Last active
November 3, 2021 19:32
-
-
Save phi1ipp/2e522a9130ea21d97c1e9e32a67071de to your computer and use it in GitHub Desktop.
How to get Okta Admin groups with their privileges
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function loop(after) { | |
| setTimeout(() => { | |
| let url = ''; | |
| if (after) | |
| url = 'https://' + domain + '/api/internal/administrators?after=' + after + '&filter=SuperOrgAdmin%2COrgAdmin%2CAppAdmin%2CUserAdmin%2CHelpDeskAdmin%2CReadOnlyAdmin%2CApiAccessManagementAdmin%2CReportAdmin%2CGroupMembershipAdmin&type=group&limit=100&expand=user%2Capps%2Cinstances%2CappAndInstances%2CuserAdminGroups%2ChelpDeskAdminGroups%2CgroupMembershipAdminGroups' | |
| else | |
| url = 'https://' + domain + '/api/internal/administrators?filter=SuperOrgAdmin%2COrgAdmin%2CAppAdmin%2CUserAdmin%2CHelpDeskAdmin%2CReadOnlyAdmin%2CApiAccessManagementAdmin%2CReportAdmin%2CGroupMembershipAdmin&type=group&limit=100&expand=user%2Capps%2Cinstances%2CappAndInstances%2CuserAdminGroups%2ChelpDeskAdminGroups%2CgroupMembershipAdminGroups' | |
| fetch(url) | |
| .then(resp => resp.json()) | |
| .then(data => { | |
| console.log(data); // just for visual progress tracking | |
| aaData = aaData.concat(data); | |
| const last = data[data.length - 1] | |
| if (aaData.length < upper) | |
| loop(last.groupId) | |
| }) | |
| }, timeout) | |
| } | |
| var domain = 'your-tenant-admin.okta.com'; | |
| var timeout = 1000; //once per second | |
| var upper = 100; //upper amount of admin groups | |
| var aaData = [] | |
| loop(null) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| aaData.forEach(ar => { | |
| const grpName = ar._embedded.group.name | |
| const perms = | |
| Object.keys(ar) | |
| .filter(key => typeof ar[key] === 'boolean' && ar[key]) | |
| .map(key => { | |
| if (key === 'appAdmin') | |
| return `${key} (${ar._embedded.instances?.map(inst => inst.displayName).join(';')})` | |
| else if (key === 'helpDeskAdmin') | |
| return `${key} (${ar._embedded.helpDeskAdminGroups.map(gr => gr.profile.name).join(';')})` | |
| else if (key === 'groupMembershipAdmin') | |
| return `${key} (${ar._embedded.groupMembershipAdminGroups.map(gr => gr.profile.name).join(';')})` | |
| else if (key === 'userAdmin') | |
| return `${key} (${ar._embedded.userAdminGroups.map(gr => gr.profile.name).join(';')})` | |
| else | |
| return key | |
| }) | |
| console.log(grpName, '=====>', perms.join('--')) | |
| }) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Run
capture_groups.jsinside the browser console to collect the data. You need to adjust your okta admin URL and approximate amount of groups with admin privs (if you set it higher, no biggie, but you'll see some error messages). I do one request per second (timeoutvariable) to avoid hitting endpoint threshold (I checked and in my org it's 1000 per minute). At the end all data will be sitting inaaDataarray.Second script
report.jsis to process the array and print the result in the console.