<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeCommunityForum
0D54z000074uhw6CAAOkta Classic EngineAdministrationAnswered2024-04-03T16:09:08.000Z2021-07-22T21:17:50.000Z2021-10-25T23:26:14.000Z

MatthewH.10249 (State of Iowa) asked a question.

July 22, 2021 at 9:17 PM
Looking for API request structure to add user as APP_ADMIN for specific apps

I'm looking for an API request structure to add a user as APP_ADMIN for specific apps. I found the roles API that looks to be sort of what I'm after as I was able to add a user as an APP_ADMIN for "ALL" apps but I want to only add them to a specific app. These specific apps could be any custom Bookmark, OIDC, SAML, etc apps.

 

Roles API: https://developer.okta.com/docs/reference/api/roles/

 

To add a user as admin for all apps I performed a POST using {{url}}/api/v1/users/{{userid}}/roles with a body of { "type": "APP_ADMIN" } and that worked but not what I need. I'm creating a request process via ServiceNow that users will be able to request a new app (Bookmark, SWA, OIDC, SAML) be created automatically and then grant the requestor admin rights to the new app.

 

My hope is that I can somehow add the client id of a specific new app that I want to use in the body but I'm not seeing how to do this or any other options.

  • 5 answers
  • 686 views

  • bogdan.bangu1.5083867746981602E12 (Okta, Inc.)

    You can use PUT {{url}}/api/v1/users/{{userId}}/roles/{{roleId}}/targets/catalog/apps/{{appName}}- Add App Target for App Admin Role. When you add the first App target, you reduce the scope of the role assignment. The Role no longer applies to all App targets, but applies only to the specified target.

    For example:

    curl -v -X PUT \

    -H "Accept: application/json" \

    -H "Content-Type: application/json" \

    -H "Authorization: SSWS ${api_token}" \

    "https://${yourOktaDomain}/api/v1/users/00u6fud33CXDPBXULRNG/roles/KVJUKUS7IFCE2SKO/targets/catalog/apps/amazon_aws"

    The admin will have app admin permissions to all amazon_aws if you have multiple application. You cannot add application ID, can only use {appName}.

    Expand Post

    • MatthewH.10249 (State of Iowa)

      Thanks for the reply. I was aware of the API call you mentioned but it was not what I needed for my usecase. I need the user to be assigned "app_admin" role to only admin one specific app whereas your suggestion allows them to be "app_admin" for all apps of a given app role type. The following image shows the outcome of using the API as you suggested for several of the app types I'm interested in using but note it states "ALL" which I do not desire. I guess I'll put in a feature request or upvote one if it already exists.

       

      addedapps 

      For anyone that comes across this post you must manually assign a role to a user and then use /api/v1/users/${userId}/roles to fetch the role id for roles like "app_admin" as they are not documented. The following post helped me figure this out. https://support.okta.com/help/s/question/0D50Z00008G7Vbn/get-role-id-from-rest-api?language=en_US

       

      Lastly, I'm not sure if there is a list of app names somewhere else for the generic templates I was looking for but to help others and myself down the road, I found them by doing a search on the following page for "name": https://developer.okta.com/docs/reference/api/apps/#settings

      Here are some of the names I found: bookmark, template_basic_auth, okta_org2org, cornerstone, template_swa, template_swa3field, template_sps, template_wsfed, oidc_client.

       

      For apps in the app catalog you can type in the name you see on the app card and it might work for ones like workday but for others like Salesforce.com and Google Workspace it will not be that simple. Someone may correct me on this but I think the only way to get the name of these apps is to manually create one in your tenant and then call {{url}}/api/v1/apps and search through the results to find it.

      Expand Post

  • MatthewH.10249 (State of Iowa)

    Found what I was looking for as an API already exists.

     

    /api/v1/users/${userId}/roles/${roleId}/targets/catalog/apps/${appName}/${appInstanceId} https://developer.okta.com/docs/reference/api/roles/#add-an-app-instance-target-to-an-app-administrator-role-given-to-a-user

     

    To help others the ${appName} is something like "bookmark", "oidc_client", "amazonaws" and not the custom name you gave the app. I feel ${appType} would have been a better label. The ${appInstanceId} is the key I was looking for and allows you to identify just one specific app.

    Expand Post
    Selected as Best
This question is closed.
Loading
Looking for API request structure to add user as APP_ADMIN for specific apps