role_assignment_users
Creates, updates, deletes, gets or lists a role_assignment_users resource.
Overview
Name | role_assignment_users |
Type | Resource |
Id | okta.users.role_assignment_users |
Fields
The following fields are returned by SELECT queries:
- list_assigned_roles_for_user
- get_user_assigned_role
Name | Datatype | Description |
---|
Methods
The following methods are available for this resource:
Name | Accessible by | Required Params | Optional Params | Description |
---|---|---|---|---|
list_assigned_roles_for_user | select | subdomain | expand | Lists all roles assigned to a user (identified by userId) |
get_user_assigned_role | select | subdomain | | Retrieves a role assigned to a user (identified by userId). The roleAssignmentId parameter is the unique identifier for either a standard role assignment object or a custom role resource set binding object. |
assign_role_to_user | insert | subdomain | disableNotifications | Assigns a standard role to a user. You can also assign a custom role to a user, but the preferred method to assign a custom role to a user is to create a binding between the custom role, the resource set, and the user. See Create a role resource set binding. > Notes: > * The request payload is different for standard and custom role assignments. > * For IAM-based standard role assignments, use the request payload for standard roles. However, the response payload for IAM-based role assignments is similar to the custom role's assignment response. |
unassign_role_from_user | delete | subdomain | | Unassigns a role assignment (identified by roleAssignmentId) from a user (identified by userId) |
assign_all_apps_as_target_to_role_for_user | exec | subdomain | | Assigns all apps as target to an APP_ADMIN role |
assign_app_target_to_admin_role_for_user | exec | subdomain | | Assigns an OIN app target for an APP_ADMIN role assignment to an admin user. When you assign the first app target, you reduce the scope of the role assignment. The role no longer applies to all app targets, but applies only to the specified target. Assigning an OIN app target overrides any existing app instance targets of the OIN app. For example, if a user was assigned to administer a specific Facebook instance, a successful request to add an OIN app target with facebook for appName makes that user the admin for all Facebook instances. |
assign_app_instance_target_to_app_admin_role_for_user | exec | subdomain | | Assigns an app instance target to an APP_ADMIN role assignment to an admin user. When you assign the first OIN app or app instance target, you reduce the scope of the role assignment. The role no longer applies to all app targets, but applies only to the specified target. > Note: You can target a mixture of both OIN app and app instance targets, but can't assign permissions to manage all instances of an OIN app and then assign a subset of permission to the same OIN app. > For example, you can't specify that an admin has access to manage all instances of the Salesforce app and then also manage specific configurations of the Salesforce app. |
Parameters
Parameters can be passed in the WHERE clause of a query. Check the Methods section to see which parameters are required or optional for each operation.
Name | Datatype | Description |
---|---|---|
subdomain | string | The domain of your organization. This can be a provided subdomain of an official okta domain (okta.com, oktapreview.com, etc) or one of your configured custom domains. (default: my-org) |
disableNotifications | boolean | Setting this to true grants the user third-party admin status |
expand | string | An optional parameter used to return targets configured for the standard role assignment in the embedded property. Supported values: targets/groups or targets/catalog/apps |
SELECT examples
- list_assigned_roles_for_user
- get_user_assigned_role
Lists all roles assigned to a user (identified by userId)
SELECT
*
FROM okta.users.role_assignment_users
WHERE subdomain = '{{ subdomain }}' -- required
AND expand = '{{ expand }}';
Retrieves a role assigned to a user (identified by userId). The roleAssignmentId parameter is the unique identifier for either a standard role assignment object or a custom role resource set binding object.
SELECT
*
FROM okta.users.role_assignment_users
WHERE subdomain = '{{ subdomain }}'; -- required
INSERT examples
- assign_role_to_user
- Manifest
Assigns a standard role to a user.
You can also assign a custom role to a user, but the preferred method to assign a custom role to a user is to create a binding between the custom role, the resource set, and the user. See Create a role resource set binding.
> Notes:
> * The request payload is different for standard and custom role assignments.
> * For IAM-based standard role assignments, use the request payload for standard roles. However, the response payload for IAM-based role assignments is similar to the custom role's assignment response.
INSERT INTO okta.users.role_assignment_users (
subdomain,
disableNotifications
)
SELECT
'{{ subdomain }}',
'{{ disableNotifications }}'
;
# Description fields are for documentation purposes
- name: role_assignment_users
  props:
    - name: subdomain
      value: string
      description: Required parameter for the role_assignment_users resource.
    - name: disableNotifications
      value: boolean
      description: Setting this to `true` grants the user third-party admin status
DELETE examples
- unassign_role_from_user
Unassigns a role assignment (identified by roleAssignmentId) from a user (identified by userId)
DELETE FROM okta.users.role_assignment_users
WHERE subdomain = '{{ subdomain }}'; -- required
Lifecycle Methods
- assign_all_apps_as_target_to_role_for_user
- assign_app_target_to_admin_role_for_user
- assign_app_instance_target_to_app_admin_role_for_user
Assigns all apps as target to an APP_ADMIN role
EXEC okta.users.role_assignment_users.assign_all_apps_as_target_to_role_for_user
@subdomain='{{ subdomain }}'; -- required
Assigns an OIN app target for an APP_ADMIN role assignment to an admin user. When you assign the first app target, you reduce the scope of the role assignment.
The role no longer applies to all app targets, but applies only to the specified target.
Assigning an OIN app target overrides any existing app instance targets of the OIN app.
For example, if a user was assigned to administer a specific Facebook instance, a successful request to add an OIN app target with facebook for appName makes that user the admin for all Facebook instances.
EXEC okta.users.role_assignment_users.assign_app_target_to_admin_role_for_user
@subdomain='{{ subdomain }}'; -- required
Assigns an app instance target to an APP_ADMIN role assignment to an admin user. When you assign the first OIN app or app instance target, you reduce the scope of the role assignment.
The role no longer applies to all app targets, but applies only to the specified target.
> Note: You can target a mixture of both OIN app and app instance targets, but can't assign permissions to manage all instances of an OIN app and then assign a subset of permission to the same OIN app.
> For example, you can't specify that an admin has access to manage all instances of the Salesforce app and then also manage specific configurations of the Salesforce app.
EXEC okta.users.role_assignment_users.assign_app_instance_target_to_app_admin_role_for_user
@subdomain='{{ subdomain }}'; -- required
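The APP_ADMIN target rules described in this section, as an added Python model that is not part of the original page or of Okta's or StackQL's code: it replays the Facebook example to show when an assignment narrows and when an OIN app target widens it again. Class, method and instance-id names are hypothetical, and rejecting a conflicting instance target with an exception is an assumption about how that rule is enforced.

```python
# Constructed model of the APP_ADMIN target rules described on this page.
# Class and method names are hypothetical; this is not Okta or StackQL code.
from dataclasses import dataclass, field


@dataclass
class AppAdminScope:
    oin_apps: set = field(default_factory=set)   # app names: all instances of that app
    instances: set = field(default_factory=set)  # (app_name, instance_id) pairs

    def unscoped(self):
        # With no targets, the role applies to all app targets.
        return not self.oin_apps and not self.instances

    def add_oin_app(self, app_name):
        # An OIN app target overrides existing instance targets of that app.
        dropped = {t for t in self.instances if t[0] == app_name}
        self.instances -= dropped
        self.oin_apps.add(app_name)
        return sorted(dropped)  # non-empty: instance scope widened to the whole app

    def add_instance(self, app_name, instance_id):
        # "All instances" and a subset of the same app cannot coexist.
        # Assumption: the model rejects the request with an exception.
        if app_name in self.oin_apps:
            raise ValueError(f"{app_name}: all instances already targeted")
        self.instances.add((app_name, instance_id))

    def allows(self, app_name, instance_id):
        return (self.unscoped() or app_name in self.oin_apps
                or (app_name, instance_id) in self.instances)


def walkthrough():
    """Replay the Facebook example with constructed instance ids."""
    s = AppAdminScope()
    steps = [("unscoped", s.allows("salesforce", "sf-1"))]
    s.add_instance("facebook", "fb-1")            # first target narrows the role
    steps.append(("narrowed", s.allows("salesforce", "sf-1")))
    steps.append(("fb-2 before", s.allows("facebook", "fb-2")))
    dropped = s.add_oin_app("facebook")           # widens to every Facebook instance
    steps.append(("fb-2 after", s.allows("facebook", "fb-2")))
    return steps, dropped


if __name__ == "__main__":
    print(walkthrough())
```

A non-empty return from `add_oin_app` marks the point where an instance-level admin became admin of every instance of that app, which is the change worth reviewing in an access audit.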