application_users
Creates, updates, deletes, gets or lists an application_users resource.
Overview
Name | application_users |
Type | Resource |
Id | okta.apps.application_users |
Fields
The following fields are returned by SELECT queries:
- list_application_users
- get_application_user
Name | Datatype | Description |
---|---|---|
id | string | Unique identifier for the Okta user (example: 00u11z6WHMYCGPCHCRFK) |
_embedded | object | Embedded resources related to the application user using the JSON Hypertext Application Language specification |
_links | object | Specifies link relations (see Web Linking) available using the JSON Hypertext Application Language specification. This object is used for dynamic discovery of resources related to the application user. |
created | string (date-time) | Timestamp when the object was created (example: 2017-03-28T01:11:10.000Z) |
credentials | object | Specifies a user's credentials for the app. This parameter can be omitted for apps with sign-on mode (signOnMode) or authentication schemes (credentials.scheme) that don't require credentials. |
externalId | string | The ID of the user in the target app that's linked to the Okta application user object. This value is the native app-specific identifier or primary key for the user in the target app. The externalId is set during import when the user is confirmed (reconciled) or during provisioning when the user is created in the target app. This value isn't populated for SSO app assignments (for example, SAML or SWA) because it isn't synchronized with a target app. (example: 70c14cc17d3745e8a9f98d599a68329c) |
lastSync | string (date-time) | Timestamp of the last synchronization operation. This value is only updated for apps with the IMPORT_PROFILE_UPDATES or PUSH_PROFILE_UPDATES feature. (example: 2014-06-24T15:27:59.000Z) |
lastUpdated | string (date-time) | Timestamp when the object was last updated (example: 2014-06-24T15:28:14.000Z) |
passwordChanged | string (date-time) | Timestamp when the application user password was last changed (example: 2014-06-24T15:27:59.000Z) |
profile | object | Specifies the default and custom profile properties for a user. Properties that are visible in the Admin Console for an app assignment can also be assigned through the API. Some properties are reference properties that are imported from the target app and can't be configured. See profile. |
scope | string | Indicates if the assignment is direct (USER) or by group membership (GROUP). (example: USER) |
status | string | Status of an application user (example: ACTIVE) |
statusChanged | string (date-time) | Timestamp when the application user status was last changed (example: 2014-06-24T15:28:14.000Z) |
syncState | string | The synchronization state for the application user. The application user's syncState depends on whether the PROFILE_MASTERING feature is enabled for the app. Note: User provisioning currently must be configured through the Admin Console. (example: SYNCHRONIZED) |
Methods
The following methods are available for this resource:
Name | Accessible by | Required Params | Optional Params | Description |
---|---|---|---|---|
list_application_users | select | subdomain | after, limit, q, expand | Lists all assigned users for an app |
get_application_user | select | subdomain | expand | Retrieves a specific user assignment for a specific app |
assign_user_to_application | insert | subdomain, data__id | | Assigns a user to an app for SSO only, or for SSO and provisioning. SSO only: assignments to SSO apps typically don't include a user profile. However, if your SSO app requires a profile but doesn't have provisioning enabled, you can add profile attributes in the request body. SSO and provisioning: assignments to SSO and provisioning apps typically include credentials and an app-specific profile. Profile mappings defined for the app are applied first, before any profile properties that are specified in the request body. Notes: When Universal Directory is enabled, you can only specify profile properties that aren't defined in profile mappings. Omit mapped properties during assignment to minimize assignment errors. |
update_application_user | update | subdomain | | Updates the profile or credentials of a user assigned to an app |
unassign_user_from_application | delete | subdomain | sendEmail | Unassigns a user from an app. Directories like Active Directory and LDAP act as the owner of the user's credential, with Okta delegating authentication (DelAuth) to that directory. If this request is successful for a user when DelAuth is enabled, then the user is in a state with no password. You can then reset the user's password. Important: This is a destructive operation. You can't recover the user's app profile. If the app is enabled for provisioning and configured to deactivate users, the user is also deactivated in the target app. |
Parameters
Parameters can be passed in the WHERE clause of a query. Check the Methods section to see which parameters are required or optional for each operation.
Name | Datatype | Description |
---|---|---|
subdomain | string | The domain of your organization. This can be a provided subdomain of an official Okta domain (okta.com, oktapreview.com, etc.) or one of your configured custom domains. (default: my-org) |
after | string | Specifies the pagination cursor for the next page of results. Treat this as an opaque value obtained through the next link relationship. See [Pagination](https://developer.okta.com/docs/api#pagination). |
expand | string | An optional query parameter to return the corresponding User object in the _embedded property. Valid value: user |
limit | integer (int32) | Specifies the number of objects to return per page. If there are multiple pages of results, the Link header contains a next link that you need to use as an opaque value (follow it, don't parse it). See [Pagination](https://developer.okta.com/docs/api#pagination). |
q | string | Specifies a filter for the list of application users returned based on their profile attributes. The value of q is matched against the beginning of the following profile attributes: userName, firstName, lastName, and email. This filter only supports the startsWith operation that matches the q string against the beginning of the attribute values. Note: For OIDC apps, user profiles don't contain the firstName or lastName attributes. Therefore, the query only matches against the userName or email attributes. |
sendEmail | boolean | Sends a deactivation email to the administrator if true |
SELECT examples
- list_application_users
- get_application_user
Lists all assigned users for an app
```sql
SELECT
  id,
  _embedded,
  _links,
  created,
  credentials,
  externalId,
  lastSync,
  lastUpdated,
  passwordChanged,
  profile,
  scope,
  status,
  statusChanged,
  syncState
FROM okta.apps.application_users
WHERE subdomain = '{{ subdomain }}' -- required
  AND after = '{{ after }}'
  AND limit = '{{ limit }}'
  AND q = '{{ q }}'
  AND expand = '{{ expand }}';
```
Retrieves a specific user assignment for a specific app
```sql
SELECT
  id,
  _embedded,
  _links,
  created,
  credentials,
  externalId,
  lastSync,
  lastUpdated,
  passwordChanged,
  profile,
  scope,
  status,
  statusChanged,
  syncState
FROM okta.apps.application_users
WHERE subdomain = '{{ subdomain }}' -- required
  AND expand = '{{ expand }}';
```
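An access-review pass over rows returned by list_application_users, as an added example that is not part of the StackQL or Okta documentation. It assumes the rows were exported as JSON; the `review` function, its three checks, the 365-day threshold and the sample rows are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample rows (not real users), using field names from the Fields table.
SAMPLE_ROWS = json.loads("""
[
  {"id": "00uCONSTRUCTED000001", "scope": "GROUP", "status": "ACTIVE",
   "passwordChanged": null},
  {"id": "00uCONSTRUCTED000002", "scope": "USER", "status": "ACTIVE",
   "passwordChanged": "2014-06-24T15:27:59.000Z"},
  {"id": "00uCONSTRUCTED000003", "scope": "GROUP", "status": "INACTIVE",
   "passwordChanged": "2024-12-01T00:00:00.000Z"}
]
""")


def parse_ts(value):
    """Parse the date-time format shown on this page; missing values stay None."""
    if not value:
        return None
    parsed = datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")
    return parsed.replace(tzinfo=timezone.utc)


def review(rows, now, max_password_age_days=365):
    """Map user id -> list of reasons the assignment deserves a reviewer's attention.

    The three checks and the 365-day default are assumptions of this example,
    not Okta or StackQL policy.
    """
    findings = {}
    for row in rows:
        reasons = []
        if row.get("scope") == "USER":
            # Direct assignments are not revoked by removing a group membership.
            reasons.append("direct assignment (scope USER)")
        if row.get("status") != "ACTIVE":
            reasons.append(f"status is {row.get('status')}")
        changed = parse_ts(row.get("passwordChanged"))
        if changed and now - changed > timedelta(days=max_password_age_days):
            reasons.append(f"app password older than {max_password_age_days} days")
        if reasons:
            findings[row["id"]] = reasons
    return findings


if __name__ == "__main__":
    for user_id, reasons in review(SAMPLE_ROWS, datetime.now(timezone.utc)).items():
        print(user_id, "; ".join(reasons))
```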
INSERT examples
- assign_user_to_application
- Manifest
Assigns a user to an app for:
* SSO only
  Assignments to SSO apps typically don't include a user profile.
  However, if your SSO app requires a profile but doesn't have provisioning enabled, you can add profile attributes in the request body.
* SSO and provisioning
  Assignments to SSO and provisioning apps typically include credentials and an app-specific profile.
  Profile mappings defined for the app are applied first before applying any profile properties that are specified in the request body.

> Notes:
> * When Universal Directory is enabled, you can only specify profile properties that aren't defined in profile mappings.
> * Omit mapped properties during assignment to minimize assignment errors.
```sql
INSERT INTO okta.apps.application_users (
  data__credentials,
  data__id,
  data__profile,
  data__scope,
  subdomain
)
SELECT
  '{{ credentials }}',
  '{{ id }}', -- required
  '{{ profile }}',
  '{{ scope }}',
  '{{ subdomain }}' -- required
RETURNING
  id,
  _embedded,
  _links,
  created,
  credentials,
  externalId,
  lastSync,
  lastUpdated,
  passwordChanged,
  profile,
  scope,
  status,
  statusChanged,
  syncState
;
```
```yaml
# Description fields are for documentation purposes
- name: application_users
  props:
    - name: subdomain
      value: string
      description: Required parameter for the application_users resource.
    - name: credentials
      value: object
      description: >
        Specifies a user's credentials for the app.
        This parameter can be omitted for apps with [sign-on mode](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Application/#tag/Application/operation/getApplication!c=200&path=0/signOnMode&t=response) (`signOnMode`) or [authentication schemes](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Application/#tag/Application/operation/getApplication!c=200&path=0/credentials/scheme&t=response) (`credentials.scheme`) that don't require credentials.
    - name: id
      value: string
      description: >
        Unique identifier for the Okta user
    - name: profile
      value: object
      description: >
        Specifies the default and custom profile properties for a user.
        Properties that are visible in the Admin Console for an app assignment can also be assigned through the API.
        Some properties are reference properties that are imported from the target app and can't be configured.
        See [profile](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#tag/User/operation/getUser!c=200&path=profile&t=response).
    - name: scope
      value: string
      description: >
        Indicates if the assignment is direct (`USER`) or by group membership (`GROUP`).
      valid_values: ['USER', 'GROUP']
```
UPDATE examples
- update_application_user
Updates the profile or credentials of a user assigned to an app
```sql
UPDATE okta.apps.application_users
SET
  -- No updatable properties
WHERE
  subdomain = '{{ subdomain }}' -- required
RETURNING
  id,
  _embedded,
  _links,
  created,
  credentials,
  externalId,
  lastSync,
  lastUpdated,
  passwordChanged,
  profile,
  scope,
  status,
  statusChanged,
  syncState;
```
DELETE examples
- unassign_user_from_application
Unassigns a user from an app
Directories like Active Directory and LDAP act as the owner of the user's credential, with Okta delegating authentication (DelAuth) to that directory.
If this request is successful for a user when DelAuth is enabled, then the user is in a state with no password. You can then reset the user's password.
> Important: This is a destructive operation. You can't recover the user's app profile. If the app is enabled for provisioning and configured to deactivate users, the user is also deactivated in the target app.
```sql
DELETE FROM okta.apps.application_users
WHERE subdomain = '{{ subdomain }}' -- required
  AND sendEmail = '{{ sendEmail }}';
```