<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeCommunityForum
0D54z00007K8XU1CANOkta Classic EngineAPI Access ManagementAnswered2025-10-11T09:00:47.000Z2021-12-06T23:37:28.000Z2021-12-08T06:52:05.000Z

DerickK.08586 (Customer) asked a question.

December 6, 2021 at 11:37 PM
Retrieving the Password Policy for a User via APIs

We are building change password functionality into our application, and I might have a user who is a member of multiple groups.

 

If I want to retrieve the password rules that will apply to the user via APIs, it appears that I need to do the following:

  • Get the user's groups (/api/v1/users/${userId}/groups)
  • Get password policies (/api/v1/policies?type=PASSWORD)
  • Iterate through the password policies until I find a policy that contains a group that my user is a member of

 

Is there a better way to do this?

  • 3 answers
  • 1.41K views

  • b5n6c (b5n6c)

    @DerickK.08586 (Customer)​ , My understanding is that you are looking for password applied to which group, if yes it is available in your api query (/api/v1/policies?type=PASSWORD) itself. it will shows as group id not name of the group.

     

    Image is not available
     

    Jijo

    Expand Post

  • DerickK.08586 (Customer)

    Thanks Jijo, but that is not what I am looking for. Let me try to clarify my question.

     

    Suppose that I have user Sam who is a member of three groups with the following group IDs:

    • 111
    • 222
    • 333

     

    Also suppose that I have 4 password policies:

    • AAA
    • BBB
    • CCC
    • DDD
    • EEE

     

    If I am building a custom "change password" solution, and in my UI I want to enforce the password rules that will apply to Sam, I think that I need to do the following:

    1. Consume the /api/v1/users/${userId}/groups API to retrieve the groups that Sam is a member of. In this case, group IDs 111, 222, and 333 will be returned.
    2. Consume the /api/v1/policies?type=PASSWORD API to get the password policies for my Org. In this case AAA, BBB, CCC, DDD, and EEE will be returned.
    3. Now I will need to iterate from AAA to EEE until I find a password policy that contains either group ID 111, 222, or 333. For example, if policy AAA and BBB do not contain any of Sam's group IDs and policy CCC contains group ID 333, then I will need to use the rules that are defined in policy CCC.

     

    I am hoping that there is an easier way do resolve which password rules I need to use if Sam wants to change their password.

    Expand Post

  • b5n6c (b5n6c)

    @DerickK.08586 (Customer)​ , Thanks for the clarity, I think you should use 4 dedicated groups to apply the password policy.,which will be much simpler solution.

This question is closed.
Loading
Retrieving the Password Policy for a User via APIs