mbegan
commented
5 years ago Hi @vcloudguy,
I had to read up on this a little bit. I didn't realize that were was an additive element for attributes like roles in application assignments.
It looks like there is a bit of a limitation on the underlying API (I'll provide this feedback to the appropriate teams) but i think there is a way to overcome it.
We can enumerate the groups a user is a member of and we can enumerate the groups used to assign the app along with the roles granted for each group.
By slamming the information together we can get the complete list of roles a user has.
Try something like this.
Import-Module Okta
$myOrg = 'okp1'
$myAppId = '0oa1cz6mppvsqMnK21d8'
$myLimit = 500
$oktaVerbose=$true
$myVerbose=$true
#Get all the Users assgined to the app
$appUsers = oktaGetUsersbyAppID -oOrg $myOrg -aid $myAppId -limit $myLimit -Verbose:$myVerbose
#Get all of the groups used to assign the app
$appGroups = oktaGetAppGroups -oOrg $myOrg -aid $myAppId -Verbose:$myVerbose
#turn the array of groups into a hash that is keyed by groupId for easier reconcilliation at the next step.
$appGroupHash = New-Object System.Collections.Hashtable
foreach ($appGroup in $appGroups)
{
$appGroupHash.Add($appGroup.id,$appGroup)
}
#a few arrays to store the "report" in
$joinedReport = New-Object System.Collections.ArrayList
$multiLineReport = New-Object System.Collections.ArrayList
foreach ($appUser in $appUsers)
{
$allSamlRoles = New-Object System.Collections.ArrayList
foreach ($samlRole in $appUser.profile.samlRoles)
{
$_c = $allSamlRoles.Add($samlRole)
}
$usersGroups = oktaGetGroupsbyUserId -oOrg $myOrg -uid $appUser.id -Verbose:$myVerbose
foreach ($gId in $appGroupHash.Keys)
{
if ($usersGroups.Contains($gId))
{
$thisGroup = $appGroupHash[$gId]
foreach ($groupSamlRole in $thisGroup.profile.samlRoles)
{
if (!$allSamlRoles.Contains($groupSamlRole))
{
$_c = $allSamlRoles.Add($groupSamlRole)
}
}
}
}
#option one, join the array of samlroles and stuff one line into the report
$stringSamlRoles = ($allSamlRoles -join ";")
$line = @{ externalID = $appUser.externalId; firstname = $appUser.profile.firstName; lastname = $appUser.profile.lastname; email = $appUser.profile.email; samlRoles = $stringSamlRoles }
$row = New-Object psobject -Property $line
$_c = $joinedReport.Add($row)
#option two, stuff a line in the report for each role
foreach ($samlRole in $allSamlRoles)
{
$line = @{ externalID = $appUser.externalId; firstname = $appUser.profile.firstName; lastname = $appUser.profile.lastname; email = $appUser.profile.email; samlRole = $samlRole }
$row = New-Object psobject -Property $line
$_c = $multiLineReport.Add($row)
}
}
($joinedReport | Select-Object externalID, firstname, lastname, email, samlRoles) | Format-Table
($multiLineReport | Select-Object externalID, firstname, lastname, email, samlRole) | Format-Table
vcloudguy
I am trying to run Okta API using the powershell module to retrieve all users assigned to AWS apps via groups with their assigned AWS roles. I am able to retrieve the user list along with their SAML roles. However, I have some users who are members of multiple groups and each group is mapped to a different AWS role. When I run this command I get the info of the first group a user is member of and it skips to list any other group and corresponding SAML role.
Its showing me the result based on the Role set by the first group in the group priority. If I change the user to individual assignment and map multiple roles then I can retrieve all roles for the user. Any ideas how do I see all roles for groups users are member of?
oktaGetUsersbyAppID -oorg prod1 -aid '' | select externalID -expandproperty profile | select firstname, lastname, externalID, @{expression={($_.samlroles) -join ";"}; label= 'SAML Role'}
Any advise or assistance would be greatly appreciated.