Target
This guide is intended for organizations that have ellie.ai integrated with their Okta platform.
...
1. Sign in to your Okta admin dashboard with your Okta super admin account
2. Create a new user, referred to as the ellie.ai custom user for the rest of this guide
   - Go to Directory > People
   - Click on Add person
   - Fill in the form as you see fit. Some suggestions, none of them mandatory:
     - In Activation select “Activate now”
     - Check “I will set password” and fill in the password input
     - Uncheck “User must change password on first login”
   - Click on Save
3. Grant the ellie.ai custom user a standard admin role
   - Go to Security > Administrators
   - Click on Add administrators
   - In Admin select the newly created ellie.ai custom user
   - In Role select “Read-only Administrator” (or any other standard admin role, as it is only temporary)
   - Click on Save Changes
4. Sign out from the Okta dashboard
5. Sign in again, this time with your ellie.ai custom user
6. Create a new API token
   - Go to Security > API
   - Go to Tokens tab
   - Click on Create token
   - Fill in a name (e.g. ellie-api-token)
   - Click on Create token
   - Save the token value (this token will be sent to ellie.ai by email)
   - Click on OK, got it
7. Sign out from the Okta dashboard

We are not done yet; it is important to finish all the steps. You now have an API token, but we are going to downgrade its privileges to the minimal requirements.

8. Sign in with your Okta super admin account
9. Create a new custom admin role
   - Go to Security > Administrators
   - Go to Roles tab
   - Click on Create a new role
   - Fill in a name (e.g. view-users-and-groups-only)
   - Fill in a description (e.g. “Lets the admin view users and groups details”)
   - Check in User permissions: “View users and their details”
   - Check in Group permissions: “View groups and their details”
   - Click on Save role
10. Create a new resource set (more information about resource sets below)
   - Go to Security > Administrators
   - Go to Resources tab
   - Click on Create a new resource set
   - Fill in a name (e.g. ellie-groups)
   - Fill in a description (e.g. “Constrains to ellie.ai groups only”)
   - Define the first resource
     - In Resource type select “Users”
     - In Group names select all groups assigned to your ellie.ai application (there should be only one group: “ellie”). This group selection defines the list of users ellie.ai can view (it should mirror the list of users assigned to the ellie.ai application).
   - Click on Add another resource type
   - Define the second resource
     - In Resource type select “Groups”
     - Check “Constrain to all groups” (recommended; otherwise you will likely have to update this resource type every time you want to change your mapping between groups and ellie.ai roles)
     - Otherwise, in Group names select the groups ellie.ai can view (e.g. “ellie-read”, “ellie-write”, “ellie-admin” and “ellie”)
   - Click on Save resource set
11. Downgrade the ellie.ai custom account to the newly created custom admin role
   - Go to Security > Administrators
   - Go to Admins tab
   - Find the ellie.ai custom account in the list
   - Click on Edit assignments in the Edit dropdown
   - In Role replace “Read-only Administrator” with the newly created custom role (from step 9)
   - In Resource set select the newly created resource set (from step 10)
   - Make sure there is only one role left in the assignments list
   - Click on Save Changes
...
Ellie.ai will only use {{url}}/api/v1/users/{{userId}}/groups, which corresponds to the intersection of both scopes. However, keep in mind that you are actually giving access to the union of both scopes (view only).
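A read-only check that the token really ended up with the downgraded role, as an added example (not part of the original guide and not ellie.ai or Okta code). It sends GET requests only and compares what the token can read with what the custom role and resource set should allow. The user IDs, the `fake_tenant` stand-in and the rule that any status other than 200 counts as denied are assumptions made for this example.

```python
import urllib.error
import urllib.request

def okta_get(base_url, token, path):
    """Send one read-only GET with an Okta API token; return the HTTP status code."""
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        headers={"Authorization": "SSWS " + token, "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def audit_token(get_status, in_scope_user, out_of_scope_user):
    """Probe the token with GETs only; return a list of findings.

    get_status(path) -> HTTP status. An empty list means the token behaves
    like the downgraded custom role described in the guide.
    """
    probes = [
        # (path, should be readable, what the probe checks)
        (f"/api/v1/users/{in_scope_user}/groups", True,
         "the call ellie.ai uses, for a member of the 'ellie' group"),
        (f"/api/v1/users/{out_of_scope_user}/groups", False,
         "a user outside the resource set"),
        ("/api/v1/apps", False, "applications, not granted by the custom role"),
        ("/api/v1/logs", False, "system log, not granted by the custom role"),
    ]
    findings = []
    for path, should_allow, what in probes:
        allowed = get_status(path) == 200  # assumption: anything else is a denial
        if allowed != should_allow:
            verdict = "blocked but required" if should_allow else "readable but should not be"
            findings.append(f"{path}: {verdict} ({what})")
    return findings

def fake_tenant(visible_prefixes):
    """Constructed stand-in for a tenant so the example runs offline."""
    return lambda path: 200 if path.startswith(tuple(visible_prefixes)) else 403

DOWNGRADED = fake_tenant(["/api/v1/users/00u_member/"])   # after step 11
STILL_READ_ONLY_ADMIN = fake_tenant(["/api/v1/"])          # step 11 skipped

if __name__ == "__main__":
    for name, tenant in [("downgraded", DOWNGRADED), ("not downgraded", STILL_READ_ONLY_ADMIN)]:
        print(name, audit_token(tenant, "00u_member", "00u_outsider"))
```

Against a real tenant, pass `lambda p: okta_get(base_url, token, p)` as `get_status`, with one user ID from the “ellie” group and one from outside it.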
Examples
In purple: what the API token gives access to on the user scope (view only).
In blue: what the API token gives access to on the group scope (view only).
In violet: what ellie.ai is actually going to view (intersection of both scopes).
In rose: what the API token does not have access to on their respective scope.
...