app_target_roles
Creates, updates, deletes, gets or lists an app_target_roles resource.
Overview
| Name | app_target_roles |
| Type | Resource |
| Id | okta.oauth2.app_target_roles |
Fields
The following fields are returned by SELECT queries:
- list_app_target_role_to_client
| Name | Datatype | Description |
|---|---|---|
| id | string | ID of the app instance. Okta returns this property only for apps not in the OIN catalog. |
| name | string | App key name. For OIN catalog apps, this is a unique key for the app definition. |
| _links | object | Specifies link relations (see Web Linking) available using the JSON Hypertext Application Language specification |
| category | string | Category for the app in the OIN catalog (example: SOCIAL) |
| description | string | Description of the app in the OIN catalog |
| displayName | string | OIN catalog app display name |
| features | array | Features supported by the app. See app features. |
| lastUpdated | string (date-time) | Timestamp when the object was last updated (example: 2024-09-19T23:37:37.000Z) |
| signOnModes | array | Authentication mode for the app. See app signOnMode. |
| status | string | App status |
| verificationStatus | string | OIN verification status of the catalog app (example: OKTA_VERIFIED) |
| website | string | Website of the OIN catalog app |
Methods
The following methods are available for this resource:
| Name | Accessible by | Required Params | Optional Params | Description |
|---|---|---|---|---|
| list_app_target_role_to_client | select | subdomain | after, limit | Lists all OIN app targets for an APP_ADMIN role that's assigned to a client (by clientId). |
| assign_app_target_role_to_client | replace | subdomain | | Assigns an OIN app target for an APP_ADMIN role assignment to a client. When you assign an app target from the OIN catalog, you reduce the scope of the role assignment. The role assignment applies to only app instances that are included in the specified OIN app target. An assigned OIN app target overrides any existing app instance targets. For example, if a user is assigned to administer a specific Facebook instance, a successful request to add an OIN app target with facebook for appName makes that user the administrator for all Facebook instances. |
| remove_app_target_role_from_client | delete | subdomain | | Unassigns an OIN app target for a role assignment to a client app. Note: You can't remove the last OIN app target from a role assignment. If you need a role assignment that applies to all apps, delete the role assignment with the target and create another one. See Unassign a client role. |
| remove_app_target_instance_role_for_client | delete | subdomain | | Unassigns an app instance target from a role assignment to a client app. Note: You can't remove the last app instance target from a role assignment. If you need a role assignment that applies to all the apps, delete the role assignment with the instance target and create another one. See Unassign a client role. |
| assign_app_target_instance_role_for_client | exec | subdomain | | Assigns an app instance target to an APP_ADMIN role assignment to a client. When you assign the first OIN app or app instance target, you reduce the scope of the role assignment. The role no longer applies to all app targets, but applies only to the specified target. Note: You can target a mixture of both OIN app and app instance targets, but you can't assign permissions to manage all instances of an OIN app and then assign a subset of permissions to the same app. For example, you can't specify that an admin has access to manage all instances of the Salesforce app and then also manage only specific configurations of the Salesforce app. |
Parameters
Parameters can be passed in the WHERE clause of a query. Check the Methods section to see which parameters are required or optional for each operation.
| Name | Datatype | Description |
|---|---|---|
| subdomain | string | The domain of your organization. This can be a provided subdomain of an official Okta domain (okta.com, oktapreview.com, etc.) or one of your configured custom domains. (default: my-org) |
| after | string | The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the Link response header. See Pagination. |
| limit | integer | A limit on the number of objects to return |
SELECT examples
- list_app_target_role_to_client
Lists all OIN app targets for an APP_ADMIN role that's assigned to a client (by clientId).
```sql
SELECT
  id,
  name,
  _links,
  category,
  description,
  displayName,
  features,
  lastUpdated,
  signOnModes,
  status,
  verificationStatus,
  website
FROM okta.oauth2.app_target_roles
WHERE subdomain = '{{ subdomain }}' -- required
  AND after = '{{ after }}'
  AND limit = '{{ limit }}'
;
```
REPLACE examples
- assign_app_target_role_to_client
Assigns an OIN app target for an APP_ADMIN role assignment to a client. When you assign an app target from the OIN catalog, you reduce the scope of the role assignment.
The role assignment applies to only app instances that are included in the specified OIN app target.
An assigned OIN app target overrides any existing app instance targets.
For example, if a user is assigned to administer a specific Facebook instance, a successful request to add an OIN app target with facebook for appName makes that user the administrator for all Facebook instances.
```sql
REPLACE okta.oauth2.app_target_roles
SET
  -- No updatable properties
WHERE
  subdomain = '{{ subdomain }}' -- required
;
```
DELETE examples
- remove_app_target_role_from_client
- remove_app_target_instance_role_for_client
Unassigns an OIN app target for a role assignment to a client app.
> Note: You can't remove the last OIN app target from a role assignment.
> If you need a role assignment that applies to all apps, delete the role assignment with the target and create another one. See Unassign a client role.
```sql
DELETE FROM okta.oauth2.app_target_roles
WHERE subdomain = '{{ subdomain }}' -- required
;
```
Unassigns an app instance target from a role assignment to a client app.
> Note: You can't remove the last app instance target from a role assignment.
> If you need a role assignment that applies to all the apps, delete the role assignment with the instance target and create another one. See Unassign a client role.
```sql
DELETE FROM okta.oauth2.app_target_roles
WHERE subdomain = '{{ subdomain }}' -- required
;
```
Lifecycle Methods
- assign_app_target_instance_role_for_client
Assigns an app instance target to an APP_ADMIN role assignment to a client. When you assign the first OIN app or app instance target, you reduce the scope of the role assignment.
The role no longer applies to all app targets, but applies only to the specified target.
> Note: You can target a mixture of both OIN app and app instance targets, but you can't assign permissions to manage all instances of an OIN app and then assign a subset of permissions to the same app.
> For example, you can't specify that an admin has access to manage all instances of the Salesforce app and then also manage only specific configurations of the Salesforce app.
```sql
EXEC okta.oauth2.app_target_roles.assign_app_target_instance_role_for_client
@subdomain='{{ subdomain }}' -- required
;
```
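The targeting rules described for the assign and remove methods above, written as a local Python model to show how a target can both narrow and widen an APP_ADMIN assignment. This is an added example, not StackQL or Okta code, and it makes no API calls. The class names, method names and instance IDs are hypothetical, and it assumes an OIN app target overrides only the instance targets of the same app, as in the Facebook example.

```python
class TargetError(Exception):
    """A change that the rules quoted on this page do not allow."""


class AppAdminAssignment:
    """Hypothetical local model of one APP_ADMIN role assignment to a client."""

    def __init__(self):
        self.oin_apps = set()   # OIN app targets: every instance of the app
        self.instances = set()  # (app_name, instance_id) app instance targets

    def assign_oin_app(self, app_name):
        # Assumption: the OIN app target overrides instance targets of the
        # same app only, as in the page's Facebook example.
        self.instances = {t for t in self.instances if t[0] != app_name}
        self.oin_apps.add(app_name)

    def assign_instance(self, app_name, instance_id):
        # No subset target for an app whose instances are all managed already.
        if app_name in self.oin_apps:
            raise TargetError(f"all instances of {app_name} are already targeted")
        self.instances.add((app_name, instance_id))

    def remove_oin_app(self, app_name):
        self._remove(self.oin_apps, app_name, "OIN app")

    def remove_instance(self, app_name, instance_id):
        self._remove(self.instances, (app_name, instance_id), "app instance")

    @staticmethod
    def _remove(targets, item, kind):
        if item not in targets:
            raise TargetError(f"{item!r} is not an assigned {kind} target")
        if len(targets) == 1:  # the last target of a kind cannot be removed
            raise TargetError(f"cannot remove the last {kind} target")
        targets.remove(item)

    def can_administer(self, app_name, instance_id):
        if not self.oin_apps and not self.instances:
            return True  # no targets yet: the role applies to all apps
        return app_name in self.oin_apps or (app_name, instance_id) in self.instances


if __name__ == "__main__":
    role = AppAdminAssignment()
    role.assign_instance("facebook", "fb-instance-1")  # constructed instance ID
    print(role.can_administer("facebook", "fb-instance-2"))  # narrowed
    role.assign_oin_app("facebook")
    print(role.can_administer("facebook", "fb-instance-2"))  # widened
```

When reviewing changes to client role assignments, treat a new OIN app target as a possible scope increase: in this model it replaces a single-instance grant with a grant over every instance of that app.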