# Step 1: Evidence Details

|System|Source of data|Frameworks|
|---|---|---|
|okta|okta|okta|

`Purpose: Enforce separate responsibilities for critical system configurations to enhance security and accountability.`

```
RecomendedEvidenceName: OktaPrivilegedUserDetails
```




# Step 2: Define the System Specific Data


# Step 2a: API & Flow


 - GET /api/v1/users
  - The response gives the list of users in the org.
 - GET /api/v1/users/{userId}/roles
  - The response gives the list of roles assigned to the user; it is used to determine whether the user is an admin.
  - If the list is empty, the user is not privileged.
  - If the list is not empty, the user has privileged access.
 - GET /api/v1/policies?type=MFA_ENROLL
  - The response gives the policyId of each MFA_ENROLL policy and the groups included in that policy's conditions.
 - GET /api/v1/users/{userId}/groups
  - The response gives the list of groups the user belongs to. Compare this list with the groups included in the MFA_ENROLL policy: if there is a common group, the user is MFA enabled.

# Step 2b: Define the Extended Schema


`GET /api/v1/users`

```json
[
    {
        "id": "00ugromv83ZlFD4UC5d7",
        "status": "ACTIVE",
        "created": "2024-04-30T03:17:41.000Z",
        "activated": null,
        "statusChanged": "2024-04-30T05:11:26.000Z",
        "lastLogin": "2024-05-03T10:40:13.000Z",
        "lastUpdated": "2024-04-30T05:11:26.000Z",
        "passwordChanged": "2024-04-30T05:11:26.000Z",
        "type": {
            "id": "otygromv266cPwrj35d7"
        },
        "profile": {
            "firstName": "John",
            "lastName": "Doe",
            "mobilePhone": null,
            "secondEmail": null,
            "login": "john.doe@example.com",
            "email": "john.doe@example.com"
        },
        "credentials": {
            "password": {},
            "emails": [
                {
                    "value": "john.doe@example.com",
                    "status": "VERIFIED",
                    "type": "PRIMARY"
                }
            ],
            "provider": {
                "type": "OKTA",
                "name": "OKTA"
            }
        },
        "_links": {
            "self": {
                "href": "https://{yourOktaDomain}/api/v1/users/00ugromv83ZlFD4UC5d7"
            }
        }
    }
]
```

`GET /api/v1/users/{userId}/roles`

```json
[
    {
        "id": "ra1gromv8evFERzm45d7",
        "label": "Super Administrator",
        "type": "SUPER_ADMIN",
        "status": "ACTIVE",
        "created": "2024-04-30T03:17:41.000Z",
        "lastUpdated": "2024-04-30T03:17:41.000Z",
        "assignmentType": "USER",
        "_links": {
            "assignee": {
                "href": "https://{yourOktaDomain}/api/v1/users/00ugromv83ZlFD4UC5d7"
            }
        }
    }
]
```

`GET /api/v1/policies?type=MFA_ENROLL`

```json
[
    {
        "id": "00erfesfv6VkPbYqO5d7",
        "status": "ACTIVE",
        "name": "Default Policy",
        "description": "The default policy applies in all situations if no other policy applies.",
        "priority": 1,
        "system": true,
        "conditions": {
            "people": {
                "groups": {
                    "include": [
                        "00gvdsfovnfFOr5d7"
                    ]
                }
            }
        },
        "created": "2024-05-07T09:05:24.000Z",
        "lastUpdated": "2024-05-07T10:43:07.000Z",
        "settings": {
            "factors": {
                "okta_password": {
                    "enroll": {
                        "self": "REQUIRED"
                    },
                    "consent": {
                        "type": "NONE"
                    }
                }
            }
        },
        "_links": {
            "self": {
                "href": "https://{yourOktaDomain}/api/v1/policies/00pgxvdfv96VkPbYqO5d7",
                "hints": {
                    "allow": [
                        "GET",
                        "PUT"
                    ]
                }
            },
            "rules": {
                "href": "https://{yourOktaDomain}/api/v1/policies/00pgxjgpvasdvbYqO5d7/rules",
                "hints": {
                    "allow": [
                        "GET",
                        "POST"
                    ]
                }
            }
        },
        "type": "MFA_ENROLL"
    }
]
```

`GET /api/v1/users/{userId}/groups`

```json
[
    {
        "id": "00gh915i9xtNH5d7",
        "created": "2024-05-22T12:21:16.000Z",
        "lastUpdated": "2024-05-22T12:21:16.000Z",
        "lastMembershipUpdated": "2024-05-22T14:45:04.000Z",
        "objectClass": [
            "okta:group"
        ],
        "type": "BUILT_IN",
        "profile": {
            "name": "Everyone",
            "description": "All users in your organization"
        },
        "_links": {
            "logo": [
                {
                    "name": "medium",
                    "href": "https://ok12static.oktdn.com/assets/img/logos/groups/odyssey/okta-medium.30ce6d984e4c191bc874.png",
                    "type": "image/png"
                },
                {
                    "name": "large",
                    "href": "https://ok12static.oktacdn.com/assets/img/logos/groups/odyssey/okta-large.c3cb8cda8afe928f5844dbe3.png",
                    "type": "image/png"
                }
            ],
            "users": {
                "href": "https://dev-8824454.okta.com/api/v1/groups/00gh9wvdvYA9xtNH5d7/users"
            },
            "apps": {
                "href": "https://dev-88449454.okta.com/api/v1/groups/00gh9vasi8tNH5d7/apps"
            }
        }
    }
]
```

# Step 3: Define the Standard Schema

```json
{
    "System": "okta",
    "Source": "compliancecow",
    "ResourceID": "00uh95fhimSUiiA5d7",
    "ResourceName": "Test user 1",
    "ResourceType": "User",
    "ResourceLocation": "N/A",
    "ResourceTags": "N/A",
    "ResourceURL": "https://dev-88449454-admin.okta.com/admin/user/profile/view/00uh95fhimSUiiA5d7#tab-account",
    "UserEmail": "kavya@gmail.com",
    "UserGroups": [
        "Everyone"
    ],
    "UserRoles": [
        "Test Role 2"
    ],
    "RolePermission": [
        {
            "Permissions": "okta.groups.appAssignment.manage,okta.groups.create,okta.users.groupMembership.manage",
            "Role": "Test Role 2"
        }
    ],
    "MFAEnabled": true,
    "UserAuthenticationFactors": [
        "okta_sms"
    ],
    "ComplianceStatus": "",
    "ComplianceReason": ""
}
```
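The following Python is an added example, not ComplianceCow's or Okta's code, that ties the Step 2a flow to the Step 3 schema: it takes already-fetched responses from the four endpoints, treats a non-empty roles list as privileged access, collects the groups included by MFA_ENROLL policies, and marks a user MFA enabled when one of their groups appears in that set. The sample responses are constructed and trimmed to the fields the flow uses; ids such as `00u_admin` and `00g_admins` are placeholders, and `{yourOktaAdminDomain}` stands in for the admin URL host. Two choices are assumptions of this example rather than statements of the page: only ACTIVE policies count (an INACTIVE policy is not evaluated by Okta), and only privileged users are emitted, following the evidence name. RolePermission and UserAuthenticationFactors come from endpoints the flow above does not list, so they are left empty.

```python
"""Build OktaPrivilegedUserDetails records from Okta API responses.

Added example, not ComplianceCow's or Okta's code. The sample responses below are
constructed and trimmed to the fields the Step 2a flow uses; ids such as
"00u_admin" are placeholders, not real Okta ids.
"""
from typing import Any, Dict, Iterable, List, Set

# Constructed sample for GET /api/v1/users.
SAMPLE_USERS: List[Dict[str, Any]] = [
    {"id": "00u_admin", "status": "ACTIVE",
     "profile": {"firstName": "John", "lastName": "Doe", "email": "john.doe@example.com"}},
    {"id": "00u_helpdesk", "status": "ACTIVE",
     "profile": {"firstName": "Jane", "lastName": "Roe", "email": "jane.roe@example.com"}},
    {"id": "00u_member", "status": "ACTIVE",
     "profile": {"firstName": "Sam", "lastName": "Poe", "email": "sam.poe@example.com"}},
]

# Constructed samples for GET /api/v1/users/{userId}/roles, keyed by user id.
# An empty list means the user holds no admin role (not privileged).
SAMPLE_ROLES: Dict[str, List[Dict[str, Any]]] = {
    "00u_admin": [{"id": "ra1_super", "label": "Super Administrator",
                   "type": "SUPER_ADMIN", "status": "ACTIVE"}],
    "00u_helpdesk": [{"id": "ra1_help", "label": "Help Desk Administrator",
                      "type": "HELP_DESK_ADMIN", "status": "ACTIVE"}],
    "00u_member": [],
}

# Constructed samples for GET /api/v1/users/{userId}/groups, keyed by user id.
SAMPLE_GROUPS: Dict[str, List[Dict[str, Any]]] = {
    "00u_admin": [{"id": "00g_everyone", "profile": {"name": "Everyone"}},
                  {"id": "00g_admins", "profile": {"name": "Admins"}}],
    "00u_helpdesk": [{"id": "00g_everyone", "profile": {"name": "Everyone"}}],
    "00u_member": [{"id": "00g_everyone", "profile": {"name": "Everyone"}}],
}

# Constructed sample for GET /api/v1/policies?type=MFA_ENROLL. The second policy
# is INACTIVE, so its groups must not count as MFA enrolled (assumption here).
SAMPLE_MFA_POLICIES: List[Dict[str, Any]] = [
    {"id": "00p_default", "status": "ACTIVE", "name": "Default Policy", "type": "MFA_ENROLL",
     "conditions": {"people": {"groups": {"include": ["00g_admins"]}}}},
    {"id": "00p_retired", "status": "INACTIVE", "name": "Retired Policy", "type": "MFA_ENROLL",
     "conditions": {"people": {"groups": {"include": ["00g_everyone"]}}}},
]


def mfa_enrolled_groups(policies: Iterable[Dict[str, Any]]) -> Set[str]:
    """Return the ids of every group included by an ACTIVE MFA_ENROLL policy."""
    groups: Set[str] = set()
    for policy in policies:
        if policy.get("type") != "MFA_ENROLL" or policy.get("status") != "ACTIVE":
            continue
        conditions = policy.get("conditions") or {}
        include = ((conditions.get("people") or {}).get("groups") or {}).get("include") or []
        groups.update(include)
    return groups


def is_privileged(roles: List[Dict[str, Any]]) -> bool:
    """Step 2a rule: a non-empty roles list means the user has privileged access."""
    return len(roles) > 0


def is_mfa_enabled(user_groups: List[Dict[str, Any]], enrolled_groups: Set[str]) -> bool:
    """Step 2a rule: MFA enabled if any of the user's groups is in an MFA_ENROLL policy."""
    return any(group.get("id") in enrolled_groups for group in user_groups)


def build_record(user: Dict[str, Any], roles: List[Dict[str, Any]], groups: List[Dict[str, Any]],
                 enrolled_groups: Set[str], admin_domain: str) -> Dict[str, Any]:
    """Map one user onto the Step 3 standard schema."""
    profile = user.get("profile") or {}
    return {
        "System": "okta",
        "Source": "compliancecow",
        "ResourceID": user["id"],
        "ResourceName": f"{profile.get('firstName', '')} {profile.get('lastName', '')}".strip(),
        "ResourceType": "User",
        "ResourceLocation": "N/A",
        "ResourceTags": "N/A",
        "ResourceURL": f"https://{admin_domain}/admin/user/profile/view/{user['id']}#tab-account",
        "UserEmail": profile.get("email", ""),
        "UserGroups": [g.get("profile", {}).get("name", g.get("id")) for g in groups],
        "UserRoles": [r.get("label", r.get("type")) for r in roles],
        "RolePermission": [],            # source endpoint not in the flow above
        "MFAEnabled": is_mfa_enabled(groups, enrolled_groups),
        "UserAuthenticationFactors": [],  # source endpoint not in the flow above
        "ComplianceStatus": "",
        "ComplianceReason": "",
    }


def privileged_user_details(users, roles_by_user, groups_by_user, policies,
                            admin_domain: str = "{yourOktaAdminDomain}") -> List[Dict[str, Any]]:
    """Run the Step 2a flow over fetched responses, keeping privileged users only."""
    enrolled = mfa_enrolled_groups(policies)
    records = []
    for user in users:
        roles = roles_by_user.get(user["id"], [])
        if not is_privileged(roles):
            continue
        user_groups = groups_by_user.get(user["id"], [])
        records.append(build_record(user, roles, user_groups, enrolled, admin_domain))
    return records


if __name__ == "__main__":
    for rec in privileged_user_details(SAMPLE_USERS, SAMPLE_ROLES, SAMPLE_GROUPS, SAMPLE_MFA_POLICIES):
        print(rec["ResourceName"], rec["UserRoles"], "MFAEnabled=%s" % rec["MFAEnabled"])
```

Run on the samples, the Super Administrator (in the Admins group) comes out with MFAEnabled true, the Help Desk Administrator (Everyone only, since the policy that includes Everyone is INACTIVE) comes out false, and the role-less member is not emitted at all.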

# Step 3.a: Sample Data

| System | Source | ResourceID | ResourceName | ResourceType | ResourceLocation | ResourceTags | ResourceURL | UserEmail | UserGroups | UserRoles | RolePermission | MFAEnabled | UserAuthenticationFactors | ComplianceStatus | ComplianceReason |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| okta | compliancecow | e95aff7d-8cf7-47a3-bac5b423 | John Danie | User | N/A | N/A | https://dev-88449454-admin.okta.com/admin/user/profile/view/00uh95fhimSUiiA5d7#tab-account | kavya@gmail.com | ["Everyone"] | ["Test Role 2"] | Permissions: okta.groups.appAssignment.manage,okta.groups.create,okta.users.groupMembership.manage, Role: Test Role 2 | True | ["okta_sms"] | | |

# Step 4: Describe the Compliance Taxonomy

N/A

# Step 5: Calculation for Compliance Percentage and Status

N/A



# Step 6: Describe (in words) the Remediation Steps for Non-Compliance

N/A

# Step 7: Control Setup Details

| Control Details            |                                                 |
|----------------------------|-------------------------------------------------|
| **RuleName**               | OktaPrivilegedUserDetails                       |
| **PreRequisiteRuleNames**  | N/A                                             |
| **ExtendedSchemaRuleNames**| N/A                                             |
| **ApplicationClassName**   | oktaconnector                                   |
| **PostSynthesizerName**    | N/A                                             |