
MatthewH.10249 (State of Iowa) asked a question.
I created an Event Hook "iam.resourceset.bindings.add" that calls a Workflow I created to onboard new admins. We have hundreds of apps per tenant and many times that number of groups. We typically assign App Admin and Group Membership Admin roles to one or 2 business/technical staff associated with each project so they can fine tune app configurations and deal with user assignments as needed. What I'm wanting to do is, when they get assigned an admin role, have an email sent to them with the roles they were granted along with a link to instructions on how to perform a common task for their role.
I have the Event Hook and Workflow running and things are working as I would expect with one exception. It appears that the "created date" for each admin role assigned is updated every time a change is made to any admin role for this user. So for example if User 1 was granted App Admin for App 1 on 2/1/2023 the created timestamp would show that at that moment but when any kind of change occurs related to any admin role for this user the created timestamp changes even when App Admin for App 1 role assignment was not touched.
Anyone else seeing this behavior? Am I understanding the following Event Type incorrectly? To me this reads as if it should only trigger on adds, but it seems to be triggering on adds, updates and deletes and changing the "created" timestamp on all assignments, old and new.
https://developer.okta.com/docs/reference/api/event-types/#catalog
"iam.resourceset.bindings.add
Admin role assignment is created. This event can be used to track and audit when a new admin role assignment is created. When fired this event contains information about the new user or group admin assignments for roles associated with the resource set."

@MatthewH.10249 (State of Iowa)
You can try adding an application administrator, then check the system log:
eventType eq "user.account.privilege.grant"
debugContext.debugData.privilegeGranted eq "Application administrator"
Maybe you can try this condition.
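To see what the suggested System Log filter actually selects, here is a small added example (not from this thread or from Okta) that evaluates `attr eq "value"` clauses joined by `and` against a handful of constructed events; the event JSON shape and the "Group Membership administrator" and revoke values are assumptions for illustration.

```python
import json
import re
from typing import Any, List, Tuple

# Constructed sample events (shape assumed; not real tenant data).
SAMPLE_EVENTS = json.loads("""
[
 {"eventType": "user.account.privilege.grant",
  "published": "2023-02-01T15:04:05.000Z",
  "debugContext": {"debugData": {"privilegeGranted": "Application administrator"}}},
 {"eventType": "user.account.privilege.grant",
  "published": "2023-02-02T09:00:00.000Z",
  "debugContext": {"debugData": {"privilegeGranted": "Group Membership administrator"}}},
 {"eventType": "user.account.privilege.revoke",
  "published": "2023-02-03T10:00:00.000Z",
  "debugContext": {"debugData": {"privilegeRevoked": "Application administrator"}}}
]
""")

# The two conditions from the reply above, combined into one filter expression.
THREAD_FILTER = ('eventType eq "user.account.privilege.grant" and '
                 'debugContext.debugData.privilegeGranted eq "Application administrator"')

CLAUSE_RE = re.compile(r'^\s*([\w.]+)\s+eq\s+"([^"]*)"\s*$')


def parse_filter(expr: str) -> List[Tuple[str, str]]:
    """Split a filter into (dotted_path, value) pairs; only `eq` and `and` are supported."""
    clauses = []
    for part in re.split(r'\s+and\s+', expr.strip()):
        m = CLAUSE_RE.match(part)
        if not m:
            raise ValueError(f"unsupported clause: {part!r}")
        clauses.append((m.group(1), m.group(2)))
    return clauses


def lookup(event: dict, dotted_path: str) -> Any:
    """Walk a dotted path such as debugContext.debugData.privilegeGranted; None if absent."""
    node: Any = event
    for key in dotted_path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def filter_events(events: List[dict], expr: str) -> List[dict]:
    """Return the events for which every clause of the filter matches exactly."""
    clauses = parse_filter(expr)
    return [e for e in events if all(lookup(e, p) == v for p, v in clauses)]
```

Running `filter_events(SAMPLE_EVENTS, THREAD_FILTER)` keeps only the first event; the revoke event has no `privilegeGranted` key, so the second clause never matches it.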
Thanks for your feedback! I looked at the logs, but it appears that (eventType eq "user.account.privilege.grant") pulls back all admin role transactions, even ones where an admin role was removed. In addition, it still appears that the admin roles' "created" timestamp gets set to the current timestamp for all assigned roles, regardless of whether they were added way in the past. I could somewhat understand the last updated timestamp changing on the older past assignments, but I don't think the created timestamp should be changing.
I've opened an Okta support case (01660193) on this matter focusing on 2 issues: 1. Created timestamp changing on existing assigned roles. 2. Admin role deletes are triggering the Event Hook "iam.resourceset.bindings.add". I don't think it should, but would expect that it would trigger "iam.resourceset.bindings.delete".
If someone is looking for security-focused Okta Event Types to search on, here is a nice little cheat sheet: https://github.com/OktaSecurityLabs/CheatSheets/blob/master/SecurityEvents.md
Here is a list of all Okta Event Types: https://developer.okta.com/docs/reference/api/event-types/#catalog
One correction: my Event Hook is not using "iam.resourceset.bindings.add" but rather "user.account.privilege.grant". All the issues I've previously described are still valid; I just mentioned the wrong Event Type I'm using in my Event Hook.