How to get Okta Admin groups with their privileges
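/**
 * Fetch one page of group-type administrator assignments, append it to the
 * global `aaData` array, and schedule the next page until `upper` records
 * have been collected or the endpoint returns an empty page.
 *
 * Reads the globals `domain`, `timeout` and `upper`; reassigns `aaData`.
 * `fetch` is called without options, so the request presumably relies on the
 * admin session of the browser tab the script is run in (confirm for your
 * tenant). The `/api/internal/` path is part of the URL as written here; it is
 * presumably not a documented, stable API, so the response shape may change.
 *
 * @param {?string} after - `groupId` of the last record already collected,
 *   or a falsy value to request the first page.
 */
function loop(after) {
  // Fixed part of the query: role filter, group-type assignments only,
  // page size 100, and the embedded objects the report script reads.
  const query =
    'filter=SuperOrgAdmin%2COrgAdmin%2CAppAdmin%2CUserAdmin%2CHelpDeskAdmin%2CReadOnlyAdmin%2CApiAccessManagementAdmin%2CReportAdmin%2CGroupMembershipAdmin&type=group&limit=100&expand=user%2Capps%2Cinstances%2CappAndInstances%2CuserAdminGroups%2ChelpDeskAdminGroups%2CgroupMembershipAdminGroups';

  // The delay throttles the requests: one call every `timeout` milliseconds.
  setTimeout(() => {
    const base = 'https://' + domain + '/api/internal/administrators?';
    // The cursor is taken from a response body, so encode it before it goes
    // into the query string.
    const url = after
      ? `${base}after=${encodeURIComponent(after)}&${query}`
      : `${base}${query}`;

    fetch(url)
      .then((resp) => {
        // An expired session or a rate-limit answer carries an error body;
        // stop here instead of appending that body to aaData.
        if (!resp.ok) {
          throw new Error(`administrators request failed with HTTP ${resp.status}`);
        }
        return resp.json();
      })
      .then((data) => {
        // An empty (or non-array) page means there is nothing left to read;
        // without this guard the cursor lookup below throws on `undefined`.
        if (!Array.isArray(data) || data.length === 0) {
          return;
        }
        console.log(data); // just for visual progress tracking
        aaData = aaData.concat(data);
        if (aaData.length < upper) {
          loop(data[data.length - 1].groupId);
        }
      })
      .catch((err) => {
        // Surface the failure once and stop paging; aaData keeps what was
        // collected so far.
        console.error('Stopped collecting admin groups:', err);
      });
  }, timeout);
}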
// Accumulates every administrator record returned by loop(); the report
// script reads it afterwards.
var aaData = [];

// Upper bound on the number of admin groups to collect before paging stops.
var upper = 100;

// Delay before each request, in milliseconds (1000 = one request per second).
var timeout = 1000;

// Hostname of the tenant's admin console; replace with your own.
var domain = 'your-tenant-admin.okta.com';

// Start with the first page (no cursor).
loop(null);
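// Print one line per collected administrator record: the group name followed
// by every role flag that is `true` on the record. Roles that carry targets
// (apps or groups) list the target names in parentheses, joined with ';'.
aaData.forEach((ar) => {
  const embedded = ar._embedded;

  // A record may come back without one of the expanded lists; treat a missing
  // list as empty so one such record does not abort the whole report.
  // NOTE(review): empty parentheses only mean no targets were returned for
  // the role; whether that implies an unscoped role should be confirmed
  // against the tenant before drawing conclusions.
  const names = (list, pick) => (list ?? []).map(pick).join(';');
  const profileName = (gr) => gr.profile.name;

  const perms = Object.keys(ar)
    // Role flags are the boolean properties; keep only the granted ones.
    .filter((key) => ar[key] === true)
    .map((key) => {
      switch (key) {
        case 'appAdmin':
          return `${key} (${names(embedded.instances, (inst) => inst.displayName)})`;
        case 'helpDeskAdmin':
          return `${key} (${names(embedded.helpDeskAdminGroups, profileName)})`;
        case 'groupMembershipAdmin':
          return `${key} (${names(embedded.groupMembershipAdminGroups, profileName)})`;
        case 'userAdmin':
          return `${key} (${names(embedded.userAdminGroups, profileName)})`;
        default:
          return key;
      }
    });

  console.log(embedded.group.name, '=====>', perms.join('--'));
});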
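Run capture_groups.js inside the browser console to collect the data. You need to adjust your Okta admin URL and the approximate number of groups with admin privileges (if you set it higher, no biggie, but you'll see some error messages). I do one request per second (the timeout variable) to avoid hitting the endpoint's request threshold (I checked, and in my org it's 1000 per minute). At the end, all the data will be sitting in the aaData array. Note that the script calls an /api/internal/ path, so the response format may change without notice, and the collected data maps every admin group to its roles and targets, so treat the console output and any saved copy as sensitive.

The second script, report.js, processes the array and prints the result in the console.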