Importing Entitlements for Disconnected Apps in OIG

Okta recently introduced a new feature into Okta Identity Governance for importing users and entitlements for disconnected apps via a CSV import. This article explores the new feature.

Introduction

Okta has had the ability to import users via a CSV file for a long time. This has been an effective way to bulk load users without having to resort to programmatic means.

With the introduction of Entitlement Management with Okta Identity Governance (OIG), users can be associated with fine-grained app-level entitlements such as Roles and Licenses. Many of the Okta Integration Network apps have been extended to import entitlements and entitlement assignments.

But what about governance for disconnected apps, apps that aren’t defined in Okta? You can create these app definitions in Okta, but up to now you would need to manually assign users and their entitlements to them.

This new feature extends the existing Import from CSV functionality to include entitlements. An imported CSV file is scanned to determine the complete set of entitlements and their values, and these are created against the application. The import then consumes all the user-entitlement assignments and defines them in Okta. This means you can see which users hold which entitlements, and run access certification campaigns against those assignments (potentially highlighting entitlements to be manually removed in the app).

This article walks through the configuration, building and importing a CSV file, and running an access certification campaign against the entitlements.

Configuration

Let’s walk through the Okta configuration to consume a CSV file.

Step 0 – Enable the Feature

At the time of writing this article, this feature is in Early Access and needs to be enabled in the Settings > Features section of the Okta Admin Console.

Step 1 – Create New App Instance in Okta

You will need an app definition that supports provisioning to represent the disconnected app. See the list of Supported applications for Entitlement Management. You will want to create an app from one of the Template Apps, such as a SCIM app (it will be a dummy app; there is no provisioning plumbing connected to it).

For this example we created a SCIM 2.0 Test App (Basic Auth) with SWA for Sign on and no sign on URLs specified.

By default the app will have a single app user profile value – username (mapped to the Okta username).

Step 2 – Define additional app user profile attributes

Your app may have additional attributes you want to store in Okta and sync with Okta user profile values. You may want to use these values if creating a new user in Okta when you import the CSV. You may also want to use them to provide more information about the user, such as when reviewing access in Access Certification.

Use the Profile Editor to add attributes to the app user profile. In this example, we have added three: First Name, Last Name and email.

With the attributes defined, you can map them to the appropriate Okta User profile attributes.

Step 3 – Enable the Governance Engine (Identity Governance)

To allow visibility and management of app entitlements, the Governance Engine must be enabled for the disconnected app. This is done on the General tab of the app in the Identity Governance section.

It may take a few minutes for the Governance Engine to be enabled. Once this is done, you can start looking at the CSV file.

Importing a CSV File

To import a CSV you can download a template file with the required user attributes or build one from scratch, then import it and check the results. We will walk through the process using the downloaded template.

Step 1 – Download the CSV Template

A CSV Template is available with the app user profile attributes pre-populated. If you have set up the attributes as above, the following steps will have them as columns in the CSV.

Go to the app instance and the Import tab. Click on the Import from CSV button.

On the Import Users from CSV dialog, click the CSV Template link to download the CSV file.

You can Cancel the dialog and go edit the file, or leave it open to come back to.

Step 2 – Fill in the CSV File

If you open the downloaded template file, you will see that it contains a single header row listing the attributes to be populated.

Username,First Name,Last Name,email,ent_Entitlement1,ent_Entitlement2

There are three sets of values:

  • The Username,
  • The app user profile attributes you added in the Profile Editor (in our case First Name, Last Name and email), and
  • Two dummy entitlements, Entitlement1 and Entitlement2 (both prefixed with ent_)

See the User entitlement CSV guidelines for entering data into the file. Some key points:

  • All entitlements must be prefixed by ent_, so in the standard template you have two entitlements (Entitlement1 and Entitlement2)
  • Multiple values are entered in quotes
  • You can have null values by using ,, or ,"",

Also note that this mechanism only supports full imports. So your CSV file for a disconnected app is the master set of users and their entitlements.

The following CSV file was used. It contains two users and three entitlements (Role, Lic and Scope). Each entitlement could have multiple values.

Username,First Name,Last Name,email,ent_Role,ent_Lic,ent_Scope
paula.partner@atko.email,Paula,Partner,paula.partner@atko.email,"Admin","Publishing,Admin","Prod,QA,Dev"
peter.partner@atko.email,Peter,Partner,peter.partner@atko.email,"Editor,Writer","Publishing",Prod
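The CSV rules above, worked through in code. This is an added example and not Okta's importer: it parses the article's sample file with Python's csv module, applies the guidelines (Username first, entitlement columns prefixed with ent_, quoted multi-valued cells split on commas, empty cells treated as null), derives the entitlement catalog and per-user assignments that the Governance tab and View access details later display, and, because each upload is a full replace, diffs a new file against the previous one to list assignments that would silently disappear. The column names and sample rows are the article's; the function names and the null-value sample file are my own constructions.

```python
"""Parse and sanity-check an OIG disconnected-app entitlement CSV.

Added example, not Okta's code. Implements the file rules described in the
article: a Username column, app user profile columns, and entitlement columns
prefixed with ent_ whose multi-valued cells are comma-separated inside quotes.
Empty cells (,, or ,"",) are treated as no value.
"""
import csv
import io

ENT_PREFIX = "ent_"

# Sample file from the article, embedded inline so this runs offline.
SAMPLE_CSV = """Username,First Name,Last Name,email,ent_Role,ent_Lic,ent_Scope
paula.partner@atko.email,Paula,Partner,paula.partner@atko.email,"Admin","Publishing,Admin","Prod,QA,Dev"
peter.partner@atko.email,Peter,Partner,peter.partner@atko.email,"Editor,Writer","Publishing",Prod
"""

# Constructed sample showing both null-value spellings from the guidelines.
NULL_CSV = 'Username,ent_Role,ent_Lic\nu1@example.com,,""\nu2@example.com,Admin,\n'


def parse_entitlement_csv(text):
    """Return (catalog, assignments).

    catalog:     {entitlement_name: sorted list of distinct values} for every
                 ent_ column, in alphabetical order (as the Governance tab shows)
    assignments: {username: {entitlement_name: sorted list of values}}
    Raises ValueError on structural problems the upload syntax check would reject.
    """
    reader = csv.reader(io.StringIO(text))
    try:
        header = next(reader)
    except StopIteration:
        raise ValueError("empty file")
    if not header or header[0] != "Username":
        raise ValueError("first column must be Username")
    if len(set(header)) != len(header):
        raise ValueError("duplicate column names")
    ent_cols = [(i, h[len(ENT_PREFIX):]) for i, h in enumerate(header)
                if h.startswith(ENT_PREFIX)]
    if not ent_cols:
        raise ValueError("no ent_ columns: nothing to import as entitlements")
    if any(name == "" for _, name in ent_cols):
        raise ValueError("entitlement column with empty name after ent_")

    catalog = {name: set() for _, name in ent_cols}
    assignments = {}
    seen = set()
    for lineno, row in enumerate(reader, start=2):
        if not row:  # tolerate a blank trailing line
            continue
        if len(row) != len(header):
            raise ValueError(f"line {lineno}: expected {len(header)} fields, got {len(row)}")
        username = row[0].strip()
        if not username:
            raise ValueError(f"line {lineno}: empty Username")
        if username in seen:
            raise ValueError(f"line {lineno}: duplicate Username {username!r}")
        seen.add(username)
        user_ents = {}
        for idx, name in ent_cols:
            # A quoted cell such as "Prod,QA,Dev" arrives as one field; split it.
            values = [v.strip() for v in row[idx].split(",") if v.strip()]
            if values:
                user_ents[name] = sorted(set(values))
                catalog[name].update(values)
        assignments[username] = user_ents
    return {k: sorted(v) for k, v in sorted(catalog.items())}, assignments


def removed_assignments(previous, current):
    """The import is a full replace, so list (user, entitlement, value) triples
    present in the previous file but absent from the new one before uploading."""
    _, old = parse_entitlement_csv(previous)
    _, new = parse_entitlement_csv(current)
    removed = []
    for user, ents in old.items():
        for name, values in ents.items():
            for v in values:
                if v not in new.get(user, {}).get(name, []):
                    removed.append((user, name, v))
    return sorted(removed)


if __name__ == "__main__":
    catalog, assignments = parse_entitlement_csv(SAMPLE_CSV)
    for name, values in catalog.items():
        print(f"{name}: {', '.join(values)}")
    for user, ents in assignments.items():
        print(user, ents)
    # Dropping Dev from Paula's Scope shows what a full replace would revoke.
    print(removed_assignments(SAMPLE_CSV, SAMPLE_CSV.replace('"Prod,QA,Dev"', '"Prod,QA"')))
```

Running the script reproduces what the article later shows in the console: the catalog comes out as Lic, Role and Scope in alphabetical order, and Paula ends up with two licenses, one role and three scopes. The removed_assignments check is the step worth keeping in a change-control process, since anything missing from the new file is gone from Okta after the import.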

Step 3 – Import the CSV File

Return to the Import Users from CSV dialog, enter the file name and click the Upload CSV button.

This will upload the file and perform a syntax check of the contents. You will get errors if the file is improperly formatted. Otherwise it will give you the results of the parsing.

Click the Import Users button. Once the file has been imported, you are presented with the normal user match screen for an import, where you can define whether to match existing users in Okta. Review the user mappings and select the users to import, then click the Confirm Assignments button to import the selected users.

The import process is now complete.

Viewing the Results of the Import

With the file successfully imported, you can confirm the upload. First you can go to the Governance tab for the disconnected app and look at the Entitlements.

In this example we have three entitlements: Lic, Role and Scope (sorted alphabetically, not in the order they appeared in the file). Each has the values specified in the file.

As with any entitlements on apps, you could create Bundles for requesting access or policy for default assignment. But note that there is no plumbing behind the app instance to push any changes to the app (you could potentially build something with SCIM or Workflows).

Next if you return to the app and look at the Assignments, you will see the users from the file.

In this example you can see the two users from the import file – Paula Partner and Peter Partner. Selecting the more icon and then the View access details action will show the entitlements for this user.

In this example, Paula has two licenses (Admin and Publishing), one role (Admin) and three scopes (Dev, Prod and QA). This corresponds with her entry in the file shown above.

Access Certification

With the entitlements assigned to users in the disconnected app, you can run access certification campaigns against them.

The campaign is a standard Resource Campaign for the disconnected app and all entitlements enabled.

Note that remediation is disabled for the review. You could set it to remove access when the reviewer clicks the Revoke button, but as there’s no integration (plumbing) behind the app instance, it won’t make any changes to the target system. You could set up Workflows to react to the System Log events and trigger a process that removes the access in the app and updates the import CSV.

The review works as for any other review of a resource with entitlements. Clicking a row opens a slide-out window with more details, including the entitlement under review and, for context, the other entitlements the user has.

As for every other campaign, the reviewer would progress through the reviews and approve, revoke or reassign them.

Conclusion

In this article we have explored the ability to import users and entitlements for disconnected apps into Okta via a CSV file. We have looked at the configuration of the app; how to download, fill out and import the CSV file; how to verify the import was successful; and how to run an access certification campaign against the disconnected app.

This mechanism greatly expands the reach of Okta Identity Governance. No longer are you limited to apps defined in Okta. You can run governance controls for disconnected apps and have a single place to audit activity.