Okta

This documentation for the Okta integration describes the technical capabilities of this integration, including authorization, scopes/permissions, and utilized endpoints. For more information on how to integrate Okta, visit our connection instructions.

Version

This integration utilizes the Okta Developer API v1.

Base URL

The base URL used for all Okta API endpoints contains the Organization domain (tenant) and API Version:

https://domain/api/api_version/

---

Authentication & Authorization

The DataGrail Okta integration connects using token authentication which requires an API Token.

Sensitive Credentials

Publicly exposing your API credentials can allow unauthorized access to Okta API endpoints by a third party. DataGrail stores your API credentials encrypted and protected.

Scopes

The Okta integration requires specific scopes that must be granted in order to function for a given capability.

Scope	Access	Deletion	System Detection
Read Only Administrator	✅		✅
Super Administrator		✅

Endpoints Utilized

DataGrail uses the following endpoints to authorize and test the connection:

Method	Endpoint	Purpose	Docs
GET	/users/me	Check successful connection

---

Limits

Limits in Okta are calculated using the leaky bucket algorithm. All requests that are made after rate limits have been exceeded are throttled and an HTTP 429 Too Many Requests error is returned. Requests succeed again after enough requests have emptied out of the bucket.

• DataGrail supports requests throttling to stay within 70-80% of specified service rate limits.
• DataGrail processes API responses with HTTP 429 status to interrupt requests, waiting and retrying (using an exponential backoff strategy).

---

Capabilities

Access

DataGrail's Okta integration provides Synchronous Access capabilities for the following supported identifier category: Email.

Data Interactions

For Access requests, DataGrail will take the following actions:

1. Search for a User whose primary email, secondary email, or first name matches the Data Subject email.
2. If a match is found, DataGrail will return all available fields.

Endpoints Utilized

Method	Endpoint	Purpose	Docs
GET	/users	Search user by email

---

Deletion

DataGrail's Okta integration provides Synchronous Deletion capabilities for the following supported identifier category: Email.

Data Interactions

For Deletion requests, DataGrail will take the following actions:

1. Check if the Admin User who created the API token has the required ADMINS_CAN_DELETE permission.
2. Deactivate the User if the Admin User has required permissions.
3. Delete the User and ensure data associated with this email will be removed from the Okta project and prevent future data collection.

Endpoints Utilized

Method	Endpoint	Purpose	Docs
DEL	/users	Delete user by ID
GET	/users/lifecycle/deactivate	Deactivate the user
GET	/users/roles	Verify if user can be deleted

---

System Detection

DataGrail provides continuous system detection, delivering a real-time inventory of your data assets.

Data Interactions

DataGrail's System Detection process runs once daily and performs the following actions:

• Read Apps to detect new systems added to your organization.

Endpoints Utilized

Method	Endpoint	Purpose	Docs
GET	/apps	Read apps

---