Target
This guide is intended for organizations that have ellie.ai integrated with their Okta platform. It replaces the Read-only Administrator role on the ellie.ai account with a custom admin role constrained by a resource set, so that the Okta API token ellie.ai uses can only view the users and groups it actually needs.
...
Sign in with your Okta super admin account
Create a new custom admin role
Go to Security > Administrators
Go to Roles tab
Click on Create a new role
Fill in a name (e.g. view-users-and-groups-only)
Fill in a description (e.g. “Lets the admin view users and groups details”)
Check in User permissions: “View users and their details”
Check in Group permissions: “View groups and their details”
Click on Save role
Create a new resource set (more information about resource sets below)
Go to Security > Administrators
Go to Resources tab
Click on Create a new resource set
Fill in a name (e.g. ellie-groups)
Fill in a description (e.g. “Constrains to ellie.ai groups only”)
Define the first resource
In Resource type select “Users”
In Group names, select every group assigned to your ellie.ai application (normally a single group, “ellie”). The members of the selected groups are the users ellie.ai can view, so the selection should mirror the list of users assigned to the ellie.ai application.
Click on Add another resource type
Define the second resource
In Resource type select “Groups”
Check “Constrain to all groups” (recommended; otherwise you will have to update this resource set every time you change the mapping between groups and ellie.ai roles). The trade-off is that the token can then view the details of every group in the org, not only the ellie.ai ones.
Otherwise, in Group names select only the groups ellie.ai needs to view (e.g. “ellie-read”, “ellie-write”, “ellie-admin” and “ellie”)
Click on Save resource set
Downgrade the ellie.ai custom account (the account whose API token ellie.ai uses) to the newly created custom admin role
Go to Security > Administrators
Go to Admins tab
Find the ellie.ai custom account in the list
Click on Edit assignments in the Edit dropdown
In Role, replace “Read-only Administrator” with the custom role created above (e.g. view-users-and-groups-only)
In Resource set, select the resource set created above (e.g. ellie-groups)
Make sure this is the only role left in the assignments list: an API token inherits every role assigned to the account that owns it, so any additional role would widen what the token can do beyond the resource set
Click on Save Changes
...
ellie.ai only calls {{url}}/api/v1/users/{{userId}}/groups, which returns results only where the two scopes intersect: the user must be covered by the users resource, and only groups covered by the groups resource are returned. Keep in mind, however, that the token itself is granted the union of both scopes (view only): it can also list every user in the users resource through /api/v1/users and every group in the groups resource through /api/v1/groups, whether or not ellie.ai ever calls those endpoints.
Examples
Colour legend for the examples:
In purple: what the API token can view in the user scope.
In blue: what the API token can view in the group scope.
In violet: what ellie.ai actually views (the intersection of both scopes).
In rose: what the API token cannot access in the respective scope.
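The following is an added example, not code from ellie.ai or Okta. It does two things: it provisions the custom role, the resource set and the single role assignment from the steps above through the Okta Roles API instead of the Admin Console, and it audits what the downgraded account's API token can actually see, so you can confirm the union-versus-intersection point above on your own org. Everything about the API is an assumption to verify against the Okta Roles API reference for your org: the /api/v1/iam/roles and /api/v1/iam/resource-sets endpoints, the permission ids okta.users.read and okta.groups.read, the resource URL forms for “members of a group” and “all groups”, and that creates return HTTP 200 or 201. The group id, user ids and environment variable names are placeholders.

```python
# Added example (not ellie.ai's or Okta's code): provision the custom role and
# resource set from the steps above through the Okta Roles API, then audit what
# the service account's API token can actually see. Assumptions to verify
# against the Okta Roles API reference for your org: the /api/v1/iam/roles and
# /api/v1/iam/resource-sets endpoints, the permission ids okta.users.read and
# okta.groups.read, the resource URL forms below, and that creates return 200/201.
import json
import os
import urllib.error
import urllib.request

USERS_PERM = "okta.users.read"    # "View users and their details"
GROUPS_PERM = "okta.groups.read"  # "View groups and their details"


def okta_call(base_url, token, method, path, body=None):
    """One Okta API request with an SSWS token; returns (http_status, parsed_json)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        base_url + path, data=data, method=method,
        headers={"Authorization": "SSWS " + token, "Accept": "application/json",
                 "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        return err.code, None


def provision(call, base_url, ellie_group_id, service_user_id,
              role_label="view-users-and-groups-only", rs_label="ellie-groups"):
    """Super-admin side: create role + resource set, assign them to the ellie.ai
    account and remove every other role so exactly one assignment remains.
    `call(method, path, body)` is the transport (okta_call bound to a token),
    injected so the logic can be exercised without an org."""
    status, role = call("POST", "/api/v1/iam/roles", {
        "label": role_label,
        "description": "Lets the admin view users and groups details",
        "permissions": [USERS_PERM, GROUPS_PERM]})
    if status not in (200, 201):
        raise RuntimeError(f"role creation failed: HTTP {status}")
    status, rset = call("POST", "/api/v1/iam/resource-sets", {
        "label": rs_label,
        "description": "Constrains to ellie.ai groups only",
        "resources": [
            f"{base_url}/api/v1/groups/{ellie_group_id}/users",  # members of "ellie"
            f"{base_url}/api/v1/groups"]})                       # all groups
    if status not in (200, 201):
        raise RuntimeError(f"resource set creation failed: HTTP {status}")
    status, assignment = call("POST", f"/api/v1/users/{service_user_id}/roles",
                              {"type": "CUSTOM", "role": role["id"],
                               "resource-set": rset["id"]})
    if status not in (200, 201):
        raise RuntimeError(f"role assignment failed: HTTP {status}")
    # An API token carries the union of its owner's roles, so a leftover
    # Read-only Administrator would keep org-wide read access alive.
    _, current = call("GET", f"/api/v1/users/{service_user_id}/roles", None)
    removed = []
    for r in current or []:
        if r["id"] != assignment["id"]:
            call("DELETE", f"/api/v1/users/{service_user_id}/roles/{r['id']}", None)
            removed.append(r["type"])
    return {"role_id": role["id"], "resource_set_id": rset["id"],
            "assignment_id": assignment["id"], "removed_roles": removed}


def audit_token(call, probe_user_ids):
    """Service-account side: what the token sees org-wide (the union of both
    scopes) versus the per-user endpoint ellie.ai actually calls. Lists show the
    first page only; follow the Link header in orgs with more than 200 entries."""
    report = {}
    status, users = call("GET", "/api/v1/users?limit=200", None)
    report["users"] = [u["profile"]["login"] for u in users] if status == 200 else f"HTTP {status}"
    status, groups = call("GET", "/api/v1/groups?limit=200", None)
    report["groups"] = [g["profile"]["name"] for g in groups] if status == 200 else f"HTTP {status}"
    report["user_groups"] = {}
    for uid in probe_user_ids:  # include one user outside the "ellie" group
        status, ug = call("GET", f"/api/v1/users/{uid}/groups", None)
        report["user_groups"][uid] = ([g["profile"]["name"] for g in ug]
                                      if status == 200 else f"HTTP {status}")
    return report


if __name__ == "__main__":
    # Run with the ellie.ai account's token after the downgrade; a probe user
    # outside the "ellie" group should come back as an error status.
    base, token = os.environ["OKTA_ORG_URL"], os.environ["OKTA_API_TOKEN"]
    bound = lambda m, p, b: okta_call(base, token, m, p, b)
    probes = [u for u in os.environ.get("PROBE_USER_IDS", "").split(",") if u]
    print(json.dumps(audit_token(bound, probes), indent=2))
```

`provision` must be run with a super admin token (it creates roles and changes assignments); `audit_token` is meant to be run with the token of the downgraded ellie.ai account, which is the only way to see what that token can really reach. If the audit still lists users outside the “ellie” group, the account still holds a second role or the users resource was not constrained to the group.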
...