Instead of retrieving the entire list of groups for a user and having to parse the groups returned?
Do you have more context to this question?
Well…AFAIK, here are your options:
Users | Okta Developer - retrieve all the groups a user is a member of and then do something like a string match for the group in question in the returned array or…
go from the other end and Groups | Okta Developer get the members of a specific group and search the user.
Either way it’s pretty easy to make a function that takes in 2 parameters: group and user and tells you if they intersect…
We want to check to see if a user is a member of a group so that our Service Desk doesn’t necessarily have to visit the console to check that. There are groups set up that turn certain features on or off in Okta like external enrollment. Through our service management tool, we want to call the API and return true or false. Rather than having to return a payload of groups and search that or a payload of members of a group and search that.
From a process perspective we also reduce the amount of time for our Service Desk to get that answer.
So if ‘there are groups set up that turn certain features on or off’ then it sound like you know the groups in question…
So why can’t you dump a user’s group membership: Get User’s Groups and just check if the returned object contains the group(s) in question?
So I posted my generic powershell script here: Powershell function for Okta API
Using that script I would do this:
$userGroups = getHTML -uri “https://yourOktaDomain/api/v1/users/USER_ID_HERE/groups”
$groupsToFind = @{“group1”,“group2”,“group3”}
foreach ($group in $userGroups ) {
# do your check for matching group here:
foreach ($groupToFind in $groupsToFind ) {
if($group.profile.name -like “$($groupToFind )”) {
# we found a match…do something
}
}
}
That’s how I would do it?
I think you’re missing my point. Sure, of course I can do that. Already expressed that. We’re sycning groups from AD into Okta as well, so users can be members of countless groups. Why drag that entire payload across the net if you could just get the answer. Then have to enumerate it? When a simple IsMemberOf method would just return “1” or “0”.
To my thinking and when I’m writing an API, I want the consumer to do the least amount of work. So I would do the enumeration for them and just return the answer they’re looking for instead of asking them to grab a payload and do that themselves.