IIQ 8.4p1 - Okta Integration Read-Only - Task Errors

Attempting to switch Okta integration to read-only but experiencing errors in the “Okta Account Aggregation” task. Okta integration is facilitated via API token and SailPoint permissions were reduced to read-only on the Okta side.

Errors pertain to insufficient permissions which leads me to believe SailPoint is still attempting write/provisioning actions.

Error example:

Exception during aggregation of Object Type Account on Application Okta. Reason: Unable to create iterator sailpoint.connector.InsufficientPermissionException: [ InsufficientPermissionException ] [ Possible suggestions ] Furnish appropriate permission to the Okta API token owner. [ Error details ] Insufficient privileges detected. HTTP Error code : 403, Okta Error code : E0000006, errorSummary : You do not have permission to perform the requested action, errorCauses:[].

No direct ‘Provisioning Policies’ configured on the Application Definition for Okta.

Any advice on other SailPoint aspects to check to assure read-only configuration?

Hi @ibeihoffer - welcome to the SailPoint Developer Community!

The error you posted suggests the credentials you are using with the Okta connector do not have the required permissions to read the data from Okta. Given you mentioned this is an Account Aggregation, there should be no write/provisioning actions during this process.

Given the 403 error code, I would consult this table to validate your API token is scoped appropriately.

Could you provide me answers to the following questions which can better help in troubleshooting:

  1. Have you been able to do a successful “Test Connection” for the application?
  2. Have you been able to run a Group Aggregation for this connector?
  3. Have you attempted this with new credentials?
  4. What does your filter string look like for this connector?

This post was answered by a Palyrian Solutions Architect. Feel free to message me directly if your problem requires a deeper dive.
:globe_with_meridians: palyrian.com | :telephone_receiver: (301) 284-8124

@ibeihoffer Please enable the connector logs and see on which API you are getting the 403 error. This would help isolate the issue.
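Besides reading the connector logs, you can isolate the failing call by hitting the same Okta endpoints directly with the IIQ token. The script below is an added example for this thread, not code from SailPoint or from the Okta connector. The endpoint list is an assumption about which resources an account aggregation reads (users, groups, and the per-user roles call the thread later identifies); the `OKTA_ORG_URL` and `OKTA_API_TOKEN` environment variable names are also assumptions. It reports, per endpoint, whether the token succeeds, gets Okta's `E0000006` permission error, or fails for another reason.

```python
"""
Probe which Okta API calls an SSWS API token is actually allowed to make.

Added example for the troubleshooting discussion above; not part of the
original thread or of SailPoint's Okta connector. The endpoints probed
(users, groups, per-user roles) are an assumption about what an account
aggregation reads. OKTA_ORG_URL / OKTA_API_TOKEN are assumed env var names.
"""
import json
import os
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# (label, path) pairs. The roles call is the one the thread found a
# Read-Only Admin token cannot make. {user_id} is filled from the users call.
PROBES: List[Tuple[str, str]] = [
    ("users", "/api/v1/users?limit=1"),
    ("groups", "/api/v1/groups?limit=1"),
    ("user_roles", "/api/v1/users/{user_id}/roles"),
]

# A fetcher takes an API path and returns (HTTP status, response body).
Fetcher = Callable[[str], Tuple[int, str]]


def okta_fetcher(org_url: str, token: str) -> Fetcher:
    """Build a fetcher that GETs paths on the org with SSWS token auth."""
    def fetch(path: str) -> Tuple[int, str]:
        req = urllib.request.Request(
            org_url.rstrip("/") + path,
            headers={"Authorization": f"SSWS {token}",
                     "Accept": "application/json"},
        )
        try:
            with urllib.request.urlopen(req, timeout=15) as resp:
                return resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as e:
            # Okta returns a JSON error document on 4xx; keep it for parsing.
            return e.code, e.read().decode("utf-8", "replace")
    return fetch


def classify(status: int, body: str) -> str:
    """Map one Okta response to 'ok', 'forbidden' (E0000006) or 'other(<code>)'."""
    if 200 <= status < 300:
        return "ok"
    try:
        err = json.loads(body)
    except ValueError:
        err = {}
    if status == 403 and isinstance(err, dict) and err.get("errorCode") == "E0000006":
        return "forbidden"
    return f"other({status})"


def probe_token(fetch: Fetcher) -> Dict[str, str]:
    """Run every probe, chaining the first user id into the roles call."""
    results: Dict[str, str] = {}
    user_id: Optional[str] = None
    for label, path in PROBES:
        if "{user_id}" in path:
            if user_id is None:
                # Cannot test the roles call without a user to ask about.
                results[label] = "skipped(no user id)"
                continue
            path = path.replace("{user_id}", user_id)
        status, body = fetch(path)
        results[label] = classify(status, body)
        if label == "users" and results[label] == "ok":
            try:
                users = json.loads(body)
                if users:
                    user_id = users[0]["id"]
            except (ValueError, KeyError, TypeError, IndexError):
                pass
    return results


def missing_permissions(results: Dict[str, str]) -> List[str]:
    """Labels of probes the token is explicitly forbidden from reading."""
    return sorted(label for label, verdict in results.items() if verdict == "forbidden")


if __name__ == "__main__":
    org = os.environ["OKTA_ORG_URL"]        # e.g. https://example.okta.com (assumed)
    token = os.environ["OKTA_API_TOKEN"]    # the token the IIQ application uses
    verdicts = probe_token(okta_fetcher(org, token))
    for label, verdict in verdicts.items():
        print(f"{label:12s} {verdict}")
    if missing_permissions(verdicts):
        print("Token lacks read access to:", ", ".join(missing_permissions(verdicts)))
```

A token that passes Test Connection and group aggregation but fails on account aggregation will typically show `users` and `groups` as `ok` and `user_roles` as `forbidden`, which points at the role grant rather than at the connector configuration.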

Hello @robert-hails,

Please find the responses to your questions below.

  1. Have you been able to do a successful “Test Connection” for the application?
    1. Yes, Test Connection succeeds for Okta
  2. Have you been able to run a Group Aggregation for this connector?
    1. Yes, the Group Aggregation task runs successfully daily. Only experiencing issues with the Okta Account Aggregation task.
  3. Have you attempted this with new credentials?
    1. I have not tested new credentials as the group aggregation is working as expected.
  4. What does your filter string look like for this connector?
    1. For accounts there is no filter condition currently defined. For groups the filter condition is: type eq “BUILT_IN” or type eq “OKTA_GROUP”

Thanks @ibeihoffer

Given your test connection and group aggregation are working as expected, my guess is the API token does not have valid permissions to read from all required resources within Okta.

Were you able to cross-reference with the table I linked above? You can also trace the logs to help determine where the connector is unable to read from Okta.

Looks like I typo'd "filter string"; I meant to ask for the feature string.

I believe the OOTB for Okta is DISCOVER_SCHEMA, PROVISIONING, SYNC_PROVISIONING, UNLOCK, ENABLE, SEARCH, AUTHENTICATE, PASSWORD, CURRENT_PASSWORD

This can also be altered to block provisioning requests, in which SailPoint would create manual work items instead.

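To make the feature-string change concrete: in IIQ the features are carried on the `featuresString` attribute of the Application XML. The fragment below is an added illustration, not an export from the poster's environment; the application name, the trimmed attributes, and the choice of which features count as "read" (DISCOVER_SCHEMA and SEARCH) are assumptions. The first `Application` element shows the out-of-the-box list from the reply above, the second a read-only version with the write-side features (PROVISIONING, SYNC_PROVISIONING, UNLOCK, ENABLE, AUTHENTICATE, PASSWORD, CURRENT_PASSWORD) removed so that IIQ raises manual work items instead of calling Okta.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE Application PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<!-- Before: OOTB Okta feature string as listed in the thread.
     Other attributes (connector class, schemas, attributes map) omitted. -->
<Application name="Okta" type="Okta"
             featuresString="DISCOVER_SCHEMA, PROVISIONING, SYNC_PROVISIONING, UNLOCK, ENABLE, SEARCH, AUTHENTICATE, PASSWORD, CURRENT_PASSWORD">
</Application>

<!-- After: read-only variant (assumed feature set). With PROVISIONING gone,
     provisioning plans targeting this application become manual work items
     rather than Okta API writes. -->
<Application name="Okta" type="Okta"
             featuresString="DISCOVER_SCHEMA, SEARCH">
</Application>
```

Note that this only controls what IIQ will attempt; it does not change what the Okta token can read, so an aggregation 403 like the one above still has to be fixed on the Okta side.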

I know you said Test Connection works for you, so it doesn’t apply.

However, you can also get this 403 error when attempting to connect a development environment to Okta while using a public VPN like Nord or Private Internet Access.

@robert-hails @neel193

Based on the table Robert linked earlier and discussion with our Okta team, currently SailPoint is configured as Read-Only Admin. Looking at the Okta connector logs, the 403 appears to be originating from API calls related to roles, which Read-Only Admin appears to lack.

Perhaps there is a way to grant the ability to read role information within Okta on an ad hoc basis. If not, I will test removing the account attribute 'roles' under the Application Definition Schema.

@ibeihoffer Do you want to aggregate Okta roles? Have you tried removing the roles attribute from the schema and running the aggregation to see whether it succeeds?

This issue has been resolved. The problem was that the Okta role “Read-Only Admin” doesn’t permit reading Okta role info.

In Okta, access was granted for SailPoint to view role information and then the Okta Account Aggregation task succeeded.

Thanks all for your responses!


Perfect glad it is resolved!

@isaac_cardoso0327 Please accept your latest post as solution: IIQ 8.4p1 - Okta Integration Read-Only - Task Errors - #9 by ibeihoffer
This will help other users in case they run into a similar issue.