Prerequisite
Ensure that you have connected Okta as an identity provider first. To learn more, refer to the Connecting Okta to Drata article.
The Okta account whose API token you give to Drata must hold specific permissions, which you grant by creating a custom administrator role in Okta.
To learn how to do this, refer to the Create custom administrator role and API token section within this help article.
Verify which applications Okta can provision. For the list of apps that Okta supports for provisioning, refer to the Okta Integration Network.
Okta provides user attribute data according to how each SSO app is set up in Okta, so the data it returns may not be applicable to every application.
If your IT team has chosen to provision access outside of Okta (most likely directly in the source application), you can upload that access data manually or rely on a future direct connection to the application.
Create custom administrator role and API token
Create custom administrator role:
A Super Admin is required to create the custom administrator role. Do not use a Super Admin API token to set up the integration; the token used by Drata is generated by a separate service account that holds only the custom administrator role with the required permissions.
Log in to Okta as a Super Administrator.
Navigate to Security > Administrators > Roles, and select Create new role in the top right.
Enter the role name and description.
Select Add Permissions and choose the View roles, resources, and admin assignments permission. This is the only permission the role needs.
Save the role.
Create a resource set:
Okta's custom roles must be scoped to a resource set. A resource set defines which resources the permissions of the role you just created apply to.
Go to Security > Administrators > Resources.
Select Create new resource set.
Enter the resource name and description.
Select Add Resource, choose Identity and Access Management, and then select All Identity and Access Management resources.
This resource set grants the role access to all roles, resources, and admin assignments within the organization.
Save the selection and the resource set.
Assign the custom admin role to the Drata service account and generate the API token:
You are now ready to assign administrator rights to a newly created service account.
Create a new service account for Drata and assign it the Read-only Administrator role and the custom admin role, scoped to the resource set you created.
Generate the API token while logged in as that service account, not as a Super Administrator. An Okta API token carries the permissions of the user who creates it, so a token created from a Super Admin session would give Drata far more access than the user access review feature needs.
Log in to the service account created in the previous steps (the one holding the Read-only Administrator role and the custom admin role with its resource set) and create an API token by going to Security > API > Tokens > Create token.
Copy the token value when it is displayed; Okta shows it only once. Okta also revokes API tokens that have not been used for 30 days, so keep the service account's token in use once the connection is established.
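Before pasting the token into Drata, it is worth confirming that it really belongs to the service account and carries only the roles described above. The script below is an added example and is not part of this article or of Drata's or Okta's tooling. It calls two documented Okta endpoints with the SSWS token header: /api/v1/users/me (which resolves to the token's owner, so a token minted from a Super Admin session is caught immediately) and /api/v1/users/{id}/roles. The role "type" values, the "resource-set" field on custom roles, and the sample responses are assumptions based on Okta's roles API as documented; the sample data is constructed for offline use and the role and resource-set identifiers in it are placeholders.

```python
"""Audit the Okta service-account token before handing it to Drata (added example)."""
import json
import os
import urllib.request

# Constructed sample of GET /api/v1/users/{id}/roles for a correctly configured
# service account: Read-only Administrator plus one custom role scoped to a resource set.
# Field names follow Okta's documented roles response (assumption); ids are placeholders.
SAMPLE_GOOD = [
    {"id": "ra-example-1", "label": "Read-only Administrator", "type": "READ_ONLY_ADMIN",
     "status": "ACTIVE", "assignmentType": "USER"},
    {"id": "ra-example-2", "label": "Drata UAR", "type": "CUSTOM", "status": "ACTIVE",
     "assignmentType": "USER", "resource-set": "iam-rs-example", "role": "cr-example"},
]

# Constructed sample of what comes back when the token was created from a Super Admin session.
SAMPLE_BAD = [
    {"id": "ra-example-3", "label": "Super Administrator", "type": "SUPER_ADMIN",
     "status": "ACTIVE", "assignmentType": "USER"},
]

EXPECTED_TYPES = {"READ_ONLY_ADMIN", "CUSTOM"}


def okta_get(org_url, token, path):
    """GET an Okta Management API path using the SSWS token scheme."""
    req = urllib.request.Request(
        f"{org_url}{path}",
        headers={"Authorization": f"SSWS {token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def audit_roles(roles):
    """Return findings for a roles list; an empty list means the assignment is the expected shape."""
    findings = []
    types = [r.get("type") for r in roles]

    if "READ_ONLY_ADMIN" not in types:
        findings.append("missing Read-only Administrator role")

    custom = [r for r in roles if r.get("type") == "CUSTOM"]
    if len(custom) != 1:
        findings.append(f"expected exactly one custom admin role, found {len(custom)}")
    for r in custom:
        # A custom role that is not scoped to a resource set is not usable as intended.
        if not r.get("resource-set"):
            findings.append(f"custom role {r.get('label')!r} is not scoped to a resource set")

    # Any other standard admin role (SUPER_ADMIN, ORG_ADMIN, ...) is more than the UAR token needs.
    extra = sorted({t for t in types if t not in EXPECTED_TYPES})
    if extra:
        findings.append("unexpected standard admin roles: " + ", ".join(extra))
    return findings


def audit_live(org_url, token):
    """Fetch the token owner's roles from Okta and audit them. Returns (login, findings)."""
    me = okta_get(org_url.rstrip("/"), token, "/api/v1/users/me")
    roles = okta_get(org_url.rstrip("/"), token, f"/api/v1/users/{me['id']}/roles")
    return me["profile"]["login"], audit_roles(roles)


if __name__ == "__main__":
    org_url = os.environ.get("OKTA_ORG_URL")
    token = os.environ.get("OKTA_API_TOKEN")
    if org_url and token:
        login, findings = audit_live(org_url, token)
        print(f"token owner: {login}")
    else:
        # No credentials supplied: demonstrate against the constructed samples instead.
        print("good sample:", audit_roles(SAMPLE_GOOD))
        findings = audit_roles(SAMPLE_BAD)
    for f in findings:
        print("FINDING:", f)
    raise SystemExit(1 if findings else 0)
```

Run it with OKTA_ORG_URL set to your org URL (for example https://example.okta.com, a placeholder) and OKTA_API_TOKEN set to the token you just created. A non-zero exit with a "token owner" that is not the Drata service account, or a finding about SUPER_ADMIN, means the token was generated from the wrong session and should be revoked and recreated. The check covers role assignment only; it does not inspect which permissions the custom role itself carries, so the custom role's permission list should still be reviewed in the admin console.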
Enable Okta for User Access Review
Select "Connections" on the side navigation menu.
Select the Available connections tab, search for Okta, and select the Connect button on the Okta integration.
Make sure you select the Okta connection listed under the User access review section.
Follow the instructions in the connection drawer carefully. Complete each step entirely before moving on to the next, and paste the required values (including the service account's API token) into each field as indicated.
Additional resources