-Lists all groups of which the user is a member.
> **Note:** To list all groups in your org, use the [List all groups endpoints in the Groups API](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/Group/#tag/Group/operation/listGroups).
+Lists all groups of which the user is a member.
> **Note:** To list all groups in your org, use the [List all groups endpoints in the Groups API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Group/#tag/Group/operation/listGroups).
```sql
SELECT
diff --git a/website/docs/services/users/users/index.md b/website/docs/services/users/users/index.md
index 8f0274e..1eea86f 100644
--- a/website/docs/services/users/users/index.md
+++ b/website/docs/services/users/users/index.md
@@ -97,12 +97,12 @@ The following fields are returned by `SELECT` queries:
|
object |
- Specifies the default and custom profile properties for a user. The default user profile is based on the [System for Cross-domain Identity Management: Core Schema](https://datatracker.ietf.org/doc/html/rfc7643). The only permitted customizations of the default profile are to update permissions, change whether the `firstName` and `lastName` properties are nullable, and specify a [pattern](https://developer.okta.com/docs/reference/api/schemas/#login-pattern-validation) for `login`. You can use the Profile Editor in the Admin Console or the [Schemas API](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UISchema/#tag/UISchema) to make schema modifications. You can extend user profiles with custom properties. You must first add the custom property to the user profile schema before you reference it. You can use the Profile Editor in the Admin Console or the [Schemas API](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UISchema/#tag/UISchema) to manage schema extensions. Custom attributes can contain HTML tags. It's the client's responsibility to escape or encode this data before displaying it. Use [best-practices](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html) to prevent cross-site scripting. |
+ Specifies the default and custom profile properties for a user. The default user profile is based on the [System for Cross-domain Identity Management: Core Schema](https://datatracker.ietf.org/doc/html/rfc7643). The only permitted customizations of the default profile are to update permissions, change whether the `firstName` and `lastName` properties are nullable, and specify a [pattern](https://developer.okta.com/docs/reference/api/schemas/#login-pattern-validation) for `login`. You can use the Profile Editor in the Admin Console or the [Schemas API](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UISchema/#tag/UISchema) to make schema modifications. You can extend user profiles with custom properties. You must first add the custom property to the user profile schema before you reference it. You can use the Profile Editor in the Admin Console or the [Schemas API](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UISchema/#tag/UISchema) to manage schema extensions. Custom attributes can contain HTML tags. It's the client's responsibility to escape or encode this data before displaying it. Use [best-practices](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html) to prevent cross-site scripting. |
|
string |
- The ID of the realm in which the user is residing. See [Realms](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/Realm/). (example: guo1bfiNtSnZYILxO0g4) |
+ The ID of the realm in which the user is residing. See [Realms](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Realm/). (example: guo1bfiNtSnZYILxO0g4) |
|
@@ -122,7 +122,7 @@ The following fields are returned by `SELECT` queries:
|
object |
- The user type that determines the schema for the user's profile. The `type` property is a map that identifies the [User Types](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/#tag/UserType). Currently it contains a single element, `id`. It can be specified when creating a new user, and ca be updated by an admin on a full replace of an existing user (but not a partial update). |
+ The user type that determines the schema for the user's profile. The `type` property is a map that identifies the [User Types](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/#tag/UserType). Currently it contains a single element, `id`. It can be specified when creating a new user, and ca be updated by an admin on a full replace of an existing user (but not a partial update). |
@@ -186,12 +186,12 @@ The following fields are returned by `SELECT` queries:
|
object |
- Specifies the default and custom profile properties for a user. The default user profile is based on the [System for Cross-domain Identity Management: Core Schema](https://datatracker.ietf.org/doc/html/rfc7643). The only permitted customizations of the default profile are to update permissions, change whether the `firstName` and `lastName` properties are nullable, and specify a [pattern](https://developer.okta.com/docs/reference/api/schemas/#login-pattern-validation) for `login`. You can use the Profile Editor in the Admin Console or the [Schemas API](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UISchema/#tag/UISchema) to make schema modifications. You can extend user profiles with custom properties. You must first add the custom property to the user profile schema before you reference it. You can use the Profile Editor in the Admin Console or the [Schemas API](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UISchema/#tag/UISchema) to manage schema extensions. Custom attributes can contain HTML tags. It's the client's responsibility to escape or encode this data before displaying it. Use [best-practices](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html) to prevent cross-site scripting. |
+ Specifies the default and custom profile properties for a user. The default user profile is based on the [System for Cross-domain Identity Management: Core Schema](https://datatracker.ietf.org/doc/html/rfc7643). The only permitted customizations of the default profile are to update permissions, change whether the `firstName` and `lastName` properties are nullable, and specify a [pattern](https://developer.okta.com/docs/reference/api/schemas/#login-pattern-validation) for `login`. You can use the Profile Editor in the Admin Console or the [Schemas API](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UISchema/#tag/UISchema) to make schema modifications. You can extend user profiles with custom properties. You must first add the custom property to the user profile schema before you reference it. You can use the Profile Editor in the Admin Console or the [Schemas API](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UISchema/#tag/UISchema) to manage schema extensions. Custom attributes can contain HTML tags. It's the client's responsibility to escape or encode this data before displaying it. Use [best-practices](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html) to prevent cross-site scripting. |
|
string |
- The ID of the realm in which the user is residing. See [Realms](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/Realm/). (example: guo1bfiNtSnZYILxO0g4) |
+ The ID of the realm in which the user is residing. See [Realms](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Realm/). (example: guo1bfiNtSnZYILxO0g4) |
|
@@ -211,7 +211,7 @@ The following fields are returned by `SELECT` queries:
|
object |
- The user type that determines the schema for the user's profile. The `type` property is a map that identifies the [User Types](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/#tag/UserType). Currently it contains a single element, `id`. It can be specified when creating a new user, and ca be updated by an admin on a full replace of an existing user (but not a partial update). |
+ The user type that determines the schema for the user's profile. The `type` property is a map that identifies the [User Types](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/#tag/UserType). Currently it contains a single element, `id`. It can be specified when creating a new user, and ca be updated by an admin on a full replace of an existing user (but not a partial update). |
@@ -245,21 +245,21 @@ The following methods are available for this resource:
|
subdomain |
Content-Type, expand |
- Retrieves a user from your Okta org.
You can substitute `me` for the `id` to fetch the current user linked to an API token or session cookie.
* The request returns the user linked to the API token that is specified in the Authorization header, not the user linked to the active session. Details of the admin user who granted the API token is returned.
* When the end user has an active Okta session, it is typically a CORS request from the browser. Therefore, it's possible to retrieve the current user without the Authorization header.
When fetching a user by `login` or `login shortname`, [URL encode](https://developer.mozilla.org/en-US/docs/Glossary/Percent-encoding) the request parameter to ensure that special characters are escaped properly. Logins with a `/` character can only be fetched by `id` due to URL issues with escaping the `/` character. If you don't know a user's ID, you can use the [List all users](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#tag/User/operation/listUsers) endpoint to find it.
> **Note:** Some browsers block third-party cookies by default, which disrupts Okta functionality in certain flows. See [Mitigate the impact of third-party cookie deprecation](https://help.okta.com/okta_help.htm?type=oie&id=ext-third-party-cookies). |
+ Retrieves a user from your Okta org.
You can substitute `me` for the `id` to fetch the current user linked to an API token or session cookie.
* The request returns the user linked to the API token that is specified in the Authorization header, not the user linked to the active session. Details of the admin user who granted the API token is returned.
* When the end user has an active Okta session, it is typically a CORS request from the browser. Therefore, it's possible to retrieve the current user without the Authorization header.
When fetching a user by `login` or `login shortname`, [URL encode](https://developer.mozilla.org/en-US/docs/Glossary/Percent-encoding) the request parameter to ensure that special characters are escaped properly. Logins with a `/` character can only be fetched by `id` due to URL issues with escaping the `/` character. If you don't know a user's ID, you can use the [List all users](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#tag/User/operation/listUsers) endpoint to find it.
> **Note:** Some browsers block third-party cookies by default, which disrupts Okta functionality in certain flows. See [Mitigate the impact of third-party cookie deprecation](https://help.okta.com/okta_help.htm?type=oie&id=ext-third-party-cookies). |
|
|
- subdomain |
+ subdomain, data__profile |
activate, provider, nextLogin |
- Creates a new user in your Okta org with or without credentials.<br>
> **Legal Disclaimer**
>
> After a user is added to the Okta directory, they receive an activation email. As part of signing up for this service,
> you agreed not to use Okta's service/product to spam and/or send unsolicited messages.
> Please refrain from adding unrelated accounts to the directory as Okta is not responsible for, and disclaims any and all
> liability associated with, the activation email's content. You, and you alone, bear responsibility for the emails sent to any recipients.
All responses return the created user. Activation of a user is an asynchronous operation. The system performs group reconciliation during activation and assigns the user to all apps via direct or indirect relationships (group memberships).
* The user's `transitioningToStatus` property is `ACTIVE` during activation to indicate that the user hasn't completed the asynchronous operation.
* The user's `status` is `ACTIVE` when the activation process is complete.
The user is emailed a one-time activation token if activated without a password.
> **Note:** If the user is assigned to an app that is configured for provisioning, the activation process triggers downstream provisioning to the app. It is possible for a user to sign in before these apps have been successfully provisioned for the user.
> **Important:** Do not generate or send a one-time activation token when activating users with an assigned password. Users should sign in with their assigned password.
For more information about the various scenarios of creating a user listed in the examples, see the [User creation scenarios](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#user-creation-scenarios) section. |
+ Creates a new user in your Okta org with or without credentials.<br>
> **Legal Disclaimer**
>
> After a user is added to the Okta directory, they receive an activation email. As part of signing up for this service,
> you agreed not to use Okta's service/product to spam and/or send unsolicited messages.
> Please refrain from adding unrelated accounts to the directory as Okta is not responsible for, and disclaims any and all
> liability associated with, the activation email's content. You, and you alone, bear responsibility for the emails sent to any recipients.
All responses return the created user. Activation of a user is an asynchronous operation. The system performs group reconciliation during activation and assigns the user to all apps via direct or indirect relationships (group memberships).
* The user's `transitioningToStatus` property is `ACTIVE` during activation to indicate that the user hasn't completed the asynchronous operation.
* The user's `status` is `ACTIVE` when the activation process is complete.
The user is emailed a one-time activation token if activated without a password.
> **Note:** If the user is assigned to an app that is configured for provisioning, the activation process triggers downstream provisioning to the app. It is possible for a user to sign in before these apps have been successfully provisioned for the user.
> **Important:** Do not generate or send a one-time activation token when activating users with an assigned password. Users should sign in with their assigned password.
For more information about the various scenarios of creating a user listed in the examples, see the [User creation scenarios](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#user-creation-scenarios) section. |
|
|
subdomain |
strict, If-Match |
- Updates a user's profile or credentials with partial update semantics.
> **Important:** Use the `POST` method for partial updates. Unspecified properties are set to null with `PUT`.
`profile` and `credentials` can be updated independently or together with a single request.
> **Note**: Currently, the user type of a user can only be changed via a full replacement PUT operation. If the request parameters of a partial update include the type element from the user object,
the value must match the existing type of the user. Only admins are permitted to change the user type of a user; end users are not allowed to change their own user type.
> **Note**: To update a current user's profile with partial semantics, the `/api/v1/users/me` endpoint can be invoked.
>
> A user can only update profile properties for which the user has write access. Within the profile, if the user tries to update the primary or the secondary email IDs, verification emails are sent to those email IDs, and the fields are updated only upon verification.
If you are using this endpoint to set a password, it sets a password without validating existing user credentials. This is an administrative operation. For operations that validate credentials, refer to the [Reset password](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserCred/#tag/UserCred/operation/resetPassword), [Start forgot password flow](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserCred/#tag/UserCred/operation/forgotPassword), and [Update password](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserCred/#tag/UserCred/operation/changePassword) endpoints. |
+ Updates a user's profile or credentials with partial update semantics.
> **Important:** Use the `POST` method for partial updates. Unspecified properties are set to null with `PUT`.
`profile` and `credentials` can be updated independently or together with a single request.
> **Note**: Currently, the user type of a user can only be changed via a full replacement PUT operation. If the request parameters of a partial update include the type element from the user object,
the value must match the existing type of the user. Only admins are permitted to change the user type of a user; end users are not allowed to change their own user type.
> **Note**: To update a current user's profile with partial semantics, the `/api/v1/users/me` endpoint can be invoked.
>
> A user can only update profile properties for which the user has write access. Within the profile, if the user tries to update the primary or the secondary email IDs, verification emails are sent to those email IDs, and the fields are updated only upon verification.
If you are using this endpoint to set a password, it sets a password without validating existing user credentials. This is an administrative operation. For operations that validate credentials, refer to the [Reset password](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserCred/#tag/UserCred/operation/resetPassword), [Start forgot password flow](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserCred/#tag/UserCred/operation/forgotPassword), and [Update password](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserCred/#tag/UserCred/operation/changePassword) endpoints. |
|
@@ -287,7 +287,7 @@ The following methods are available for this resource:
|
subdomain |
sendEmail |
- Activates a user.
Perform this operation only on users with a `STAGED` or `DEPROVISIONED` status. Activation of a user is an asynchronous operation.
* The user has the `transitioningToStatus` property with an `ACTIVE` value during activation. This indicates that the user hasn't completed the asynchronous operation.
* The user has an `ACTIVE` status when the activation process completes.
Users who don't have a password must complete the welcome flow by visiting the activation link to complete the transition to `ACTIVE` status.
> **Note:** If you want to send a branded user activation email, change the subdomain of your request to the custom domain that's associated with the brand.
> For example, change `subdomain.okta.com` to `custom.domain.one`. See [Multibrand and custom domains](https://developer.okta.com/docs/concepts/brands/#multibrand-and-custom-domains).
> **Note:** If you have optional password enabled, visiting the activation link is optional for users who aren't required to enroll a password.
> See [Create user with optional password](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#create-user-with-optional-password).
> **Legal disclaimer**
> After a user is added to the Okta directory, they receive an activation email. As part of signing up for this service,
> you agreed not to use Okta's service/product to spam and/or send unsolicited messages.
> Please refrain from adding unrelated accounts to the directory as Okta is not responsible for, and disclaims any and all
> liability associated with, the activation email's content. You, and you alone, bear responsibility for the emails sent to any recipients. |
+ Activates a user.
Perform this operation only on users with a `STAGED` or `DEPROVISIONED` status. Activation of a user is an asynchronous operation.
* The user has the `transitioningToStatus` property with an `ACTIVE` value during activation. This indicates that the user hasn't completed the asynchronous operation.
* The user has an `ACTIVE` status when the activation process completes.
Users who don't have a password must complete the welcome flow by visiting the activation link to complete the transition to `ACTIVE` status.
> **Note:** If you want to send a branded user activation email, change the subdomain of your request to the custom domain that's associated with the brand.
> For example, change `subdomain.okta.com` to `custom.domain.one`. See [Multibrand and custom domains](https://developer.okta.com/docs/concepts/brands/#multibrand-and-custom-domains).
> **Note:** If you have optional password enabled, visiting the activation link is optional for users who aren't required to enroll a password.
> See [Create user with optional password](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#create-user-with-optional-password).
> **Legal disclaimer**
> After a user is added to the Okta directory, they receive an activation email. As part of signing up for this service,
> you agreed not to use Okta's service/product to spam and/or send unsolicited messages.
> Please refrain from adding unrelated accounts to the directory as Okta is not responsible for, and disclaims any and all
> liability associated with, the activation email's content. You, and you alone, bear responsibility for the emails sent to any recipients. |
|
@@ -315,7 +315,7 @@ The following methods are available for this resource:
|
subdomain |
sendEmail |
- Reactivates a user.
Perform this operation only on users with a `PROVISIONED` or `RECOVERY` [status](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#tag/User/operation/listUsers!c=200&path=status&t=response).
This operation restarts the activation workflow if for some reason the user activation wasn't completed when using the `activationToken` from [Activate User](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserLifecycle/#tag/UserLifecycle/operation/activateUser).
Users that don't have a password must complete the flow by completing the [Reset password](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserCred/#tag/UserCred/operation/resetPassword) flow and MFA enrollment steps to transition the user to `ACTIVE` status.
If `sendEmail` is `false`, returns an activation link for the user to set up their account. The activation token can be used to create a custom activation link. |
+ Reactivates a user.
Perform this operation only on users with a `PROVISIONED` or `RECOVERY` [status](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#tag/User/operation/listUsers!c=200&path=status&t=response).
This operation restarts the activation workflow if for some reason the user activation wasn't completed when using the `activationToken` from [Activate User](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserLifecycle/#tag/UserLifecycle/operation/activateUser).
Users that don't have a password must complete the flow by completing the [Reset password](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserCred/#tag/UserCred/operation/resetPassword) flow and MFA enrollment steps to transition the user to `ACTIVE` status.
If `sendEmail` is `false`, returns an activation link for the user to set up their account. The activation token can be used to create a custom activation link. |
|
@@ -357,21 +357,21 @@ The following methods are available for this resource:
|
subdomain |
strict |
- Updates a user's password by validating the user's current password.
This operation provides an option to delete all the sessions of the specified user. However, if the request is made in the context of a session owned by the specified user, that session isn't cleared.
You can only perform this operation on users in `STAGED`, `ACTIVE`, `PASSWORD_EXPIRED`, or `RECOVERY` status that have a valid [password credential](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#tag/User/operation/createUser!path=credentials/password&t=request).
The user transitions to `ACTIVE` status when successfully invoked in `RECOVERY` status.
> **Note:** The Okta account management policy doesn't support the `/users/{userId}/credentials/change_password` endpoint. See [Configure an Okta account management policy](https://developer.okta.com/docs/guides/okta-account-management-policy/main/). |
+ Updates a user's password by validating the user's current password.
This operation provides an option to delete all the sessions of the specified user. However, if the request is made in the context of a session owned by the specified user, that session isn't cleared.
You can only perform this operation on users in `STAGED`, `ACTIVE`, `PASSWORD_EXPIRED`, or `RECOVERY` status that have a valid [password credential](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#tag/User/operation/createUser!path=credentials/password&t=request).
The user transitions to `ACTIVE` status when successfully invoked in `RECOVERY` status.
> **Note:** The Okta account management policy doesn't support the `/users/{userId}/credentials/change_password` endpoint. See [Configure an Okta account management policy](https://developer.okta.com/docs/guides/okta-account-management-policy/main/). |
|
|
subdomain |
|
- Updates a user's recovery question and answer credential by validating the user's current password.
You can only perform this operation on users in `STAGED`, `ACTIVE`, or `RECOVERY` status that have a valid [password credential](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#tag/User/operation/createUser!path=credentials/password&t=request). |
+ Updates a user's recovery question and answer credential by validating the user's current password.
You can only perform this operation on users in `STAGED`, `ACTIVE`, or `RECOVERY` status that have a valid [password credential](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#tag/User/operation/createUser!path=credentials/password&t=request). |
|
|
subdomain |
sendEmail |
- Starts the forgot password flow.
Generates a one-time token (OTT) that you can use to reset a user's password.
The user must validate their security question's answer when visiting the reset link. Perform this operation only on users with an `ACTIVE` status and
a valid [recovery question credential](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#tag/User/operation/createUser!path=credentials/recovery_question&t=request).
> **Note:** If you have migrated to Identity Engine, you can allow users to recover passwords with any enrolled MFA authenticator. See [Self-service account recovery](https://help.okta.com/oie/en-us/content/topics/identity-engine/authenticators/configure-sspr.htm?cshid=ext-config-sspr).
If an email address is associated with multiple users, keep in mind the following to ensure a successful password recovery lookup:
* Okta no longer includes deactivated users in the lookup.
* The lookup searches sign-in IDs first, then primary email addresses, and then secondary email addresses.
If `sendEmail` is `false`, returns a link for the user to reset their password. This operation doesn't affect the status of the user. |
+ Starts the forgot password flow.
Generates a one-time token (OTT) that you can use to reset a user's password.
The user must validate their security question's answer when visiting the reset link. Perform this operation only on users with an `ACTIVE` status and
a valid [recovery question credential](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#tag/User/operation/createUser!path=credentials/recovery_question&t=request).
> **Note:** If you have migrated to Identity Engine, you can allow users to recover passwords with any enrolled MFA authenticator. See [Self-service account recovery](https://help.okta.com/oie/en-us/content/topics/identity-engine/authenticators/configure-sspr.htm?cshid=ext-config-sspr).
If an email address is associated with multiple users, keep in mind the following to ensure a successful password recovery lookup:
* Okta no longer includes deactivated users in the lookup.
* The lookup searches sign-in IDs first, then primary email addresses, and then secondary email addresses.
If `sendEmail` is `false`, returns a link for the user to reset their password. This operation doesn't affect the status of the user. |
|
@@ -385,7 +385,7 @@ The following methods are available for this resource:
|
subdomain |
oauthTokens, forgetDevices |
- Revokes all active identity provider sessions of the user. This forces the user to authenticate on the next operation. Optionally revokes OpenID Connect and OAuth refresh and access tokens issued to the user.
You can also clear the user's remembered factors for all devices using the `forgetDevices` parameter. See [forgetDevices](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserSessions/#tag/UserSessions/operation/revokeUserSessions!in=query&path=forgetDevices&t=request).
> **Note:** This operation doesn't clear the sessions created for web or native apps. |
+ Revokes all active identity provider sessions of the user. This forces the user to authenticate on the next operation. Optionally revokes OpenID Connect and OAuth refresh and access tokens issued to the user.
You can also clear the user's remembered factors for all devices using the `forgetDevices` parameter. See [forgetDevices](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserSessions/#tag/UserSessions/operation/revokeUserSessions!in=query&path=forgetDevices&t=request).
> **Note:** This operation doesn't clear the sessions created for web or native apps. |
@@ -431,7 +431,7 @@ Parameters can be passed in the `WHERE` clause of a query. Check the [Methods](#
|
boolean |
- Executes an [activation lifecycle](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserLifecycle/#tag/UserLifecycle/operation/activateUser) operation when creating the user |
+ Executes an [activation lifecycle](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserLifecycle/#tag/UserLifecycle/operation/activateUser) operation when creating the user |
|
@@ -486,7 +486,7 @@ Parameters can be passed in the `WHERE` clause of a query. Check the [Methods](#
|
string |
- Searches for users with a supported filtering expression for most properties. Okta recommends using this parameter for optimal search performance. > **Note:** Using an overly complex or long search query can result in an error. This operation supports [pagination](https://developer.okta.com/docs/api/#pagination). Use an ID lookup for records that you update to ensure your results contain the latest data. Returned users include those with the `DEPROVISIONED` status. Property names in the search parameter are case sensitive, whereas operators (`eq`, `sw`, and so on) and string values are case insensitive. Unlike with user logins, diacritical marks are significant in search string values: a search for `isaac.brock` finds `Isaac.Brock`, but doesn't find a property whose value is `isáàc.bröck`. This operation requires [URL encoding](https://developer.mozilla.org/en-US/docs/Glossary/Percent-encoding). For example, `search=profile.department eq "Engineering"` is encoded as `search=profile.department%20eq%20%22Engineering%22`. If you use the special character `"` within a quoted string, it must also be escaped `\` and encoded. For example, `search=profile.lastName eq "bob"smith"` is encoded as `search=profile.lastName%20eq%20%22bob%5C%22smith%22`. See [Special Characters](https://developer.okta.com/docs/api/#special-characters). This operation searches many properties: * Any user profile attribute, including custom-defined attributes * The top-level properties: `id`, `status`, `created`, `activated`, `statusChanged`, and `lastUpdated` * The [user type](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/#tag/UserType/operation/updateUserType) accessed as `type.id` > **Note:** <x-lifecycle class="ea"></x-lifecycle> The ability to search by user classification is available as an [Early Access](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/guides/release-lifecycle/#early-access-ea) feature. The `classification.type` property cannot be used in conjunction with other search terms. You can search using `classification.type eq "LITE"` or `classification.type eq "STANDARD"`. You can also use `sortBy` and `sortOrder` parameters. The `ne` (not equal) operator isn't supported, but you can obtain the same result by using `lt ... or ... gt`. For example, to see all users except those that have a status of `STAGED`, use `(status lt "STAGED" or status gt "STAGED")`. You can search properties that are arrays. If any element matches the search term, the entire array (object) is returned. Okta follows the [SCIM Protocol Specification](https://tools.ietf.org/html/rfc7644#section-3.4.2.2) for searching arrays. You can search multiple arrays, multiple values in an array, as well as using the standard logical and filtering operators. See [Filter](https://developer.okta.com/docs/reference/core-okta-api/#filter). Searches for users can be filtered by the following operators: `sw`, `eq`, and `co`. You can only use `co` with these select user profile attributes: `profile.firstName`, `profile.lastName`, `profile.email`, and `profile.login`. See [Operators](https://developer.okta.com/docs/api/#operators). |
+ Searches for users with a supported filtering expression for most properties. Okta recommends using this parameter for optimal search performance. > **Note:** Using an overly complex or long search query can result in an error. This operation supports [pagination](https://developer.okta.com/docs/api/#pagination). Use an ID lookup for records that you update to ensure your results contain the latest data. Returned users include those with the `DEPROVISIONED` status. Property names in the search parameter are case sensitive, whereas operators (`eq`, `sw`, and so on) and string values are case insensitive. Unlike with user logins, diacritical marks are significant in search string values: a search for `isaac.brock` finds `Isaac.Brock`, but doesn't find a property whose value is `isáàc.bröck`. This operation requires [URL encoding](https://developer.mozilla.org/en-US/docs/Glossary/Percent-encoding). For example, `search=profile.department eq "Engineering"` is encoded as `search=profile.department%20eq%20%22Engineering%22`. If you use the special character `"` within a quoted string, it must also be escaped `\` and encoded. For example, `search=profile.lastName eq "bob"smith"` is encoded as `search=profile.lastName%20eq%20%22bob%5C%22smith%22`. See [Special Characters](https://developer.okta.com/docs/api/#special-characters). This operation searches many properties: * Any user profile attribute, including custom-defined attributes * The top-level properties: `id`, `status`, `created`, `activated`, `statusChanged`, and `lastUpdated` * The [user type](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/#tag/UserType/operation/updateUserType) accessed as `type.id` > **Note:** <x-lifecycle class="ea"></x-lifecycle> The ability to search by user classification is available as an [Early Access](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/guides/release-lifecycle/#early-access-ea) feature. The `classification.type` property cannot be used in conjunction with other search terms. You can search using `classification.type eq "LITE"` or `classification.type eq "STANDARD"`. You can also use `sortBy` and `sortOrder` parameters. The `ne` (not equal) operator isn't supported, but you can obtain the same result by using `lt ... or ... gt`. For example, to see all users except those that have a status of `STAGED`, use `(status lt "STAGED" or status gt "STAGED")`. You can search properties that are arrays. If any element matches the search term, the entire array (object) is returned. Okta follows the [SCIM Protocol Specification](https://tools.ietf.org/html/rfc7644#section-3.4.2.2) for searching arrays. You can search multiple arrays, multiple values in an array, as well as using the standard logical and filtering operators. See [Filter](https://developer.okta.com/docs/reference/core-okta-api/#filter). Searches for users can be filtered by the following operators: `sw`, `eq`, and `co`. You can only use `co` with these select user profile attributes: `profile.firstName`, `profile.lastName`, `profile.email`, and `profile.login`. See [Operators](https://developer.okta.com/docs/api/#operators). |
|
@@ -556,7 +556,7 @@ AND expand = '{{ expand }}';
-Retrieves a user from your Okta org.
You can substitute `me` for the `id` to fetch the current user linked to an API token or session cookie.
* The request returns the user linked to the API token that is specified in the Authorization header, not the user linked to the active session. Details of the admin user who granted the API token is returned.
* When the end user has an active Okta session, it is typically a CORS request from the browser. Therefore, it's possible to retrieve the current user without the Authorization header.
When fetching a user by `login` or `login shortname`, [URL encode](https://developer.mozilla.org/en-US/docs/Glossary/Percent-encoding) the request parameter to ensure that special characters are escaped properly. Logins with a `/` character can only be fetched by `id` due to URL issues with escaping the `/` character. If you don't know a user's ID, you can use the [List all users](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#tag/User/operation/listUsers) endpoint to find it.
> **Note:** Some browsers block third-party cookies by default, which disrupts Okta functionality in certain flows. See [Mitigate the impact of third-party cookie deprecation](https://help.okta.com/okta_help.htm?type=oie&id=ext-third-party-cookies).
+Retrieves a user from your Okta org.
You can substitute `me` for the `id` to fetch the current user linked to an API token or session cookie.
* The request returns the user linked to the API token that is specified in the Authorization header, not the user linked to the active session. Details of the admin user who granted the API token is returned.
* When the end user has an active Okta session, it is typically a CORS request from the browser. Therefore, it's possible to retrieve the current user without the Authorization header.
When fetching a user by `login` or `login shortname`, [URL encode](https://developer.mozilla.org/en-US/docs/Glossary/Percent-encoding) the request parameter to ensure that special characters are escaped properly. Logins with a `/` character can only be fetched by `id` due to URL issues with escaping the `/` character. If you don't know a user's ID, you can use the [List all users](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#tag/User/operation/listUsers) endpoint to find it.
> **Note:** Some browsers block third-party cookies by default, which disrupts Okta functionality in certain flows. See [Mitigate the impact of third-party cookie deprecation](https://help.okta.com/okta_help.htm?type=oie&id=ext-third-party-cookies).
```sql
SELECT
@@ -595,7 +595,7 @@ AND expand = '{{ expand }}';
>
-Creates a new user in your Okta org with or without credentials.<br>
> **Legal Disclaimer**
>
> After a user is added to the Okta directory, they receive an activation email. As part of signing up for this service,
> you agreed not to use Okta's service/product to spam and/or send unsolicited messages.
> Please refrain from adding unrelated accounts to the directory as Okta is not responsible for, and disclaims any and all
> liability associated with, the activation email's content. You, and you alone, bear responsibility for the emails sent to any recipients.
All responses return the created user. Activation of a user is an asynchronous operation. The system performs group reconciliation during activation and assigns the user to all apps via direct or indirect relationships (group memberships).
* The user's `transitioningToStatus` property is `ACTIVE` during activation to indicate that the user hasn't completed the asynchronous operation.
* The user's `status` is `ACTIVE` when the activation process is complete.
The user is emailed a one-time activation token if activated without a password.
> **Note:** If the user is assigned to an app that is configured for provisioning, the activation process triggers downstream provisioning to the app. It is possible for a user to sign in before these apps have been successfully provisioned for the user.
> **Important:** Do not generate or send a one-time activation token when activating users with an assigned password. Users should sign in with their assigned password.
For more information about the various scenarios of creating a user listed in the examples, see the [User creation scenarios](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#user-creation-scenarios) section.
+Creates a new user in your Okta org with or without credentials.<br>
> **Legal Disclaimer**
>
> After a user is added to the Okta directory, they receive an activation email. As part of signing up for this service,
> you agreed not to use Okta's service/product to spam and/or send unsolicited messages.
> Please refrain from adding unrelated accounts to the directory as Okta is not responsible for, and disclaims any and all
> liability associated with, the activation email's content. You, and you alone, bear responsibility for the emails sent to any recipients.
All responses return the created user. Activation of a user is an asynchronous operation. The system performs group reconciliation during activation and assigns the user to all apps via direct or indirect relationships (group memberships).
* The user's `transitioningToStatus` property is `ACTIVE` during activation to indicate that the user hasn't completed the asynchronous operation.
* The user's `status` is `ACTIVE` when the activation process is complete.
The user is emailed a one-time activation token if activated without a password.
> **Note:** If the user is assigned to an app that is configured for provisioning, the activation process triggers downstream provisioning to the app. It is possible for a user to sign in before these apps have been successfully provisioned for the user.
> **Important:** Do not generate or send a one-time activation token when activating users with an assigned password. Users should sign in with their assigned password.
For more information about the various scenarios of creating a user listed in the examples, see the [User creation scenarios](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#user-creation-scenarios) section.
```sql
INSERT INTO okta.users.users (
@@ -664,28 +664,28 @@ type
The default user profile is based on the [System for Cross-domain Identity Management: Core Schema](https://datatracker.ietf.org/doc/html/rfc7643).
-The only permitted customizations of the default profile are to update permissions, change whether the `firstName` and `lastName` properties are nullable, and specify a [pattern](https://developer.okta.com/docs/reference/api/schemas/#login-pattern-validation) for `login`. You can use the Profile Editor in the Admin Console or the [Schemas API](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UISchema/#tag/UISchema) to make schema modifications.
+The only permitted customizations of the default profile are to update permissions, change whether the `firstName` and `lastName` properties are nullable, and specify a [pattern](https://developer.okta.com/docs/reference/api/schemas/#login-pattern-validation) for `login`. You can use the Profile Editor in the Admin Console or the [Schemas API](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UISchema/#tag/UISchema) to make schema modifications.
You can extend user profiles with custom properties. You must first add the custom property to the user profile schema before you reference it.
-You can use the Profile Editor in the Admin Console or the [Schemas API](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UISchema/#tag/UISchema) to manage schema extensions.
+You can use the Profile Editor in the Admin Console or the [Schemas API](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UISchema/#tag/UISchema) to manage schema extensions.
Custom attributes can contain HTML tags. It's the client's responsibility to escape or encode this data before displaying it. Use [best-practices](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html) to prevent cross-site scripting.
- name: realmId
value: string
description: >
- The ID of the realm in which the user is residing. See [Realms](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/Realm/).
+ The ID of the realm in which the user is residing. See [Realms](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Realm/).
- name: type
value: object
description: >
- The ID of the user type. Add this value if you want to create a user with a non-default [User Type](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/).
-The user type determines which [schema](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/Schema/) applies to that user. After a user has been created, the user can
+ The ID of the user type. Add this value if you want to create a user with a non-default [User Type](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/).
+The user type determines which [schema](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/Schema/) applies to that user. After a user has been created, the user can
only be assigned a different user type by an administrator through a full replacement (`PUT`) operation.
- name: activate
value: boolean
- description: Executes an [activation lifecycle](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserLifecycle/#tag/UserLifecycle/operation/activateUser) operation when creating the user
+ description: Executes an [activation lifecycle](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserLifecycle/#tag/UserLifecycle/operation/activateUser) operation when creating the user
- name: provider
value: boolean
description: Indicates whether to create a user with a specified authentication provider
@@ -707,7 +707,7 @@ only be assigned a different user type by an administrator through a full replac
>
-Updates a user's profile or credentials with partial update semantics.
> **Important:** Use the `POST` method for partial updates. Unspecified properties are set to null with `PUT`.
`profile` and `credentials` can be updated independently or together with a single request.
> **Note**: Currently, the user type of a user can only be changed via a full replacement PUT operation. If the request parameters of a partial update include the type element from the user object,
the value must match the existing type of the user. Only admins are permitted to change the user type of a user; end users are not allowed to change their own user type.
> **Note**: To update a current user's profile with partial semantics, the `/api/v1/users/me` endpoint can be invoked.
>
> A user can only update profile properties for which the user has write access. Within the profile, if the user tries to update the primary or the secondary email IDs, verification emails are sent to those email IDs, and the fields are updated only upon verification.
If you are using this endpoint to set a password, it sets a password without validating existing user credentials. This is an administrative operation. For operations that validate credentials, refer to the [Reset password](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserCred/#tag/UserCred/operation/resetPassword), [Start forgot password flow](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserCred/#tag/UserCred/operation/forgotPassword), and [Update password](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserCred/#tag/UserCred/operation/changePassword) endpoints.
+Updates a user's profile or credentials with partial update semantics.
> **Important:** Use the `POST` method for partial updates. Unspecified properties are set to null with `PUT`.
`profile` and `credentials` can be updated independently or together with a single request.
> **Note**: Currently, the user type of a user can only be changed via a full replacement PUT operation. If the request parameters of a partial update include the type element from the user object,
the value must match the existing type of the user. Only admins are permitted to change the user type of a user; end users are not allowed to change their own user type.
> **Note**: To update a current user's profile with partial semantics, the `/api/v1/users/me` endpoint can be invoked.
>
> A user can only update profile properties for which the user has write access. Within the profile, if the user tries to update the primary or the secondary email IDs, verification emails are sent to those email IDs, and the fields are updated only upon verification.
If you are using this endpoint to set a password, it sets a password without validating existing user credentials. This is an administrative operation. For operations that validate credentials, refer to the [Reset password](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserCred/#tag/UserCred/operation/resetPassword), [Start forgot password flow](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserCred/#tag/UserCred/operation/forgotPassword), and [Update password](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserCred/#tag/UserCred/operation/changePassword) endpoints.
```sql
UPDATE okta.users.users
@@ -843,7 +843,7 @@ EXEC okta.users.users.end_user_sessions
-Activates a user.
Perform this operation only on users with a `STAGED` or `DEPROVISIONED` status. Activation of a user is an asynchronous operation.
* The user has the `transitioningToStatus` property with an `ACTIVE` value during activation. This indicates that the user hasn't completed the asynchronous operation.
* The user has an `ACTIVE` status when the activation process completes.
Users who don't have a password must complete the welcome flow by visiting the activation link to complete the transition to `ACTIVE` status.
> **Note:** If you want to send a branded user activation email, change the subdomain of your request to the custom domain that's associated with the brand.
> For example, change `subdomain.okta.com` to `custom.domain.one`. See [Multibrand and custom domains](https://developer.okta.com/docs/concepts/brands/#multibrand-and-custom-domains).
> **Note:** If you have optional password enabled, visiting the activation link is optional for users who aren't required to enroll a password.
> See [Create user with optional password](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#create-user-with-optional-password).
> **Legal disclaimer**
> After a user is added to the Okta directory, they receive an activation email. As part of signing up for this service,
> you agreed not to use Okta's service/product to spam and/or send unsolicited messages.
> Please refrain from adding unrelated accounts to the directory as Okta is not responsible for, and disclaims any and all
> liability associated with, the activation email's content. You, and you alone, bear responsibility for the emails sent to any recipients.
+Activates a user.
Perform this operation only on users with a `STAGED` or `DEPROVISIONED` status. Activation of a user is an asynchronous operation.
* The user has the `transitioningToStatus` property with an `ACTIVE` value during activation. This indicates that the user hasn't completed the asynchronous operation.
* The user has an `ACTIVE` status when the activation process completes.
Users who don't have a password must complete the welcome flow by visiting the activation link to complete the transition to `ACTIVE` status.
> **Note:** If you want to send a branded user activation email, change the subdomain of your request to the custom domain that's associated with the brand.
> For example, change `subdomain.okta.com` to `custom.domain.one`. See [Multibrand and custom domains](https://developer.okta.com/docs/concepts/brands/#multibrand-and-custom-domains).
> **Note:** If you have optional password enabled, visiting the activation link is optional for users who aren't required to enroll a password.
> See [Create user with optional password](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#create-user-with-optional-password).
> **Legal disclaimer**
> After a user is added to the Okta directory, they receive an activation email. As part of signing up for this service,
> you agreed not to use Okta's service/product to spam and/or send unsolicited messages.
> Please refrain from adding unrelated accounts to the directory as Okta is not responsible for, and disclaims any and all
> liability associated with, the activation email's content. You, and you alone, bear responsibility for the emails sent to any recipients.
```sql
EXEC okta.users.users.activate_user
@@ -883,7 +883,7 @@ EXEC okta.users.users.expire_password_with_temp_password
-Reactivates a user.
Perform this operation only on users with a `PROVISIONED` or `RECOVERY` [status](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#tag/User/operation/listUsers!c=200&path=status&t=response).
This operation restarts the activation workflow if for some reason the user activation wasn't completed when using the `activationToken` from [Activate User](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserLifecycle/#tag/UserLifecycle/operation/activateUser).
Users that don't have a password must complete the flow by completing the [Reset password](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserCred/#tag/UserCred/operation/resetPassword) flow and MFA enrollment steps to transition the user to `ACTIVE` status.
If `sendEmail` is `false`, returns an activation link for the user to set up their account. The activation token can be used to create a custom activation link.
+Reactivates a user.
Perform this operation only on users with a `PROVISIONED` or `RECOVERY` [status](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#tag/User/operation/listUsers!c=200&path=status&t=response).
This operation restarts the activation workflow if for some reason the user activation wasn't completed when using the `activationToken` from [Activate User](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserLifecycle/#tag/UserLifecycle/operation/activateUser).
Users that don't have a password must complete the flow by completing the [Reset password](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserCred/#tag/UserCred/operation/resetPassword) flow and MFA enrollment steps to transition the user to `ACTIVE` status.
If `sendEmail` is `false`, returns an activation link for the user to set up their account. The activation token can be used to create a custom activation link.
```sql
EXEC okta.users.users.reactivate_user
@@ -940,7 +940,7 @@ EXEC okta.users.users.unsuspend_user
-Updates a user's password by validating the user's current password.
This operation provides an option to delete all the sessions of the specified user. However, if the request is made in the context of a session owned by the specified user, that session isn't cleared.
You can only perform this operation on users in `STAGED`, `ACTIVE`, `PASSWORD_EXPIRED`, or `RECOVERY` status that have a valid [password credential](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#tag/User/operation/createUser!path=credentials/password&t=request).
The user transitions to `ACTIVE` status when successfully invoked in `RECOVERY` status.
> **Note:** The Okta account management policy doesn't support the `/users/{userId}/credentials/change_password` endpoint. See [Configure an Okta account management policy](https://developer.okta.com/docs/guides/okta-account-management-policy/main/).
+Updates a user's password by validating the user's current password.
This operation provides an option to delete all the sessions of the specified user. However, if the request is made in the context of a session owned by the specified user, that session isn't cleared.
You can only perform this operation on users in `STAGED`, `ACTIVE`, `PASSWORD_EXPIRED`, or `RECOVERY` status that have a valid [password credential](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#tag/User/operation/createUser!path=credentials/password&t=request).
The user transitions to `ACTIVE` status when successfully invoked in `RECOVERY` status.
> **Note:** The Okta account management policy doesn't support the `/users/{userId}/credentials/change_password` endpoint. See [Configure an Okta account management policy](https://developer.okta.com/docs/guides/okta-account-management-policy/main/).
```sql
EXEC okta.users.users.change_password
@@ -956,7 +956,7 @@ EXEC okta.users.users.change_password
-Updates a user's recovery question and answer credential by validating the user's current password.
You can only perform this operation on users in `STAGED`, `ACTIVE`, or `RECOVERY` status that have a valid [password credential](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#tag/User/operation/createUser!path=credentials/password&t=request).
+Updates a user's recovery question and answer credential by validating the user's current password.
You can only perform this operation on users in `STAGED`, `ACTIVE`, or `RECOVERY` status that have a valid [password credential](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#tag/User/operation/createUser!path=credentials/password&t=request).
```sql
EXEC okta.users.users.change_recovery_question
@@ -970,7 +970,7 @@ EXEC okta.users.users.change_recovery_question
-Starts the forgot password flow.
Generates a one-time token (OTT) that you can use to reset a user's password.
The user must validate their security question's answer when visiting the reset link. Perform this operation only on users with an `ACTIVE` status and
a valid [recovery question credential](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#tag/User/operation/createUser!path=credentials/recovery_question&t=request).
> **Note:** If you have migrated to Identity Engine, you can allow users to recover passwords with any enrolled MFA authenticator. See [Self-service account recovery](https://help.okta.com/oie/en-us/content/topics/identity-engine/authenticators/configure-sspr.htm?cshid=ext-config-sspr).
If an email address is associated with multiple users, keep in mind the following to ensure a successful password recovery lookup:
* Okta no longer includes deactivated users in the lookup.
* The lookup searches sign-in IDs first, then primary email addresses, and then secondary email addresses.
If `sendEmail` is `false`, returns a link for the user to reset their password. This operation doesn't affect the status of the user.
+Starts the forgot password flow.
Generates a one-time token (OTT) that you can use to reset a user's password.
The user must validate their security question's answer when visiting the reset link. Perform this operation only on users with an `ACTIVE` status and
a valid [recovery question credential](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#tag/User/operation/createUser!path=credentials/recovery_question&t=request).
> **Note:** If you have migrated to Identity Engine, you can allow users to recover passwords with any enrolled MFA authenticator. See [Self-service account recovery](https://help.okta.com/oie/en-us/content/topics/identity-engine/authenticators/configure-sspr.htm?cshid=ext-config-sspr).
If an email address is associated with multiple users, keep in mind the following to ensure a successful password recovery lookup:
* Okta no longer includes deactivated users in the lookup.
* The lookup searches sign-in IDs first, then primary email addresses, and then secondary email addresses.
If `sendEmail` is `false`, returns a link for the user to reset their password. This operation doesn't affect the status of the user.
```sql
EXEC okta.users.users.forgot_password
@@ -995,7 +995,7 @@ EXEC okta.users.users.forgot_password_set_new_password
-Revokes all active identity provider sessions of the user. This forces the user to authenticate on the next operation. Optionally revokes OpenID Connect and OAuth refresh and access tokens issued to the user.
You can also clear the user's remembered factors for all devices using the `forgetDevices` parameter. See [forgetDevices](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserSessions/#tag/UserSessions/operation/revokeUserSessions!in=query&path=forgetDevices&t=request).
> **Note:** This operation doesn't clear the sessions created for web or native apps.
+Revokes all active identity provider sessions of the user. This forces the user to authenticate on the next operation. Optionally revokes OpenID Connect and OAuth refresh and access tokens issued to the user.
You can also clear the user's remembered factors for all devices using the `forgetDevices` parameter. See [forgetDevices](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserSessions/#tag/UserSessions/operation/revokeUserSessions!in=query&path=forgetDevices&t=request).
> **Note:** This operation doesn't clear the sessions created for web or native apps.
```sql
EXEC okta.users.users.revoke_user_sessions
diff --git a/website/docs/services/zones/network_zones/index.md b/website/docs/services/zones/network_zones/index.md
index 79b3e08..1130f15 100644
--- a/website/docs/services/zones/network_zones/index.md
+++ b/website/docs/services/zones/network_zones/index.md
@@ -190,14 +190,14 @@ The following methods are available for this resource:
|
|
- subdomain |
+ subdomain, data__name, data__type |
|
Creates a Network Zone
* For an IP Network Zone, you must define either `gateways` or `proxies`.
* For a Dynamic Network Zone, you must define at least one of the following: `asns`, `locations`, or `proxyType`.
* For an Enhanced Dynamic Network Zone, you must define at least one of the following: `asns`, `locations`, or `ipServiceCategories`. |
|
|
- subdomain |
+ subdomain, data__name, data__type |
|
Replaces a Network Zone by `zoneId`. The replaced Network Zone type must be the same as the existing type.
You can replace the usage (`POLICY`, `BLOCKLIST`) of a Network Zone by updating the `usage` attribute.
**IP exempt zone**<br>
If you have the IP exempt zone feature enabled, you can allow traffic from specific gateway IPs irrespective of Okta ThreatInsight configurations, blocked network zones, or IP change events within Identity Threat Protection with Okta AI.<br>
<br>
When you enable this feature, Okta creates a zone called `DefaultExemptIpZone`. Gateway IPs that you add to this zone always have access to Okta resources. See [IP exempt zone](https://help.okta.com/okta_help.htm?type=oie&id=csh-about-ip-exempt-zone).
> **Note:** You can't add trusted proxy IPs to this zone, delete the zone, or create additional exempt IP zones. |
@@ -206,7 +206,7 @@ The following methods are available for this resource:
|
subdomain |
|
- Deletes a Network Zone by `zoneId`
> **Notes:**
> * You can't delete a Network Zone that's used by a [Policy](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/Policy/) or [Rule](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/Policy/#tag/Policy/operation/listPolicyRules).
> * For Okta Identity Engine orgs, you can't delete a Network Zone with an ACTIVE `status`. <x-lifecycle class="oie"></x-lifecycle> |
+ Deletes a Network Zone by `zoneId`
> **Notes:**
> * You can't delete a Network Zone that's used by a [Policy](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/Policy/) or [Rule](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/Policy/#tag/Policy/operation/listPolicyRules).
> * For Okta Identity Engine orgs, you can't delete a Network Zone with an ACTIVE `status`. <x-lifecycle class="oie"></x-lifecycle> |
|
@@ -439,7 +439,7 @@ usage;
>
-Deletes a Network Zone by `zoneId`
> **Notes:**
> * You can't delete a Network Zone that's used by a [Policy](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/Policy/) or [Rule](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/Policy/#tag/Policy/operation/listPolicyRules).
> * For Okta Identity Engine orgs, you can't delete a Network Zone with an ACTIVE `status`. <x-lifecycle class="oie"></x-lifecycle>
+Deletes a Network Zone by `zoneId`
> **Notes:**
> * You can't delete a Network Zone that's used by a [Policy](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/Policy/) or [Rule](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/Policy/#tag/Policy/operation/listPolicyRules).
> * For Okta Identity Engine orgs, you can't delete a Network Zone with an ACTIVE `status`. <x-lifecycle class="oie"></x-lifecycle>
```sql
DELETE FROM okta.zones.network_zones