Skip to content

Okta Custom SailPoint Entro Role

Create a least-privilege custom role for permission listing capabilities

Here are the key features a Least-Privilege custom role should support:

  • User Enumeration (employees, iDP profiles)

  • Application Enumeration

  • Log Collection

  • Role Assignment to Users and Apps

Limitations Without "Super Administrator"

  • API Permissions Grants per App

Role Creation Steps in Okta

  1. Go to Security > Administrators > Roles in the Okta Admin Console.

  2. Click on Create New Role.

  3. Enter the following details:

    • Role Name: SailPoint Entro Role

    • Role Description: Integration app for securing users, apps, permissions, and log collection

  4. Select the following permissions

    1. Users

      • View users' profile attributes

      • View users and their details

      • View API tokens

    2. Group

      • View groups and their details Identity and Access Management
    3. Identity and Access Management

      • View roles, resources, and admin assignments Application
    4. Application

      • View application and their details

      • View client credentials

  5. Then, click on Save role

  6. Within 'Resources' tab, click on 'Create new resource set'

  7. Name it "Entro Resource Set", and in the Description, type: "Apps, Users, Groups"

  8. Click on "+ Add resource" and select the following options:

    1. Applications > All applications - This resource is needed to observe all apps and their client secrets

    2. Identity and Access Management > All Identity and Access Management resources - This resource is needed to read all permissions, resource set info per users and apps

    3. Users > All users - This resource is needed to enumerate all users within Okta for Owner attribution and employee/IdP information

    4. Groups > All groups [optional - future] - Will be needed once SailPoint Entro covers group membership

  9. Once all added, click on Create

  10. Assign the new Admin role on SailPoint Entro's application, and select the Entro resource set

  11. To enable audit log collection, assigning the "Report Administrator" role along with the custom role is necessary.