Okta
Authentication & Authorization
Credentials
- DataGrail authenticates to Okta with Okta's custom HTTP authentication scheme, SSWS. Every request carries a valid API token in the HTTP Authorization header using the SSWS scheme (Authorization: SSWS {API_TOKEN}).
- The API key (API token) is generated by an Okta admin user in Okta's API configuration (Security > API > Tokens in the Okta Admin Console) and entered into the DataGrail integration (see DataGrail Help Docs).
- Publicly exposing your API token allows a third party to call the Okta API endpoints and read or modify your Okta data with the privileges of the admin who created the token. DataGrail stores your API credentials encrypted and protected. If a token is ever exposed, revoke it in Okta and generate a new one.
Permissions
Different Okta API operations require different admin privilege levels. An API token inherits the privilege level of the admin account used to create it, so the Okta admin user who creates the API key (API token) should hold either the "Super Administrator" or the "Read Only Administrator" role (see DataGrail Help Docs).
If you select the "Read Only Administrator" role, the DataGrail integration will not perform deletion requests (deactivation and deletion of your Okta users). Choose that role unless you need DataGrail to process deletion requests, so the token carries no more privilege than the integration uses.
Base URL
All request URLs are prefixed with your organization's domain (tenant) and the API version: https://{DOMAIN}/api/{API_VERSION}/
Your organization's domain (tenant) can be found in your Okta API configuration (see DataGrail Help Docs).
Endpoints Utilized
DataGrail uses the following endpoint to verify the API connection:
- GET https://{DOMAIN}/api/v1/users/me
Version
Okta integration currently supports version 1 (v1).
Limits
- DataGrail respects Okta's rate limits and the rate-limit headers Okta returns, following Okta's best practices.
- When an API response has HTTP status 429, DataGrail stops sending requests, waits, and retries using an exponential backoff strategy.
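The two points above, the SSWS Authorization header and the 429 handling, as an added example in Python. This is not DataGrail's or Okta's code; it assumes the standard Okta behaviour that every request carries Authorization: SSWS {API_TOKEN} and that a rate-limited response is HTTP 429 whose X-Rate-Limit-Reset header holds the epoch second at which the limit window resets. The HTTP transport, clock and sleep are injected so the example runs offline; the domain, token and user id in it are made up.

```python
"""Minimal Okta REST client: SSWS authentication plus HTTP 429 handling.

Added example, not DataGrail's or Okta's code. Assumes Okta's documented
behaviour: `Authorization: SSWS <token>` on every request, and a 429 whose
`X-Rate-Limit-Reset` header gives the epoch second the window resets.
"""
import random
import time
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: Any = None


class RateLimitExceeded(Exception):
    """Retries exhausted; carries the last 429 response for diagnostics."""

    def __init__(self, response: Response):
        super().__init__("Okta rate limit still exceeded after retries")
        self.response = response


# transport(method, url, headers) -> Response; injected so tests stay offline
Transport = Callable[[str, str, Dict[str, str]], Response]


class OktaClient:
    def __init__(self, domain: str, token: str, transport: Transport, *,
                 api_version: str = "v1", max_retries: int = 5,
                 base_delay: float = 1.0, max_delay: float = 60.0,
                 sleep=time.sleep, now=time.time, jitter=random.random):
        self.domain, self.transport, self.api_version = domain, transport, api_version
        self._token = token            # secret: never logged, never in repr
        self.max_retries, self.base_delay, self.max_delay = max_retries, base_delay, max_delay
        self.sleep, self.now, self.jitter = sleep, now, jitter

    def __repr__(self) -> str:
        return f"OktaClient(domain={self.domain!r}, token=<redacted>)"

    def url(self, path: str) -> str:
        return f"https://{self.domain}/api/{self.api_version}/{path.lstrip('/')}"

    def request(self, method: str, path: str) -> Response:
        headers = {"Authorization": f"SSWS {self._token}", "Accept": "application/json"}
        delay, last = self.base_delay, None
        for attempt in range(self.max_retries + 1):
            resp = self.transport(method, self.url(path), headers)
            if resp.status != 429:
                return resp
            last = resp
            if attempt == self.max_retries:
                break
            # Prefer Okta's own reset time; fall back to exponential backoff.
            reset = resp.headers.get("X-Rate-Limit-Reset")
            wait = max(0.0, float(reset) - self.now()) if reset else delay
            self.sleep(wait + self.jitter() * 0.5)   # jitter de-synchronises workers
            delay = min(delay * 2, self.max_delay)
        raise RateLimitExceeded(last)

    def verify_connection(self) -> Response:
        """The connection check described on this page: GET /users/me."""
        return self.request("GET", "/users/me")


def make_fake_transport(limited_calls: int, now: Callable[[], float]) -> Transport:
    """Constructed stand-in for the network: 429 for the first `limited_calls`
    requests, then 200. Records every Authorization header it was sent."""
    calls: List[str] = []

    def transport(method: str, url: str, headers: Dict[str, str]) -> Response:
        calls.append(headers["Authorization"])
        if len(calls) <= limited_calls:
            return Response(429, {"X-Rate-Limit-Reset": str(int(now()) + 3)},
                            {"errorCode": "E0000047"})   # Okta's rate-limit error code
        return Response(200, {}, {"id": "00u0000000000000demo",   # hypothetical id
                                  "profile": {"login": "admin@example.com"}})

    transport.calls = calls   # type: ignore[attr-defined]
    return transport


def demo(limited_calls: int = 2, max_retries: int = 5) -> Dict[str, Any]:
    """Drive the client against the fake transport with a simulated clock."""
    clock, sleeps = [1_700_000_000.0], []

    def fake_sleep(seconds: float) -> None:
        sleeps.append(seconds)
        clock[0] += seconds

    transport = make_fake_transport(limited_calls, lambda: clock[0])
    client = OktaClient("example.okta.com", "hypothetical-token", transport,
                        max_retries=max_retries, sleep=fake_sleep,
                        now=lambda: clock[0], jitter=lambda: 0.0)
    try:
        resp = client.verify_connection()
    except RateLimitExceeded as exc:
        resp = exc.response
    return {"status": resp.status, "calls": len(transport.calls),
            "sleeps": sleeps, "auth_headers": set(transport.calls)}
```

With two throttled responses the client sleeps until each advertised reset and succeeds on the third call; when the limit never clears it stops after max_retries and surfaces the last 429 instead of looping forever. The token is held in a private attribute and excluded from repr so it does not leak into logs or tracebacks.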
Access
For an access request, DataGrail will take the following actions:
- DataGrail searches for a user whose primary email, secondary email, or first name matches the email address of the Data Subject provided in the request.
- For every object found, DataGrail returns all available fields. You can choose which objects and fields are provided to the Data Subject via Portal Requests.
Endpoints Utilized
- GET https://{DOMAIN}/api/v1/users
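How the user lookup for an access request can be built safely, as an added example in Python (not DataGrail's code). It assumes the search query parameter on GET /api/v1/users accepts the expression profile.email eq "<address>" or profile.secondEmail eq "<address>" and returns a JSON list of user objects with id and profile; the HTTP GET is an injected function and the sample users are constructed. Two practitioner points are shown: the address is validated before it is interpolated into the search expression, and the match is re-checked client-side so nothing beyond the Data Subject's own records is disclosed.

```python
"""Locate the Okta users an access request refers to.

Added example, not DataGrail's code. Assumes Okta's `search` parameter on
GET /api/v1/users accepts `profile.email eq "<addr>" or profile.secondEmail
eq "<addr>"` and answers with a JSON list of users. Sample data is made up.
"""
import re
from typing import Callable, Dict, List
from urllib.parse import urlencode

# The address is interpolated into a filter expression. Rather than trying
# to escape Okta's expression syntax, refuse anything outside a strict
# e-mail shape, so quotes, spaces and operators can never get in.
_SAFE_EMAIL = re.compile(
    r"^[A-Za-z0-9._%+\-]+@[A-Za-z0-9\-]+(\.[A-Za-z0-9\-]+)*\.[A-Za-z]{2,}$")


def is_searchable(email: str) -> bool:
    return bool(_SAFE_EMAIL.match(email))


def build_user_search(email: str, limit: int = 200) -> str:
    """Path and query for the search; 200 is the largest page Okta returns."""
    if not is_searchable(email):
        raise ValueError("refusing to build a search expression from this address")
    expr = f'profile.email eq "{email}" or profile.secondEmail eq "{email}"'
    return "/users?" + urlencode({"search": expr, "limit": limit})


def find_subject_users(fetch_json: Callable[[str], List[Dict]], email: str) -> List[Dict]:
    """Users whose primary or secondary email equals `email`.

    Equality is re-checked here (case-insensitively) so a looser server-side
    match, or a mistake in the expression, cannot widen the access response.
    """
    wanted = email.lower()
    matches = []
    for user in fetch_json(build_user_search(email)):
        profile = user.get("profile", {})
        emails = {v.lower() for v in (profile.get("email"), profile.get("secondEmail")) if v}
        if wanted in emails:
            matches.append(user)
    return matches


# Constructed sample response: two true matches (one via secondEmail) and a
# decoy whose address merely contains the requested one.
SAMPLE_USERS = [
    {"id": "00u1", "status": "ACTIVE",
     "profile": {"login": "alice@example.com", "email": "Alice@example.com"}},
    {"id": "00u2", "status": "ACTIVE",
     "profile": {"login": "a.smith@example.com", "email": "a.smith@example.com",
                 "secondEmail": "alice@example.com"}},
    {"id": "00u3", "status": "ACTIVE",
     "profile": {"login": "malice@example.com", "email": "malice@example.com"}},
]


def fake_fetch(path: str) -> List[Dict]:
    """Stand-in for the HTTP GET; returns the whole sample list regardless of query."""
    return list(SAMPLE_USERS)


def demo(email: str = "alice@example.com") -> List[str]:
    """Ids of the users that would be included in the access response."""
    return [u["id"] for u in find_subject_users(fake_fetch, email)]
```

Pagination is left out: Okta returns further pages through a Link header with rel="next", and a production lookup follows it before applying the same client-side check to each page.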
Deletion
For a deletion request, DataGrail will take the following actions:
- Check whether the admin user who created the API key (API token) holds the required "ADMINS_CAN_DELETE" permission.
- If the admin user has the required permission, deactivate the user.
- Once the user is deactivated, delete the user with a synchronous deletion API call.
- Once the deletion completes, the data associated with this email is removed from your Okta org, which also prevents future data collection about the Data Subject in Okta.
Endpoints Utilized
- GET https://{DOMAIN}/api/v1/users/{ADMIN_ID}/roles
- POST https://{DOMAIN}/api/v1/users/{USER_ID}/lifecycle/deactivate
- DELETE https://{DOMAIN}/api/v1/users/{USER_ID}
Deactivation precedes deletion because Okta only permanently deletes a user whose status is already DEPROVISIONED; a DELETE sent to an active user deactivates the user instead of removing it.
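The three deletion steps end to end, as an added example in Python (not DataGrail's or Okta's code). It assumes the Okta semantics stated in Okta's documentation: GET /users/{id}/roles lists an admin's roles with a type such as SUPER_ADMIN or READ_ONLY_ADMIN, POST /users/{id}/lifecycle/deactivate moves a user to DEPROVISIONED, and DELETE /users/{id} removes only a user that is already DEPROVISIONED while merely deactivating an active one. Treating SUPER_ADMIN as the only role that carries the ADMINS_CAN_DELETE permission is this example's assumption, as is the extra GET /users/{id} it uses to confirm the record is really gone. The in-memory org is a constructed stand-in for Okta.

```python
"""Deletion flow: role check, deactivate, delete, verify.

Added example, not DataGrail's or Okta's code. The role-to-permission mapping
and the post-delete GET are assumptions; the org below is constructed.
"""
from typing import Dict, List, Tuple

DELETE_CAPABLE_ROLES = {"SUPER_ADMIN"}   # assumption: roles treated as ADMINS_CAN_DELETE

# api(method, path) -> (http status, decoded JSON body or None)


class FakeOktaOrg:
    """Implements just the endpoints the deletion flow touches."""

    def __init__(self, users: Dict[str, str], roles: Dict[str, List[str]]):
        self.users = dict(users)    # user id -> lifecycle status
        self.roles = roles          # user id -> list of admin role types
        self.log: List[Tuple[str, str]] = []

    def __call__(self, method: str, path: str):
        self.log.append((method, path))
        parts = path.strip("/").split("/")
        uid = parts[1] if len(parts) > 1 and parts[0] == "users" else None
        if uid is None or uid not in self.users:
            return 404, {"errorCode": "E0000007"}   # Okta: resource not found
        if method == "GET" and parts[2:] == ["roles"]:
            return 200, [{"type": t, "status": "ACTIVE"} for t in self.roles.get(uid, [])]
        if method == "GET" and len(parts) == 2:
            return 200, {"id": uid, "status": self.users[uid]}
        if method == "POST" and parts[2:] == ["lifecycle", "deactivate"]:
            self.users[uid] = "DEPROVISIONED"
            return 200, {}
        if method == "DELETE" and len(parts) == 2:
            if self.users[uid] != "DEPROVISIONED":
                self.users[uid] = "DEPROVISIONED"   # DELETE on an active user only deactivates
            else:
                del self.users[uid]                  # DELETE on a deprovisioned user is permanent
            return 204, None
        return 405, None


def process_deletion(api, admin_id: str, user_id: str) -> str:
    """Run the page's deletion steps; returns a short outcome label."""
    status, roles = api("GET", f"/users/{admin_id}/roles")
    if status != 200:
        raise RuntimeError(f"cannot read roles of {admin_id}: HTTP {status}")
    if not DELETE_CAPABLE_ROLES & {r["type"] for r in roles}:
        return "skipped: token owner lacks deletion permission"
    status, user = api("GET", f"/users/{user_id}")
    if status == 404:
        return "not found"
    if user["status"] != "DEPROVISIONED":
        status, _ = api("POST", f"/users/{user_id}/lifecycle/deactivate")
        if status != 200:
            raise RuntimeError(f"deactivate failed: HTTP {status}")
    status, _ = api("DELETE", f"/users/{user_id}")
    if status != 204:
        raise RuntimeError(f"delete failed: HTTP {status}")
    # A 204 alone is not proof of erasure: DELETE on a still-active user is
    # also answered 204 but only deactivates. Confirm the record is gone.
    status, _ = api("GET", f"/users/{user_id}")
    if status != 404:
        raise RuntimeError("user still present after DELETE; not reporting as erased")
    return "deleted"


def build_org() -> FakeOktaOrg:
    """Constructed org: one super admin, one read-only admin, one Data Subject."""
    return FakeOktaOrg(
        users={"admin-super": "ACTIVE", "admin-ro": "ACTIVE", "subject": "ACTIVE"},
        roles={"admin-super": ["SUPER_ADMIN"], "admin-ro": ["READ_ONLY_ADMIN"]},
    )


def demo(admin_id: str) -> Tuple[str, List[str], Dict[str, str]]:
    """Outcome, the HTTP methods issued in order, and the org's remaining users."""
    org = build_org()
    outcome = process_deletion(org, admin_id, "subject")
    return outcome, [m for m, _ in org.log], org.users


def naive_delete_status() -> str:
    """What a single DELETE against an active user leaves behind."""
    org = build_org()
    org("DELETE", "/users/subject")
    return org.users.get("subject", "gone")
```

Run with a token created by a Super Administrator the flow issues roles, user, deactivate, delete and the confirming GET; with a Read Only Administrator's token it stops after the role check and touches nothing, matching the behaviour described under Permissions. naive_delete_status shows the pitfall the deactivate step avoids: one DELETE on an active user returns success yet leaves the account in place as DEPROVISIONED.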
System Detection
DataGrail provides continuous system detection, delivering a real-time inventory of your data assets. For data discovery requests, DataGrail reads the applications (apps) configured in your Okta org to detect new systems added to your organization.
Endpoints Utilized
- GET https://{DOMAIN}/api/v1/apps
Disclaimer: The information contained in this message does not constitute legal advice. We would advise seeking professional counsel before acting on or interpreting any material.