Show different when creating OKTA users

We have an application that is used by admins to create new users in our system. Behind the scenes, this admin app creates a new user in OKTA. The admins also log in to the app using OKTA, so they are part of an admin group. The app makes a call to the /api/v1/users endpoint, passing an API token in the Authorization header, to create the user.

Since the API token was created by one superAdmin user, every time a user is created the actor in the logs shows as the superAdmin user and not the admin user who created the new user.

This is problematic for us, since we now have no audit trail to show which admin created which user. It only shows the superAdmin.

How can we change this behavior? Can an API token be generated dynamically by the admin user who is authenticated and logged in to OKTA?

Thanks!

Unfortunately there is no other way. You either need to give your admins privileges to create users as well, and then they can use an OAuth2 application with user-create scopes enabled to request an access token to be used for user-create operations (see Overview | Okta Developer).

You could also try a profile attribute, where you have a “createdby” attribute that you populate to log the creating user.
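The two options from the answer, as an added example that is not part of the original thread or of Okta's own SDKs. It builds the POST /api/v1/users request either with an OAuth 2.0 access token issued to the logged-in admin (sent as `Authorization: Bearer`, needs the `okta.users.manage` scope) or with the shared org API token (sent as `Authorization: SSWS`), and in both cases stamps the admin's login into a custom profile attribute. It also shows how to resolve the creating admin from a `user.lifecycle.create` System Log event, falling back to the stamped attribute when the actor is the token owner. The org URL, the attribute name `createdBy`, the token values and the log events are constructed assumptions; the attribute must first be added to the user profile schema in the Okta admin console.

```python
"""Keep the creating admin identifiable when a backend creates Okta users.

Added example, not code from the original thread or from Okta. Assumptions:
the org URL, a custom profile attribute named createdBy that you have added to
the user schema, and the sample tokens/events embedded below.
"""
import io
import json
from urllib.request import Request, urlopen

OKTA_ORG = "https://example.okta.com"            # assumption: your org URL
CREATE_USER_URL = OKTA_ORG + "/api/v1/users?activate=true"
CREATED_BY_ATTR = "createdBy"                    # assumption: custom attribute in the user schema
REQUIRED_SCOPE = "okta.users.manage"             # OAuth-for-Okta scope that allows creating users


def authorization_header(token: str, oauth: bool) -> str:
    """Org API tokens use the SSWS scheme; OAuth 2.0 access tokens use Bearer."""
    return f"Bearer {token}" if oauth else f"SSWS {token}"


def build_create_user_request(token: str, oauth: bool, admin_login: str, profile: dict) -> Request:
    """Build POST /api/v1/users. The profile is stamped with the admin's login
    in both modes: with a shared API token it is the only record of who acted,
    with a per-admin access token it is a cross-check against the System Log."""
    body = {"profile": {**profile, CREATED_BY_ATTR: admin_login}}
    req = Request(CREATE_USER_URL, data=json.dumps(body).encode(), method="POST")
    req.add_header("Authorization", authorization_header(token, oauth))
    req.add_header("Content-Type", "application/json")
    req.add_header("Accept", "application/json")
    return req


def request_body(req: Request) -> dict:
    """Decode the JSON body of a built request (handy for inspection and tests)."""
    return json.loads(req.data)


def create_user(token: str, oauth: bool, admin_login: str, profile: dict, send=urlopen) -> dict:
    """Send the request. `send` is injectable so the flow can run offline."""
    with send(build_create_user_request(token, oauth, admin_login, profile)) as resp:
        return json.loads(resp.read())


def creating_admin(event: dict, user: dict, shared_token_owner: str) -> str:
    """Resolve who created a user from a user.lifecycle.create System Log event.
    If the actor is the shared API token's owner, the log cannot tell us more,
    so fall back to the createdBy attribute stamped on the user's profile."""
    actor = event["actor"]["alternateId"]
    if actor == shared_token_owner:
        return user["profile"].get(CREATED_BY_ATTR, actor)
    return actor


# Constructed sample data (not real Okta output).
SUPERADMIN = "superadmin@example.com"           # owner of the shared SSWS token
ADMIN = "alice.admin@example.com"               # admin actually doing the work
NEW_USER_PROFILE = {"login": "new.user@example.com", "email": "new.user@example.com",
                    "firstName": "New", "lastName": "User"}
EVENT_VIA_SSWS = {"eventType": "user.lifecycle.create",
                  "actor": {"type": "User", "alternateId": SUPERADMIN},
                  "target": [{"type": "User", "alternateId": NEW_USER_PROFILE["login"]}]}
EVENT_VIA_OAUTH = {"eventType": "user.lifecycle.create",
                   "actor": {"type": "User", "alternateId": ADMIN},
                   "target": [{"type": "User", "alternateId": NEW_USER_PROFILE["login"]}]}
USER_RECORD = {"id": "00u0000000000000", "profile": {**NEW_USER_PROFILE, CREATED_BY_ATTR: ADMIN}}


def _fake_send(req: Request):
    """Offline stand-in for urlopen: echoes the submitted profile back as Okta would."""
    return io.BytesIO(json.dumps({"id": "00u0000000000000", "profile": request_body(req)["profile"]}).encode())


if __name__ == "__main__":
    # Shared API token: log actor is the superadmin, createdBy carries the real admin.
    created = create_user("00_sample_api_token", False, ADMIN, NEW_USER_PROFILE, send=_fake_send)
    print("SSWS  ->", creating_admin(EVENT_VIA_SSWS, created, SUPERADMIN))
    # Per-admin access token (scope okta.users.manage): log actor is the admin directly.
    created = create_user("eyJ.sample.access.token", True, ADMIN, NEW_USER_PROFILE, send=_fake_send)
    print("OAuth ->", creating_admin(EVENT_VIA_OAUTH, created, SUPERADMIN))
```

With the OAuth path, the access token is minted per admin session (the admin authorizes the OIDC app with `okta.users.manage` after being granted an admin role that can create users), so nothing long-lived is shared; the `createdBy` stamp remains useful as a second record and as a migration aid while the shared token is still in use.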