
2vvfu (2vvfu) asked a question.
We'd like to regularly get, or generate, reports of user app permissions for audit.
We know the API can provide lists of users, and lists of groups, and even users in groups, but we think it does not provide "permissions assigned to a group". This means we can never say, in a programmatic way "what permissions do users have".
Can we get that as a report somehow, even by using the API?
NB, we want a full snapshot of all users in the company - we don't want the timeline audit.
Thanks!

Hello Harry,
I've escalated your question to our Customer Support team. They will respond to you shortly here.
Thanks!
Tim
Okta, Inc.

Hi Harry,
Thank you for contacting the Okta community. Are you trying to get the Administrator roles for all users? If that's the case, you can use the List Roles API to list all Roles assigned to a User, and use a script to list roles for all users. You can also List Roles assigned to a group via the API. If you have any additional questions, please open a support case with us so we can assist you further.
Thank You,
Daisy Sun
Technical Support Engineer
Okta Global Customer Care

Hi @daisy.sun1.5046410359822651E12 (Okta, Inc.),
Thanks for looking at this. It's nothing to do with the Administrators, no.
We'd like to regularly get, or generate, reports of user app *permissions* for audit.
What we can do:
1) List users
2) List groups
3) List users in groups
4) List applications
5) List applications assigned to groups
What we can't do:
1) List the permissions a group has for an application
This is important for audit purposes. E.g., we create an Expenses SSO application, and assign it to the group "Employees" with the permission "Create Expenses". We then assign it to the group Managers with permission "Approve Expenses".
How can we get a snapshot-in-time of who has the ability to "Approve Expenses"? We can snapshot who was in the Managers group, but that group's permissions may change.
We would not be able to demonstrate, in an audit, what permissions (not just groups) a user had at the time.
I have received a response that this is not possible:
~~~~~~~~~~~~
Unfortunately, what you are requesting is not possible at this time, since we do not offer any type of reports for permissions assigned to a group. This is more of a feature request option that is not available at this time.
As a suggestion, you may want to implement a 3rd party customer Identity access management to provide this information to you. If you want Okta to have this type of report/configuration, you can do this on the Okta Community page at https://community.okta.com or https://support.okta.com/help/s/ideas?language=en_US by going to Product -> Ideas -> Post Idea.
Features suggested in our community are reviewed and can be voted and commented on by other members of the community, therefore making it much easier for the engineering team to understand the priorities that you have for feature requests.
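An added example, not part of the thread and not Okta's code: the five list operations the poster can run, joined into one timestamped snapshot with a digest an auditor can re-check. The sample data and simplified field names are constructed assumptions, and the result records which group granted each app, not the permission that group holds in the app, which is the gap the thread describes.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample data standing in for the results of the five list
# operations named in the thread. Field names are simplified assumptions.
USERS = [{"id": "u1", "login": "alice@example.com"},
         {"id": "u2", "login": "bob@example.com"},
         {"id": "u3", "login": "carol@example.com"}]
GROUPS = [{"id": "g1", "name": "Employees"}, {"id": "g2", "name": "Managers"}]
GROUP_MEMBERS = {"g1": ["u1", "u2", "u3"], "g2": ["u2"]}   # users in groups
APPS = [{"id": "a1", "label": "Expenses"}]
APP_GROUPS = {"a1": ["g1", "g2"]}                          # apps assigned to groups


def build_snapshot(users, groups, group_members, apps, app_groups, taken_at):
    """Join the five lists into one row per (user, app, granting group)."""
    login = {u["id"]: u["login"] for u in users}
    gname = {g["id"]: g["name"] for g in groups}
    rows = []
    for app in apps:
        for gid in app_groups.get(app["id"], []):
            for uid in group_members.get(gid, []):
                # Fall back to the raw id if a member is missing from the user list.
                rows.append({"user": login.get(uid, uid),
                             "app": app["label"],
                             "via_group": gname.get(gid, gid)})
    rows.sort(key=lambda r: (r["user"], r["app"], r["via_group"]))
    body = {"taken_at": taken_at, "rows": rows}
    # Digest over canonical JSON lets an auditor confirm a stored snapshot is unaltered.
    digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    return {**body, "sha256": digest}


def users_with_app_via(snapshot, app, group):
    """Users who held `app` through `group` at the time of the snapshot."""
    return sorted(r["user"] for r in snapshot["rows"]
                  if r["app"] == app and r["via_group"] == group)


if __name__ == "__main__":
    snap = build_snapshot(USERS, GROUPS, GROUP_MEMBERS, APPS, APP_GROUPS,
                          datetime.now(timezone.utc).isoformat())
    print(json.dumps(snap, indent=2))
```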