Overview
Resource owners play a crucial role in Access Certification and Access Requests by serving as reviewers. They are assigned to various components, including applications, groups, entitlement bundles, and individual entitlement values. This guide details the necessary steps and tools for migrating these assignments into Okta Identity Governance (OIG) and then managing them over time.
Use Cases
- When migrating from an existing Identity Governance and Administration (IGA) solution, capturing the existing ownership of resources to support campaigns and access request approvals is a simple process.
Migration:
The process below outlines how to migrate from another IGA tool to Okta. Once all resource owners have been migrated into Okta, newly onboarded resources will also need to be assigned one or more owners.
Sync:
During a migration, resource owners are synchronized initially using the API. Once migrated, these resource owners can be managed in various ways using both the UI and the API. See the API examples included in this document.
Supported Resource Types
- Applications
- Entitlement Values
- Entitlement Bundles
- Collections (on roadmap)
Assumptions
- As part of the onboarding of applications, owners should be assigned to identify requestable resources, including entitlement values, entitlement bundles, applications, and Collections (Roadmap).
- Group Owners are maintained by the Okta Group Owners API.
Resource Owner UI
Resource Owners can be managed as documented in Resource owners.
To configure an application, entitlement-value, or entitlement-bundle owner in the UI, perform the following steps:
- Log in to the Okta Admin Console as an Administrator with the Super Admin role.
- Select Applications > Applications in the left-hand menu.
- Search for and select an existing application where you want to set the resource owner.
- Locate and click the Governance tab.
- Click the Owners tab.
- Select the category of resource to set the owner, and select the Assign Owners button.
- Select Users or Groups, select applicable owners, and complete the process by selecting the Assign Owners button.
Resource Owner API
Resource Owners can be created via the Resource Owners API.
Configure the Resource Owner
The API enables the assignment of one or more owners, either individual users or a group. If both are used, Okta defaults to the group owner list.
NOTE: The payload contains an array of principals (principalOrns) and an array of resources (resourceOrns); therefore, one or more of each can be supplied in the body during a single assignment.
Assign a Resource Owner
POST - https://{OktaDomain}/governance/api/v1/resource-owners
Payload:
{
  "principalOrns": [
    "orn:okta:directory:00o11edPwGqbUrsDm0g4:users:00u10sfroCwbHQO4a0g",
    "orn:okta:directory:00o11edPwGqbUrsDm0g4:users:00u6yl0Q065H4BCPR0g4"
  ],
  "resourceOrns": [
    "orn:okta:governance:00o11edPwGqbUrsDm0g4:entitlement-bundles:enbogpaj3XUzcM62u1d6"
  ]
}
Remove all Resource Owners
The same API used to assign Resource Owners can be used to clear all existing owners of a resource. This call sends an empty principalOrns list for the resource.
POST - https://{OktaDomain}/governance/api/v1/resource-owners
Payload:
{
  "principalOrns": [],
  "resourceOrns": [
    "orn:okta:governance:00o11edPwGqbUrsDm0g4:entitlement-bundles:enbogpaj3XUzcM62u1d6"
  ]
}
Update a Resource Owner
The API enables the removal of one or more owners (users or groups) individually from a single resource. The payload supports a list of operations, one per owner to remove.
PATCH - https://{OktaDomain}/governance/api/v1/resource-owners
Payload:
{
  "resourceOrn": "orn:okta:governance:00o11edPwGqbUrsDm0g4:entitlement-bundles:enbogpaj3XUzcM62u1d6",
  "data": [
    {
      "op": "REMOVE",
      "path": "/principalOrn",
      "value": "orn:okta:directory:00o11edPwGqbUrsDm0g4:users:00u20sfroCwbHQO4a0g"
    },
    {
      "op": "REMOVE",
      "path": "/principalOrn",
      "value": "orn:okta:directory:00o11edPwGqbUrsDm0g4:users:00u10sfroCwbHQO4a0g"
    }
  ]
}
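The three calls above (assign, clear all, remove individual owners) differ only in the body they send. The following Python helpers, added here as an example and not Okta's own code, build those bodies, validate that every principal is a directory user or group ORN before anything is sent, and wrap the HTTP call with an SSWS API token. The org id, user ids, bundle id, domain and token are constructed placeholders shaped like the examples on this page.

```python
"""Helpers that build the Resource Owners API request bodies shown above.

Added example, not Okta's own code. The org id, user ids, bundle id, domain
and API token are constructed placeholders; the ORN shapes follow the
examples on this page.
"""
import json
import re
import urllib.request

ORG_ID = "00o11edPwGqbUrsDm0g4"   # constructed placeholder org id
OKTA_DOMAIN = "example.okta.com"  # constructed placeholder domain
RESOURCE_OWNERS_PATH = "/governance/api/v1/resource-owners"

# Owner principals on this page are directory users; groups use the same shape.
PRINCIPAL_ORN = re.compile(r"^orn:okta:directory:[A-Za-z0-9]+:(users|groups):[A-Za-z0-9]+$")


def principal_orn(kind: str, okta_id: str, org_id: str = ORG_ID) -> str:
    """Build the directory ORN for a user or group that will act as owner."""
    if kind not in ("users", "groups"):
        raise ValueError("owner kind must be 'users' or 'groups'")
    return f"orn:okta:directory:{org_id}:{kind}:{okta_id}"


def bundle_orn(bundle_id: str, org_id: str = ORG_ID) -> str:
    """Build the governance ORN of an entitlement bundle."""
    return f"orn:okta:governance:{org_id}:entitlement-bundles:{bundle_id}"


def owner_kinds(principal_orns) -> set:
    """Validate every principal ORN and return the set of kinds it contains."""
    kinds = set()
    for orn in principal_orns:
        match = PRINCIPAL_ORN.match(orn)
        if not match:
            raise ValueError(f"not a user or group ORN: {orn}")
        kinds.add(match.group(1))
    return kinds


def assign_payload(resource_orns, principal_orns) -> dict:
    """POST body that replaces the owner list of each resource with principal_orns."""
    if len(owner_kinds(principal_orns)) > 1:
        # The page states that Okta defaults to the group list when users and
        # groups are both supplied; this example refuses the mix so a migration
        # never silently drops the user owners.
        raise ValueError("supply either user owners or group owners per call")
    return {"principalOrns": list(principal_orns), "resourceOrns": list(resource_orns)}


def clear_payload(resource_orns) -> dict:
    """POST body with an empty principalOrns list, which removes every owner."""
    return {"principalOrns": [], "resourceOrns": list(resource_orns)}


def remove_payload(resource_orn: str, principal_orns) -> dict:
    """PATCH body that removes only the named owners from one resource."""
    owner_kinds(principal_orns)
    return {
        "resourceOrn": resource_orn,
        "data": [
            {"op": "REMOVE", "path": "/principalOrn", "value": orn} for orn in principal_orns
        ],
    }


def send(method: str, body: dict, api_token: str, domain: str = OKTA_DOMAIN) -> dict:
    """Send a body to the Resource Owners endpoint with an SSWS API token."""
    request = urllib.request.Request(
        f"https://{domain}{RESOURCE_OWNERS_PATH}",
        data=json.dumps(body).encode("utf-8"),
        method=method,
        headers={
            "Authorization": f"SSWS {api_token}",
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
    )
    with urllib.request.urlopen(request) as response:
        return json.load(response)


if __name__ == "__main__":
    bundle = bundle_orn("enbogpaj3XUzcM62u1d6")
    owners = [principal_orn("users", "00u10sfroCwbHQO4a0g"),
              principal_orn("users", "00u6yl0Q065H4BCPR0g4")]
    print(json.dumps(assign_payload([bundle], owners), indent=2))
    print(json.dumps(clear_payload([bundle]), indent=2))
    print(json.dumps(remove_payload(bundle, owners[:1]), indent=2))
    # Live call, not executed here:
    # send("POST", assign_payload([bundle], owners), api_token="<SSWS token placeholder>")
```

Validating ORNs locally catches the common migration mistake of pasting a resource ORN into principalOrns; the refusal to mix users and groups in one call is this example's own conservative choice, made because the page states that Okta defaults to the group list when both are present.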
List all Resources with Owners
The API allows you to retrieve a list of resource owners assigned to resources within a specified application (the parentResourceOrn filter, which is required). Other filters can also be applied and combined to refine the results. The available filters can be viewed in the List all resources with owners API documentation.
GET - https://{OktaDomain}/governance/api/v1/resource-owners?filter=parentResourceOrn eq "orn:okta:idp:00o11edPwGqbUrsDm0g4:apps:salesforce:0oafxqCAJWWGELFTYASJ"
List all Resources without Owners
The API identifies resources lacking assigned Resource Owners within an application, where the parentResourceOrn filter is mandatory. Other filters can also be applied and combined to refine the results. The available filters can be viewed in the List all resources without owners API documentation.
GET - https://{OktaDomain}/governance/api/v1/resource-owners/catalog/resources?filter=parentResourceOrn eq "orn:okta:idp:00o11edPwGqbUrsDm0g4:apps:salesforce:0oafxqCAJWWGELFTYASJ" AND resource.type eq "entitlement-bundles"
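The two GET calls above are the check that closes the migration described in the Migration and Sync sections: after the initial sync, the catalog of resources without owners should be empty for every onboarded application. The following Python example, added here and not Okta's own code, builds the two filter queries with proper URL encoding and reconciles the unowned resources against a legacy IGA export so that the remaining gaps are visible. The org id, application ORN, bundle ids and the legacy export are constructed placeholders; the filter syntax is the one shown on this page.

```python
"""Query one application's resources with and without owners, then reconcile
the unowned ones against a legacy IGA export.

Added example, not Okta's own code. The org id, application ORN and bundle
ids are constructed placeholders and the legacy export is a constructed
sample; the filter syntax is the one shown on this page.
"""
from urllib.parse import quote

ORG_ID = "00o11edPwGqbUrsDm0g4"  # constructed placeholder org id
APP_ORN = f"orn:okta:idp:{ORG_ID}:apps:salesforce:0oafxqCAJWWGELFTYASJ"
RESOURCE_OWNERS_PATH = "/governance/api/v1/resource-owners"


def owner_filter(parent_orn: str, resource_type: str = "") -> str:
    """Build the filter expression: parentResourceOrn is required, resource.type optional."""
    expression = f'parentResourceOrn eq "{parent_orn}"'
    if resource_type:
        expression += f' AND resource.type eq "{resource_type}"'
    return expression


def resources_with_owners_url(parent_orn: str) -> str:
    """Path and query for the list of resources that already have owners."""
    return f"{RESOURCE_OWNERS_PATH}?filter={quote(owner_filter(parent_orn), safe='')}"


def resources_without_owners_url(parent_orn: str, resource_type: str = "") -> str:
    """Path and query for the catalog of resources that still lack owners."""
    query = quote(owner_filter(parent_orn, resource_type), safe="")
    return f"{RESOURCE_OWNERS_PATH}/catalog/resources?filter={query}"


def coverage_report(unowned_orns, legacy_owners):
    """Split unowned resource ORNs into those the legacy export can fill and
    those that need a manual ownership decision before campaigns run."""
    fillable = {orn: legacy_owners[orn] for orn in unowned_orns if legacy_owners.get(orn)}
    unresolved = [orn for orn in unowned_orns if orn not in fillable]
    return fillable, unresolved


# Constructed sample: three unowned bundles as the catalog call would report
# them, and a legacy export that knows owners for two of them.
SAMPLE_UNOWNED = [
    f"orn:okta:governance:{ORG_ID}:entitlement-bundles:enbogpaj3XUzcM62u1d6",
    f"orn:okta:governance:{ORG_ID}:entitlement-bundles:enbSAMPLE000000000002",
    f"orn:okta:governance:{ORG_ID}:entitlement-bundles:enbSAMPLE000000000003",
]
SAMPLE_LEGACY_EXPORT = {
    SAMPLE_UNOWNED[0]: [f"orn:okta:directory:{ORG_ID}:users:00u10sfroCwbHQO4a0g"],
    SAMPLE_UNOWNED[1]: [f"orn:okta:directory:{ORG_ID}:users:00u6yl0Q065H4BCPR0g4"],
}

if __name__ == "__main__":
    print(resources_with_owners_url(APP_ORN))
    print(resources_without_owners_url(APP_ORN, "entitlement-bundles"))
    fillable, unresolved = coverage_report(SAMPLE_UNOWNED, SAMPLE_LEGACY_EXPORT)
    print(f"{len(fillable)} resources can be assigned from the legacy export")
    for orn in unresolved:
        print(f"needs a manual owner decision: {orn}")
```

Quoting the whole filter with `safe=''` keeps the spaces, double quotes and colons of the ORN from breaking the query string; the unresolved list is the set of resources that will have no reviewer in a campaign until an owner is assigned.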
Summary
Resource Owners are assigned to applications, groups, entitlement-bundles, and entitlement-values and act as reviewers for Access Certification and Access Requests. The process involves migrating existing resource owner data from an existing IGA tool to Okta. New resources will also require owner assignment. Supported resource types include Applications, Entitlement-values, Entitlement-bundles, and Collections (on roadmap). Owners should be assigned during application onboarding, and ongoing maintenance is needed to keep resource ownership current once in operation. Group Owners are managed by the Okta Group Owners API. The Resource Owner API enables assigning one or more owners (individually or via a group), removing all owners, updating specific owners, and listing resources with or without owners using filters.
Related References
