Okta Policies are a convenient way to assign entitlements for a birthright use case. Policies are part of the Entitlements enhancement in Okta Identity Governance (OIG). Entitlements can be distributed to users in several ways, and Policies are one of them; they are the equivalent of Group Rules, but for Entitlements. Users assigned to an application directly, via Policy, or via group assignment have policies evaluated against them, and if a policy applies, its entitlements are assigned to the user. However, once a user is granted custom entitlements via the API or by an Okta administrator, future policy jobs no longer run against that user. To remedy this, the user can be reverted to Policy.
- Okta OIG Entitlements
- Okta Identity Governance API
- Okta Workflows
Using the UI
- Log in to Okta as a Super Admin. Locate the application in which the user is assigned entitlements. This example will use Salesforce as the application.
- Locate the user in question and click the three dots on the right side, as seen in the image.
- Select the View entitlements option. A new window will open on the right side showing any entitlements. Click on the entitlement to see where that entitlement came from (Policy, Self Service Access Request, Admin).
- If the user was granted a custom entitlement directly by admin, API, or via an Access Request, the entitlements would look like this image:
- Revert the user so that the Policy engine runs on this user and their assignment. This strips away any custom entitlements or entitlements granted via an Access Request.
- To do this, click the Edit button and locate the blue Revert to Policy button.
- Click the blue Revert button to complete the action.
- The user will now get entitlements directly from any Policy rules that apply going forward.
Using the API
- Visit the Okta Identity Governance API to locate the API documentation for Identity Governance. Locate the API reference for Grants.
- Run the Grant API.
- URL: https://{OktaDomainName}/governance/api/v1/grants
- Body:
    {
      "grantType": "POLICY",
      "target": { "externalId": "0oaaog52503Q6V6KN1d7", "type": "APPLICATION" },
      "targetPrincipal": { "externalId": "00ufxqCAJWWGELFTYCCC", "type": "OKTA_USER" }
    }
- In the body, "0oaaog52503Q6V6KN1d7" is the application ID and "00ufxqCAJWWGELFTYCCC" is the user ID. Replace them with the IDs of your application and the user you are reverting.
- Run this for each user to revert the user back to Policy.
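The per-user call above, as an added script that is not part of this article or of Okta's own tooling. It assumes the grant is created with an HTTP POST to the URL shown, that the API token is sent as an "Authorization: SSWS <token>" header, and that the domain and token come from environment variables; the ID prefix check rejects swapped arguments before any request is sent.

```python
import json
import os
import urllib.error
import urllib.request

# Assumptions (not stated in the article): POST method, SSWS token auth,
# domain from OKTA_DOMAIN. "example.okta.com" is a placeholder.
OKTA_DOMAIN = os.environ.get("OKTA_DOMAIN", "example.okta.com")
GRANTS_URL = f"https://{OKTA_DOMAIN}/governance/api/v1/grants"


def policy_grant_body(app_id: str, user_id: str) -> dict:
    """Build the body that reverts one user to Policy for one application."""
    # Okta application IDs start with "0oa" and user IDs with "00u";
    # failing early here avoids sending a grant with the IDs swapped.
    if not app_id.startswith("0oa"):
        raise ValueError(f"{app_id!r} does not look like an Okta application ID")
    if not user_id.startswith("00u"):
        raise ValueError(f"{user_id!r} does not look like an Okta user ID")
    return {
        "grantType": "POLICY",
        "target": {"externalId": app_id, "type": "APPLICATION"},
        "targetPrincipal": {"externalId": user_id, "type": "OKTA_USER"},
    }


def revert_users_to_policy(app_id: str, user_ids: list, token: str) -> dict:
    """POST one grant per user; return {user_id: HTTP status or error text}."""
    results = {}
    for user_id in user_ids:
        req = urllib.request.Request(
            GRANTS_URL,
            data=json.dumps(policy_grant_body(app_id, user_id)).encode(),
            headers={"Authorization": f"SSWS {token}",
                     "Content-Type": "application/json",
                     "Accept": "application/json"},
            method="POST",
        )
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                results[user_id] = resp.status
        except urllib.error.HTTPError as exc:
            # Record the failure and keep going so one bad ID does not stop the batch.
            results[user_id] = f"HTTP {exc.code}: {exc.read().decode(errors='replace')[:200]}"
        except urllib.error.URLError as exc:
            results[user_id] = f"network error: {exc.reason}"
    return results


if __name__ == "__main__":
    # Sample IDs taken from the article's body; the token must be set in OKTA_API_TOKEN.
    print(json.dumps(revert_users_to_policy("0oaaog52503Q6V6KN1d7",
                                            ["00ufxqCAJWWGELFTYCCC"],
                                            os.environ["OKTA_API_TOKEN"]), indent=2))
```

A non-2xx status for a user usually means a bad ID or insufficient token privileges; the per-user results let you fix and re-run only those users.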
Related References
- To view feature requests and upvote product enhancement requests, please visit Okta Ideas.
- Guide on using the Okta Identity Governance APIs
- Introducing “Request on Behalf of” for Okta Identity Governance
- Looking for Okta Identity Governance help? Visit the Okta Identity Governance Product Hub or schedule Office Hours with the Okta Identity Governance team.
