
1fj3q (1fj3q) asked a question.
I'm not able to find a direct API call which can retrieve the app group(s) of which a user is memberOf. The only API I found was /api/v1/users/${userId}/groups, which retrieves all the groups assigned to a user, and then the Client will need to filter based on the app. This becomes challenging when a user has access to multiple apps and each app has multiple groups.
I'm looking for an API end point which can return user groups for a particular app.

If you're looking for an end point that will return the groups assigned to an application you can get that from the following:
{{url}}/api/v1/apps/{{appId}}/groups
{{url}}/api/v1/apps/{{appId}}/groups retrieves groups for an app only, but I'm looking to retrieve the groups associated with an app for a User.
I'm not aware of an end point that returns that specific information. You'd need to programmatically compare the groups assigned to a user to the groups assigned to the application.
Joe
That becomes a challenge when customers have ~100 apps and when each application needs to retrieve group membership to implement fine-grained app permissions. If each app has app groups specific to the location where the user works, then the number of group members increases exponentially and will cause a performance impact.
I am interested in this as well. I can't find a reliable or relatively simple way to remove a user from an app if they were assigned the app via a group or group rule. This seems like a fundamental need for most organizations since this is most likely how security and IT teams will programmatically unassign inactive users from certain apps if they haven't authenticated to them in X amount of time. I have no problem using the API to get the lastLogin for an app, getting all of the user's groups, and other prerequisite info, but if I need to remove a user from an application, I can't just use the 'Remove user from application' endpoint because Okta doesn't allow unassigning an app from someone if they were assigned that application via a group or group rule. We need an endpoint to remove a user from an application group by providing only userID and appID. When a user is assigned to 50+ groups looping through and doing app_group comparisons is painful. If anyone knows a better way to accomplish this, let me know.
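The comparison described in this thread, as an added example that is not code from any poster or from Okta: it pages through both endpoints named above, intersects them on group id, and separates matches whose membership can be changed in Okta. The `get` callable, the sample ids and the `priority`/`type` field usage are assumptions, and the responses are constructed.

```python
def paginate(get, url):
    """Yield every item; get(url) returns (items, next_url_or_None)."""
    while url:
        items, url = get(url)
        yield from items


def groups_granting_app(get, base, user_id, app_id):
    """Groups the user is in that are also assigned to the app, by priority."""
    # In an app group assignment, `id` is the group id.
    assigned = {a["id"]: a.get("priority", 0)
                for a in paginate(get, f"{base}/api/v1/apps/{app_id}/groups")}
    hits = [g for g in paginate(get, f"{base}/api/v1/users/{user_id}/groups")
            if g["id"] in assigned]
    return sorted(hits, key=lambda g: assigned[g["id"]])


def removal_plan(groups):
    """Split matches by whether the membership can be changed in Okta."""
    # Assumption: only OKTA_GROUP memberships are editable through Okta;
    # APP_GROUP membership is owned by the source directory or app.
    editable = [g["id"] for g in groups if g["type"] == "OKTA_GROUP"]
    external = [g["id"] for g in groups if g["type"] != "OKTA_GROUP"]
    return editable, external


# Constructed sample responses (not real tenant data); user side has 2 pages.
BASE = "https://example.okta.invalid"
USER, APP = "00uUSER", "0oaAPP"
PAGES = {
    f"{BASE}/api/v1/apps/{APP}/groups": (
        [{"id": "00gSALES", "priority": 1}, {"id": "00gAD", "priority": 0},
         {"id": "00gOTHER", "priority": 2}], None),
    f"{BASE}/api/v1/users/{USER}/groups": (
        [{"id": "00gEVERYONE", "type": "BUILT_IN"},
         {"id": "00gSALES", "type": "OKTA_GROUP"}],
        f"{BASE}/api/v1/users/{USER}/groups?after=00gSALES"),
    f"{BASE}/api/v1/users/{USER}/groups?after=00gSALES": (
        [{"id": "00gAD", "type": "APP_GROUP"},
         {"id": "00gHR", "type": "OKTA_GROUP"}], None),
}


def fake_get(url):
    """Stand-in for an authenticated HTTP GET that follows Okta's next link."""
    return PAGES[url]


if __name__ == "__main__":
    matched = groups_granting_app(fake_get, BASE, USER, APP)
    print([g["id"] for g in matched], removal_plan(matched))
```

Building the app-side lookup once keeps the comparison to a single pass over each list, so a user in 50+ groups costs one dictionary lookup per group rather than a nested loop.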