Okta — ARX Docs

Overview¶

The Okta connector integrates with the Okta Management API to provide full identity lifecycle management. It supports 30 operations across 7 API families: Users, Groups, Applications, Authorization Servers, System Log, Domains, and Policies.

All operations are policy-evaluated and audit-logged through the ARX BaseConnector.execute() pipeline before reaching the Okta API.

Connector class: OktaConnector Module: app.connectors.okta

Prerequisites¶

Requirement	Details
Okta org	An Okta tenant (e.g. `https://yourorg.okta.com`)
API token	SSWS API token generated from Security > API > Tokens in the Okta admin console
Vault path	Store credentials as `domain` and `api_token` in the ARX vault

Required Vault Credentials¶

{
  "domain": "https://yourorg.okta.com",
  "api_token": "00ab1cdef..."
}

SDK Usage¶

from app.connectors.okta import OktaConnector

okta = OktaConnector(agent_id="agent-001", org_id="org-acme")

# List users matching an email
users = await okta.list_users(search='profile.email eq "jdoe@acme.com"')

# Get a single user by ID
user = await okta.get_user("00u1a2b3c4d5e6f7g8")

# Create a user
new_user = await okta.create_user(
    first_name="Jane",
    last_name="Doe",
    email="jane.doe@acme.com",
)

# Suspend a user (HIGH risk -- requires policy approval)
await okta.suspend_user("00u1a2b3c4d5e6f7g8")

# List groups and members
groups = await okta.list_groups(search="Engineering")
members = await okta.get_group_members("0gra1b2c3d4e5f6g7")

# Query system logs
logs = await okta.get_logs(since="2025-01-01T00:00:00Z", filter='eventType eq "user.session.start"')

Operations¶

Users (12 operations)¶

Operation	Method	Path	Risk	Description
`users:read`	GET	`/api/v1/users`	LOW	List or search users
`users:read_detail`	GET	`/api/v1/users/{userId}`	LOW	Get user details by user ID
`users:create`	POST	`/api/v1/users`	MEDIUM	Create a new user
`users:update`	PUT	`/api/v1/users/{userId}`	MEDIUM	Update a user profile
`users:deactivate`	POST	`/api/v1/users/{userId}/lifecycle/deactivate`	HIGH	Deactivate a user -- disables login
`users:activate`	POST	`/api/v1/users/{userId}/lifecycle/activate`	MEDIUM	Activate a user
`users:suspend`	POST	`/api/v1/users/{userId}/lifecycle/suspend`	HIGH	Suspend a user -- temporarily disables login
`users:unsuspend`	POST	`/api/v1/users/{userId}/lifecycle/unsuspend`	MEDIUM	Unsuspend a user
`users:reset_password`	POST	`/api/v1/users/{userId}/lifecycle/reset_password`	HIGH	Reset a user's password
`users:clear_sessions`	DELETE	`/api/v1/users/{userId}/sessions`	CRITICAL	Revoke all active sessions for a user
`users:read_factors`	GET	`/api/v1/users/{userId}/factors`	LOW	List enrolled MFA factors for a user
`users:read_apps`	GET	`/api/v1/users/{userId}/appLinks`	LOW	List application links assigned to a user

Groups (8 operations)¶

Operation	Method	Path	Risk	Description
`groups:read`	GET	`/api/v1/groups`	LOW	List or search groups
`groups:read_detail`	GET	`/api/v1/groups/{groupId}`	LOW	Get group details by group ID
`groups:create`	POST	`/api/v1/groups`	MEDIUM	Create a new group
`groups:update`	PUT	`/api/v1/groups/{groupId}`	MEDIUM	Update a group
`groups:delete`	DELETE	`/api/v1/groups/{groupId}`	HIGH	Delete a group
`groups:read_members`	GET	`/api/v1/groups/{groupId}/users`	LOW	List members of a group
`groups:add_member`	PUT	`/api/v1/groups/{groupId}/users/{userId}`	MEDIUM	Add a user to a group
`groups:remove_member`	DELETE	`/api/v1/groups/{groupId}/users/{userId}`	MEDIUM	Remove a user from a group

Applications (4 operations)¶

Operation	Method	Path	Risk	Description
`apps:read`	GET	`/api/v1/apps`	LOW	List applications
`apps:read_detail`	GET	`/api/v1/apps/{appId}`	LOW	Get application details by app ID
`apps:assign_user`	PUT	`/api/v1/apps/{appId}/users/{userId}`	MEDIUM	Assign a user to an application
`apps:remove_user`	DELETE	`/api/v1/apps/{appId}/users/{userId}`	MEDIUM	Remove a user from an application

Authorization Servers (2 operations)¶

Operation	Method	Path	Risk	Description
`authz:read`	GET	`/api/v1/authorizationServers`	LOW	List authorization servers
`authz:read_policies`	GET	`/api/v1/authorizationServers/{authServerId}/policies`	LOW	List policies for an authorization server

System Log (1 operation)¶

Operation	Method	Path	Risk	Description
`logs:read`	GET	`/api/v1/logs`	LOW	Query system log events

Domains (1 operation)¶

Operation	Method	Path	Risk	Description
`domains:read`	GET	`/api/v1/domains`	LOW	List verified custom domains

Policies (2 operations)¶

Operation	Method	Path	Risk	Description
`policies:read`	GET	`/api/v1/policies`	LOW	List policies
`policies:read_rules`	GET	`/api/v1/policies/{policyId}/rules`	LOW	List rules for a policy

Risk Classifications¶

Level	Operations	Rationale
LOW	All read operations, log queries, factor/app listing	No state changes; safe for autonomous execution
MEDIUM	Create/update users and groups, activate, unsuspend, assign/remove app users, add/remove group members	Modifies state but is reversible or low-blast-radius
HIGH	`users:deactivate`, `users:suspend`, `users:reset_password`, `groups:delete`	Disables user access or removes groups; may require HITL approval
CRITICAL	`users:clear_sessions`	Immediately revokes all active authentication state for a user; always requires approval

Policy Examples¶

Allow read-only Okta access for SOC agents¶

- name: okta-readonly-soc
  connector: okta
  operations:
    - "users:read*"
    - "groups:read*"
    - "apps:read*"
    - "authz:read*"
    - "logs:read"
    - "domains:read"
    - "policies:read*"
  risk_max: low
  approval: none

Allow user lifecycle management with approval for HIGH actions¶

- name: okta-user-lifecycle
  connector: okta
  operations:
    - "users:*"
  risk_max: high
  approval:
    medium: auto
    high: hitl
    critical: hitl
  hitl_channel: "#sec-approvals"

Block all destructive operations¶

- name: okta-no-destructive
  connector: okta
  deny:
    - "users:deactivate"
    - "users:suspend"
    - "users:clear_sessions"
    - "users:reset_password"
    - "groups:delete"