Office 365's "Role" or Salesforce's "Profile" attributes. These are just two examples; it is entirely up to the customer how the custom entitlements are modeled in Okta.
Creating Base Entitlements
After creating a list of entitlements, they need to be added to the application in Okta. This can be done in a few ways:
Manually
The manual setup of entitlements involves navigating to the Governance tab of the application.
- From the "Entitlements" tab, choose Add Entitlement.
- Add a Display Name for the new entitlement
- Add a Variable Name for the new entitlement
- Give it an Entitlement Type (Data Type)
- Choose "String" in cases where a user can only have one value assigned to them. For example, a user might only be able to be assigned to a single Salesforce "Profile."
- Choose "String Array" in cases where a user can have more than one value assigned to them, such as Office 365 licenses.
- Provide a description in the Description (optional) field
- Okta recommends adding a description to help clarify how the entitlement will be used or what it is for.
- Click Next
- Add a Display name for the new entitlement value
- Add a Value for the new entitlement value
- Add a Description (optional), if needed
- Click the + Add value button to add additional entitlement values
- Click Save entitlement
Using an API
The same tasks carried out manually can also be accomplished via API. Use this API to create an entitlement in Okta. The possible values for an entitlement can be supplied at creation time through the required "values" array. Okta's recently updated SCIM connector also supports the creation of entitlements via API.
Importing Entitlements for each User
After the Entitlements have been created, assign users to their appropriate Entitlements. Here are a few ways to accomplish this:
Using an Entitlement Policy
Along with entitlements comes the new concept of an "App Entitlement Policy." This policy is found in the Governance > Policy section of the OIG app. A policy can use the Okta Expression Language to assign users to their birthright entitlements as they are assigned the application. This is a solid, automatic way of managing user entitlements while also ensuring that users are assigned standardized entitlements. Users assigned to entitlements via policy will show "Policy" assigned entitlements, whereas any other type of assignment will show "Custom" assigned entitlements. A user can also match multiple policies, resulting in multiple policy grants.
Manual Assignment
On the Assignments tab of an entitlements-enabled application, from the user’s options menu (3 vertical dots) pick View Entitlements. From here, all of the entitlements assigned to this user will be displayed. Choose Edit to assign entitlements directly via the Customize Entitlements button or choose to revert the user to their policy-assigned entitlements via the Revert to Policy button. Choose to re-evaluate a user's entitlements if the user should have different entitlements than the ones currently displayed.
Assign Entitlement grants Via API
In the future, an API can be used to grant each user their entitlements directly. For each user, make the appropriate API call in Okta to set them up with the custom entitlements they already have in the downstream application. This might mean reading a CSV of entitlements from a Workflows table and assigning entitlements to each of the users, or making API calls to the downstream application to list a user's entitlements and convert them into Okta entitlements. This might also involve the use of Okta Workflows tables to associate app entitlements with Okta entitlements. Okta's recently updated SCIM connector also supports the assignment/import of entitlements via API.
Using Okta Event Hooks to Update Entitlements Downstream
After entitlements have been loaded into Okta, it will be necessary to detect that entitlements have been updated in Okta and then update the downstream application. The best way to update downstream applications automatically is to use event hooks in Okta. An event hook set up in this way will catch changes made via policy change, policy assignment, self-service or admin assignment to a bundle, admin assignment to an entitlement grant (manually or via API), as well as any entitlements or bundles revoked via Access Certification campaigns.
Creating Event Hook To Support Entitlement Update
To capture entitlement updates in Okta Workflows, create a Workflows API endpoint, capture the invoke URL, and configure an event hook to invoke the workflow.
Create Workflows API Endpoint
From the workflows console, create any new flow.
- From within the flow, click on the Add Event button
- Choose the API Endpoint option from the Okta Apps section
- Choose to secure the flow with a client token by clicking on the Secure with client token radio button.
- Click the Close button
- Save the flow
- Reopen the API endpoint configuration by clicking the </> button at the bottom of the API Endpoint card
- Copy the invoke URL
- Make sure the flow is activated
Create Okta Event Hook With Workflows API Endpoint
- Follow this document to create an event hook in Workflows > Event hooks.
- Paste the Invoke URL value from step 7 above into the Endpoint URL field of the hook. Okta should detect that this is an Okta Workflows link and automatically authenticate the hook.
- Subscribe to “Updated User's entitlements in a resource” by selecting it from the Select all events that apply field.
How to Create a List of Entitlements to Update
- Get Grant ID From Event Hook
  - At this time, this data is located in the response body of the event hook. The location of the Grant ID as of Jan 17, 2024, is:
    data.events[0].debugContext.debugData.grantId
- Use Grant ID to Obtain Entitlements Updated
  - Make the API call listed above, given the Grant ID. The response should contain the entitlements or bundles assigned to or removed from a user. With this information, one of a few solutions can be built:
    - Build a CSV of manual updates to make
      - In this case, add each entitlement update to a table and process this table manually all at once after a period of time has passed
    - Message/Email App owner to make changes using one of Okta's messenger connections
      - Build a workflow that finds the entitlement updated and then uses Slack, Teams, or email to message the app owners the changes to make to each user. This could potentially even create custom access requests that app owners must sign off on to confirm completion.
    - Build API calls in workflows to update the entitlements downstream automatically
      - Based on the names or IDs of the entitlements granted to the end users in Okta via various means, build API calls to update their entitlements in the downstream applications. This matching of entitlements in Okta to the downstream application can be managed either by naming convention or by association in an Okta Workflows table. It may require comparing, within the workflow, which entitlements users are assigned in Okta versus which entitlements users have in the application. For some apps, this is the only way to determine which entitlements need to be added or removed.
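The two steps above, as an added example that is not part of this article or of Okta's own tooling: pull the Grant ID from a constructed event hook body using the documented path (returning None rather than failing if the field has moved), then compute the add/remove actions for a user by comparing the Okta-side entitlements against what the downstream application currently holds, treating "String" entitlements as a single value and "String Array" entitlements as a set. The payload shape, entitlement names and values are all constructed samples.

```python
import json
from typing import Any, Dict, List, Optional, Tuple, Union

# Constructed sample of the event hook body; only the fields read here are included.
SAMPLE_HOOK_BODY = json.dumps({
    "data": {"events": [{
        "debugContext": {"debugData": {"grantId": "grant-0001-constructed"}},
    }]},
})

# Path documented in the article as of Jan 17, 2024; kept in one place so it is easy to change.
GRANT_ID_PATH: Tuple[Union[str, int], ...] = (
    "data", "events", 0, "debugContext", "debugData", "grantId",
)


def extract_grant_id(body: str) -> Optional[str]:
    """Walk GRANT_ID_PATH through the hook body; None if any hop is missing."""
    node: Any = json.loads(body)
    for key in GRANT_ID_PATH:
        try:
            node = node[key]
        except (KeyError, IndexError, TypeError):
            return None
    return node if isinstance(node, str) and node else None


Value = Union[str, List[str], None]


def _as_set(value: Value) -> set:
    """String entitlement -> one-element set; String Array -> set; absent -> empty."""
    if value is None:
        return set()
    return set(value) if isinstance(value, list) else {value}


def plan_updates(okta: Dict[str, Value], downstream: Dict[str, Value]) -> List[Tuple[str, str, str]]:
    """Return ("add"|"remove", entitlement, value) actions that bring downstream in line with Okta."""
    actions: List[Tuple[str, str, str]] = []
    for name in sorted(set(okta) | set(downstream)):
        want, have = _as_set(okta.get(name)), _as_set(downstream.get(name))
        actions += [("add", name, v) for v in sorted(want - have)]
        actions += [("remove", name, v) for v in sorted(have - want)]
    return actions


if __name__ == "__main__":
    print(extract_grant_id(SAMPLE_HOOK_BODY))
    print(plan_updates({"Profile": "Sales", "Licenses": ["E3", "Visio"]},
                       {"Profile": "Standard", "Licenses": ["E3"]}))
```

The returned action list is what would be written to a Workflows table as CSV rows, sent to the app owner, or turned into downstream API calls, depending on which of the three options above is chosen.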