users

Creates, updates, deletes, gets or lists a users resource.

Overview

| | |
|---|---|
| Name | users |
| Type | Resource |
| Id | okta.groups.users |

Fields

The following fields are returned by SELECT queries:

| Name | Datatype | Description |
|---|---|---|
| id | string | The unique key for the user |
| _embedded | object | Embedded resources related to the user using the JSON Hypertext Application Language specification |
| _links | object | Specifies link relations (see Web Linking) available using the JSON Hypertext Application Language specification. This object is used for dynamic discovery of related resources and lifecycle operations. |
| activated | string (date-time) | The timestamp when the user status transitioned to ACTIVE |
| created | string (date-time) | The timestamp when the user was created |
| credentials | object | Specifies primary authentication and recovery credentials for a user. Credential types and requirements vary depending on the provider and security policy of the org. |
| lastLogin | string (date-time) | The timestamp of the last login |
| lastUpdated | string (date-time) | The timestamp when the user was last updated |
| passwordChanged | string (date-time) | The timestamp when the user's password was last updated |
| profile | object | Specifies the default and custom profile properties for a user. The default user profile is based on the System for Cross-domain Identity Management: Core Schema. The only permitted customizations of the default profile are to update permissions, change whether the firstName and lastName properties are nullable, and specify a pattern for login. You can use the Profile Editor in the Admin Console or the Schemas API to make schema modifications. You can extend user profiles with custom properties. You must first add the custom property to the user profile schema before you reference it. You can use the Profile Editor in the Admin Console or the Schemas API to manage schema extensions. Custom attributes can contain HTML tags. It's the client's responsibility to escape or encode this data before displaying it. Use best practices to prevent cross-site scripting. |
| realmId | string | The ID of the realm in which the user is residing. See Realms. (example: guo1bfiNtSnZYILxO0g4) |
| status | string | The current status of the user. The status of a user changes in response to explicit events, such as admin-driven lifecycle changes, user login, or self-service password recovery. Okta doesn't asynchronously sweep through users and update their password expiry state, for example. Instead, Okta evaluates password policy at login time, notices the password has expired, and moves the user to the expired state. When running reports, remember that the data is valid as of the last login or lifecycle event for that user. |
| statusChanged | string (date-time) | The timestamp when the status of the user last changed |
| transitioningToStatus | string | The target status of an in-progress asynchronous status transition. This property is only returned if the user's state is transitioning. |
| type | object | The user type that determines the schema for the user's profile. The type property is a map that identifies the User Types. Currently it contains a single element, id. It can be specified when creating a new user, and can be updated by an admin on a full replace of an existing user (but not a partial update). |

Methods

The following methods are available for this resource:

| Name | Accessible by | Required Params | Optional Params | Description |
|---|---|---|---|---|
| list_group_users | select | subdomain | after, limit | Lists all users that are a member of a group. The default user limit is set to a very high number due to historical reasons that are no longer valid for most orgs. This will change in a future version of this API. The recommended page limit is now limit=200. |
| assign_user_to_group | replace | subdomain | | Assigns a user to a group with the OKTA_GROUP type. Note: You can only modify memberships for groups of the OKTA_GROUP type. App imports are responsible for managing group memberships for groups of the APP_GROUP type, such as Active Directory groups. |
| unassign_user_from_group | delete | subdomain | | Unassigns a user from a group with the OKTA_GROUP type. Note: You can only modify memberships for groups of the OKTA_GROUP type. App imports are responsible for managing group memberships for groups of the APP_GROUP type, such as Active Directory groups. |

Parameters

Parameters can be passed in the WHERE clause of a query. Check the Methods section to see which parameters are required or optional for each operation.

| Name | Datatype | Description |
|---|---|---|
| subdomain | string | The domain of your organization. This can be a provided subdomain of an official Okta domain (okta.com, oktapreview.com, etc) or one of your configured custom domains. (default: my-org) |
| after | string | The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the Link response header. See Pagination. |
| limit | integer (int32) | Specifies the number of user results in a page |

SELECT examples

Lists all users that are a member of a group.
The default user limit is set to a very high number due to historical reasons that are no longer valid for most orgs. This will change in a future version of this API. The recommended page limit is now limit=200.

```sql
SELECT
  id,
  _embedded,
  _links,
  activated,
  created,
  credentials,
  lastLogin,
  lastUpdated,
  passwordChanged,
  profile,
  realmId,
  status,
  statusChanged,
  transitioningToStatus,
  type
FROM okta.groups.users
WHERE subdomain = '{{ subdomain }}' -- required
AND after = '{{ after }}'
AND limit = '{{ limit }}';
```
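
An added example, not part of the provider documentation: a Python post-processing step for rows returned by this SELECT that flags group members with no recent login, records the time the `status` value was last known to be accurate, and HTML-escapes profile values before they reach a report. The sample rows, the `badgeLabel` custom attribute, the 90-day threshold and the assumption that `profile` arrives as JSON text are all constructed for illustration.

```python
import html
import json
from datetime import datetime, timezone

# Constructed rows shaped like the SELECT output; every value is made up,
# and "badgeLabel" is a hypothetical custom profile attribute.
SAMPLE_ROWS = [
    {"id": "u-001", "status": "ACTIVE", "lastLogin": "2024-05-28T09:15:00.000Z",
     "statusChanged": "2023-02-01T00:00:00.000Z",
     "profile": '{"login": "alice@example.com", "badgeLabel": "Ops"}'},
    {"id": "u-002", "status": "ACTIVE", "lastLogin": "2024-01-01T00:00:00.000Z",
     "statusChanged": "2023-03-01T00:00:00.000Z",
     "profile": '{"login": "bob@example.com", "badgeLabel": "<script>alert(1)</script>"}'},
    {"id": "u-003", "status": "ACTIVE", "lastLogin": None,
     "statusChanged": "2023-04-01T00:00:00.000Z",
     "profile": '{"login": "carol@example.com"}'},
]
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed so the result is reproducible


def parse_ts(value):
    """Parse a date-time string such as 2024-01-01T00:00:00.000Z; empty -> None."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def escape_profile(profile):
    """HTML-escape every string in a profile (JSON text or dict) before display."""
    def esc(v):
        if isinstance(v, str):
            return html.escape(v, quote=True)
        if isinstance(v, list):
            return [esc(x) for x in v]
        if isinstance(v, dict):
            return {esc(k): esc(x) for k, x in v.items()}
        return v
    return esc(json.loads(profile) if isinstance(profile, str) else profile)


def review_members(rows, now=NOW, max_idle_days=90):
    """Return members whose last login is missing or older than max_idle_days."""
    findings = []
    for row in rows:
        last_login = parse_ts(row.get("lastLogin"))
        idle_days = None if last_login is None else (now - last_login).days
        if idle_days is not None and idle_days <= max_idle_days:
            continue
        # status reflects the last login or lifecycle event, not the present moment
        events = [t for t in (last_login, parse_ts(row.get("statusChanged"))) if t]
        findings.append({"id": row["id"], "status": row["status"], "idle_days": idle_days,
                         "status_as_of": max(events) if events else None,
                         "profile": escape_profile(row["profile"])})
    return findings
```
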

REPLACE examples

Assigns a user to a group with the OKTA_GROUP type.
> Note: You can only modify memberships for groups of the OKTA_GROUP type. App imports are responsible for managing group memberships for groups of the APP_GROUP type, such as Active Directory groups.

```sql
REPLACE okta.groups.users
SET
-- No updatable properties
WHERE
subdomain = '{{ subdomain }}'; -- required
```

DELETE examples

Unassigns a user from a group with the OKTA_GROUP type.
> Note: You can only modify memberships for groups of the OKTA_GROUP type.
>
> App imports are responsible for managing group memberships for groups of the APP_GROUP type, such as Active Directory groups.

```sql
DELETE FROM okta.groups.users
WHERE subdomain = '{{ subdomain }}'; -- required
```