API Access Management: Access Policy

Questions
1

I have a standard API Authorization use case to control Read Only and Read Write access to API.

In the okta developer account I have created two groups (trup-ro and trup-rw) and assigned various users to these groups.

I have created an application of type web named : trupctl

On the default Authorization Server, I have created two scopes trup-ro and trup-rw corresponding to the groups. I have created rule as follows

READ_WRITE_RULE
READ_WRITE_RULE1920×1080 358 KB

But what I am noticing is that the users who are not even members of the trup-rw group get the scope trup-rw in the access token if it is requested in the authorization_code flow.

Also I noticed in the demo videos for API Access Management a different AddRule form:

okta-api-access-mgmt-rule-paid
okta-api-access-mgmt-rule-paid1920×1080 172 KB
where in you would see the difference in the ability to specify scopes in a THEN Grant clause.. is that a Paid account feature?

2

I think there is a misunderstanding here probably.

You need to create a rule which says, that whoever requesting scope “…rw” should belong to group “…rw”.

Screen Shot 2020-04-02 at 8.36.51 PM
Screen Shot 2020-04-02 at 8.36.51 PM1364×872 47.3 KB

My first rule limits, who can access scope “groups” (it’s my existing scope). So you would need to create a rule for your “rw” scope, and allow all scopes in your default rule (I’m assuming “ro” is allowed to anyone assigned to the application)

3

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.