Okta Custom SailPoint Entro Role
Create a least-privilege custom role for permission listing capabilities
Here are the key features a Least-Privilege custom role should support:
-
User Enumeration (employees, iDP profiles)
-
Application Enumeration
-
Log Collection
-
Role Assignment to Users and Apps
Limitations Without "Super Administrator"
- API Permissions Grants per App
Role Creation Steps in Okta
-
Go to Security > Administrators > Roles in the Okta Admin Console.

-
Click on Create New Role.
-
Enter the following details:
-
Role Name: SailPoint Entro Role
-
Role Description: Integration app for securing users, apps, permissions, and log collection
-
-
Select the following permissions
-
Users
-
View users' profile attributes
-
View users and their details
-
View API tokens
-
-
Group
- View groups and their details Identity and Access Management
-
Identity and Access Management
- View roles, resources, and admin assignments Application
-
Application
-
View application and their details
-
View client credentials
-
-
-
Then, click on Save role

-
Within 'Resources' tab, click on 'Create new resource set'
-
Name it "Entro Resource Set", and in the Description, type: "Apps, Users, Groups"
-
Click on "+ Add resource" and select the following options:
-
Applications > All applications - This resource is needed to observe all apps and their client secrets
-
Identity and Access Management > All Identity and Access Management resources - This resource is needed to read all permissions, resource set info per users and apps
-
Users > All users - This resource is needed to enumerate all users within Okta for Owner attribution and employee/IdP information
-
Groups > All groups [optional - future] - Will be needed once SailPoint Entro covers group membership
-
-
Once all added, click on Create

-
Assign the new Admin role on SailPoint Entro's application, and select the Entro resource set


-
To enable audit log collection, assigning the "Report Administrator" role along with the custom role is necessary.
