Scopes for Okta connector cards

Your Okta connector accesses the Okta API using scoped OAuth 2.0 access tokens. Each access token enables the bearer to perform specific actions on specific Okta endpoints. The scopes contained in the access token control the ability to perform these actions.

Grant the required scopes for each of the event and action cards that you want to use in your Okta connector.

For an existing connection, you must reauthorize the connection to pick up any scope changes.

The OAuth 2.0 Scopes topic in the Okta developer documentation contains detailed descriptions for all available scopes.

Default scopes

These default scopes are automatically granted. You don't need to grant them through the Okta Workflows OAuth app. They appear in the Permissions tab of the Okta connector.

The connection authorization fails if you revoke any of these automatically granted scopes from the OAuth app.

  • address
  • email
  • groups
  • offline_access
  • openid
  • phone
  • profile

Event cards

The event cards for the Okta connector require the scopes indicated in the following table.

| Connector card | Required scopes |
| --- | --- |
| All Okta connector event cards | okta.eventHooks.manage |
| User Synced in External Application | okta.apps.read |
| User App Password Changed | okta.apps.read |
| User Assigned to Application | okta.apps.read |
| User Unassigned from Application | okta.apps.read |

Action cards

The action cards for the Okta connector require the scopes indicated in the following table.

| Connector card | Required scopes |
| --- | --- |
| Activate Application | okta.apps.manage |
| Activate Group Rule | okta.groups.manage |
| Activate User | okta.users.read, okta.users.manage |
| Add User to Group | okta.groups.manage |
| Assign Group to Application | okta.apps.manage |
| Assign User to Application for SSO | okta.apps.manage, okta.apps.read |
| Assign User to Application for SSO and Provisioning | okta.apps.manage, okta.apps.read |
| Bulk User Import | okta.schemas.read, okta.identitySources.manage |
| Clear User Sessions | okta.users.manage |
| Create Group | okta.groups.manage, okta.schemas.read |
| Create Group Rule | okta.groups.manage |
| Create an Import Session | okta.identitySources.manage, okta.apps.read |
| Create User | okta.users.manage, okta.schemas.read |
| Custom API Action | Any scopes required by the API endpoint. |
| Deactivate Application | okta.apps.manage |
| Deactivate Group Rule | okta.groups.manage |
| Deactivate User | okta.users.read, okta.users.manage |
| Delete Application | okta.apps.manage |
| Delete Group | okta.groups.manage |
| Delete Group Rule | okta.groups.manage |
| Delete Import Session | okta.identitySources.manage, okta.apps.read |
| Delete Linked Object Value | okta.users.manage, okta.linkedObjects.read |
| Delete User | okta.users.manage |
| Find Users | okta.users.read |
| Get Assigned User for Application | okta.apps.read |
| Get Associated Linked Object Values | okta.users.read, okta.linkedObjects.read |
| Get Primary Linked Object Value | okta.users.read, okta.linkedObjects.read |
| Get Users Groups | okta.users.read |
| List Applications Assigned to Group | okta.apps.read |
| List Applications Assigned to User | okta.apps.read |
| List Group Members | okta.groups.read |
| List Groups Assigned to Application | okta.apps.read |
| List Import Sessions | okta.identitySources.read, okta.apps.read |
| List Users Assigned to Application | okta.apps.read |
| List Users With Filter | okta.users.read |
| List Users With Search | okta.users.read, okta.schemas.read |
| Map Profile Source Attributes | okta.apps.read |
| Read Application | okta.apps.read |
| Read Assigned Group for Application | okta.apps.read |
| Read Group | okta.groups.read |
| Read Group Rule | okta.groups.read |
| Read Import Session | okta.identitySources.read, okta.apps.read |
| Read User | okta.users.read |
| Remove Group from Application | okta.apps.manage |
| Remove User from Application | okta.apps.manage |
| Remove User from Group | okta.groups.manage |
| Reset Password | okta.users.manage |
| Search Applications | okta.apps.read |
| Search Group Rules | okta.groups.read |
| Search Groups | okta.groups.read, okta.schemas.read |
| Search System Logs | okta.logs.read |
| Set Linked Object Value for Primary | okta.users.manage, okta.linkedObjects.read |
| Suspend User | okta.users.read, okta.users.manage |
| Trigger Import Session | okta.identitySources.manage, okta.apps.read |
| Unsuspend User | okta.users.read, okta.users.manage |
| Update Application Credentials for an Assigned User | okta.apps.read, okta.apps.manage |
| Update Application Profile for Assigned User | okta.apps.read, okta.apps.manage |
| Update Group | okta.groups.manage |
| Update Group Rule | okta.groups.read |
| Update User | okta.users.read, okta.users.manage, okta.schemas.read |
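The following least-privilege check is an added example, not code from Okta or from this page. It compares the scopes granted to a connection with what the cards in use require, using a handful of rows from the tables above; the function name audit_connection, its parameters and the sample grant are hypothetical.

```python
DEFAULT_SCOPES = {"address", "email", "groups", "offline_access",
                  "openid", "phone", "profile"}

# Subset of rows copied from the tables on this page (extend as needed).
# The event-card row includes the scope required by all event cards.
CARD_SCOPES = {
    "User Assigned to Application": {"okta.eventHooks.manage", "okta.apps.read"},
    "Read User": {"okta.users.read"},
    "Suspend User": {"okta.users.read", "okta.users.manage"},
    "Add User to Group": {"okta.groups.manage"},
    "Search System Logs": {"okta.logs.read"},
}

def audit_connection(cards, granted, custom_api_scopes=()):
    """Compare granted scopes with what the cards in use require.

    cards: card names used by your flows.
    granted: scopes currently granted to the connection.
    custom_api_scopes: scopes you determined for any Custom API Action card.
    """
    unknown = sorted(c for c in cards
                     if c not in CARD_SCOPES and c != "Custom API Action")
    if unknown:
        raise KeyError(f"no scope mapping for: {unknown}")
    if "Custom API Action" in cards and not custom_api_scopes:
        raise ValueError("list the endpoint scopes for Custom API Action")
    required = set(custom_api_scopes)
    for card in cards:
        required |= CARD_SCOPES.get(card, set())
    granted = set(granted)
    return {
        "required": sorted(required),
        "missing": sorted(required - granted),            # cards will fail
        "excess": sorted(granted - required - DEFAULT_SCOPES),  # candidates to revoke
        "revoked_defaults": sorted(DEFAULT_SCOPES - granted),   # authorization fails
    }

if __name__ == "__main__":
    # Constructed grant list for illustration only.
    grant = (DEFAULT_SCOPES - {"phone"}) | {"okta.users.read", "okta.apps.manage"}
    report = audit_connection(["Read User", "Suspend User"], grant)
    for key, value in report.items():
        print(f"{key}: {value}")
```

After granting any missing scopes, reauthorize the existing connection so that it picks up the change.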
