# Okta_Group

> An Okta user group

<img noZoom src="https://mintcdn.com/specterops/tTIczgde9H07oLXf/assets/enterprise-AND-community-edition-pill-tag.svg?fit=max&auto=format&n=tTIczgde9H07oLXf&q=85&s=ad49a576589f4d2a8081df77d07fdf56" alt="Applies to BloodHound Enterprise and CE" width="482" height="45" data-path="assets/enterprise-AND-community-edition-pill-tag.svg" />

## Overview

Groups in Okta are collections of users that can be used to manage access to applications and resources. Groups can be created manually or synchronized from external directories such as Active Directory. The built-in **Everyone** group always contains all users in the Okta organization. Only users can be members of groups, and groups cannot be nested.

Groups are represented as Okta\_Group nodes in BloodHound.

## Edges

<Note>
  The tables below list edges defined by the Okta extension only. Additional edges to or from this node may be created by other extensions.
</Note>

### Inbound Edges

| Edge Type                                                                                | Source Node Types                                                                                                                                                                            | Traversable |
| ---------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- |
| [Okta\_AddMember](/opengraph/extensions/okta/edges/okta_addmember)                       | [Okta\_User](/opengraph/extensions/okta/nodes/okta_user), [Okta\_Group](/opengraph/extensions/okta/nodes/okta_group), [Okta\_Application](/opengraph/extensions/okta/nodes/okta_application) | ✅           |
| [Okta\_Contains](/opengraph/extensions/okta/edges/okta_contains)                         | [Okta\_Organization](/opengraph/extensions/okta/nodes/okta_organization)                                                                                                                     | ✅           |
| [Okta\_GroupAdmin](/opengraph/extensions/okta/edges/okta_groupadmin)                     | [Okta\_User](/opengraph/extensions/okta/nodes/okta_user), [Okta\_Group](/opengraph/extensions/okta/nodes/okta_group), [Okta\_Application](/opengraph/extensions/okta/nodes/okta_application) | ✅           |
| [Okta\_GroupMembershipAdmin](/opengraph/extensions/okta/edges/okta_groupmembershipadmin) | [Okta\_User](/opengraph/extensions/okta/nodes/okta_user), [Okta\_Group](/opengraph/extensions/okta/nodes/okta_group), [Okta\_Application](/opengraph/extensions/okta/nodes/okta_application) | ✅           |
| [Okta\_GroupPull](/opengraph/extensions/okta/edges/okta_grouppull)                       | [Okta\_Application](/opengraph/extensions/okta/nodes/okta_application)                                                                                                                       | ✅           |
| [Okta\_IdpGroupAssignment](/opengraph/extensions/okta/edges/okta_idpgroupassignment)     | [Okta\_IdentityProvider](/opengraph/extensions/okta/nodes/okta_identityprovider)                                                                                                             | ❌           |
| [Okta\_MemberOf](/opengraph/extensions/okta/edges/okta_memberof)                         | [Okta\_User](/opengraph/extensions/okta/nodes/okta_user)                                                                                                                                     | ✅           |
| [Okta\_MembershipSync](/opengraph/extensions/okta/edges/okta_membershipsync)             | [Okta\_Group](/opengraph/extensions/okta/nodes/okta_group), [Group](/resources/nodes/group), [AZGroup](/resources/nodes/az-group)                                                            | ✅           |
| [Okta\_OrgAdmin](/opengraph/extensions/okta/edges/okta_orgadmin)                         | [Okta\_User](/opengraph/extensions/okta/nodes/okta_user), [Okta\_Group](/opengraph/extensions/okta/nodes/okta_group), [Okta\_Application](/opengraph/extensions/okta/nodes/okta_application) | ✅           |
| [Okta\_ResourceSetContains](/opengraph/extensions/okta/edges/okta_resourcesetcontains)   | [Okta\_ResourceSet](/opengraph/extensions/okta/nodes/okta_resourceset)                                                                                                                       | ✅           |
| [Okta\_ScopedTo](/opengraph/extensions/okta/edges/okta_scopedto)                         | [Okta\_RoleAssignment](/opengraph/extensions/okta/nodes/okta_roleassignment)                                                                                                                 | ❌           |

### Outbound Edges

| Edge Type                                                                                | Destination Node Types                                                                                                                                                             | Traversable |
| ---------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- |
| [Okta\_AddMember](/opengraph/extensions/okta/edges/okta_addmember)                       | [Okta\_Group](/opengraph/extensions/okta/nodes/okta_group)                                                                                                                         | ✅           |
| [Okta\_AppAdmin](/opengraph/extensions/okta/edges/okta_appadmin)                         | [Okta\_Application](/opengraph/extensions/okta/nodes/okta_application), [Okta\_ApiServiceIntegration](/opengraph/extensions/okta/nodes/okta_apiserviceintegration)                 | ✅           |
| [Okta\_AppAssignment](/opengraph/extensions/okta/edges/okta_appassignment)               | [Okta\_Application](/opengraph/extensions/okta/nodes/okta_application)                                                                                                             | ❌           |
| [Okta\_GroupAdmin](/opengraph/extensions/okta/edges/okta_groupadmin)                     | [Okta\_User](/opengraph/extensions/okta/nodes/okta_user), [Okta\_Group](/opengraph/extensions/okta/nodes/okta_group)                                                               | ✅           |
| [Okta\_GroupMembershipAdmin](/opengraph/extensions/okta/edges/okta_groupmembershipadmin) | [Okta\_Group](/opengraph/extensions/okta/nodes/okta_group)                                                                                                                         | ✅           |
| [Okta\_GroupPush](/opengraph/extensions/okta/edges/okta_grouppush)                       | [Okta\_Application](/opengraph/extensions/okta/nodes/okta_application)                                                                                                             | ❌           |
| [Okta\_HasRole](/opengraph/extensions/okta/edges/okta_hasrole)                           | [Okta\_Role](/opengraph/extensions/okta/nodes/okta_role), [Okta\_CustomRole](/opengraph/extensions/okta/nodes/okta_customrole)                                                     | ❌           |
| [Okta\_HasRoleAssignment](/opengraph/extensions/okta/edges/okta_hasroleassignment)       | [Okta\_RoleAssignment](/opengraph/extensions/okta/nodes/okta_roleassignment)                                                                                                       | ❌           |
| [Okta\_HelpDeskAdmin](/opengraph/extensions/okta/edges/okta_helpdeskadmin)               | [Okta\_User](/opengraph/extensions/okta/nodes/okta_user)                                                                                                                           | ✅           |
| [Okta\_ManageApp](/opengraph/extensions/okta/edges/okta_manageapp)                       | [Okta\_Application](/opengraph/extensions/okta/nodes/okta_application)                                                                                                             | ✅           |
| [Okta\_MembershipSync](/opengraph/extensions/okta/edges/okta_membershipsync)             | [Okta\_Group](/opengraph/extensions/okta/nodes/okta_group), [Group](/resources/nodes/group), [AZGroup](/resources/nodes/az-group)                                                  | ✅           |
| [Okta\_MobileAdmin](/opengraph/extensions/okta/edges/okta_mobileadmin)                   | [Okta\_Device](/opengraph/extensions/okta/nodes/okta_device)                                                                                                                       | ✅           |
| [Okta\_OrgAdmin](/opengraph/extensions/okta/edges/okta_orgadmin)                         | [Okta\_User](/opengraph/extensions/okta/nodes/okta_user), [Okta\_Group](/opengraph/extensions/okta/nodes/okta_group), [Okta\_Device](/opengraph/extensions/okta/nodes/okta_device) | ✅           |
| [Okta\_ReadClientSecret](/opengraph/extensions/okta/edges/okta_readclientsecret)         | [Okta\_ClientSecret](/opengraph/extensions/okta/nodes/okta_clientsecret)                                                                                                           | ✅           |
| [Okta\_ResetFactors](/opengraph/extensions/okta/edges/okta_resetfactors)                 | [Okta\_User](/opengraph/extensions/okta/nodes/okta_user)                                                                                                                           | ✅           |
| [Okta\_ResetPassword](/opengraph/extensions/okta/edges/okta_resetpassword)               | [Okta\_User](/opengraph/extensions/okta/nodes/okta_user)                                                                                                                           | ✅           |
| [Okta\_SuperAdmin](/opengraph/extensions/okta/edges/okta_superadmin)                     | [Okta\_Organization](/opengraph/extensions/okta/nodes/okta_organization)                                                                                                           | ✅           |

## Properties

Standard Okta group properties:

| Name                    | Source                        | Type       | Description                                                       |
| ----------------------- | ----------------------------- | ---------- | ----------------------------------------------------------------- |
| `id`                    | `group.id`                    | `string`   | Unique group identifier.                                          |
| `name`                  | `group.profile.name`          | `string`   | Group name in Okta (or synchronized source).                      |
| `displayName`           | `group.profile.name`          | `string`   | Display label used in BloodHound.                                 |
| `description`           | `group.profile.description`   | `string`   | Group description text.                                           |
| `oktaDomain`            | Collector context (non-API)   | `string`   | Okta organization domain where the group exists.                  |
| `hasRoleAssignments`    | Calculated                    | `bool`     | Indicates whether the group is assigned any administrative roles. |
| `oktaGroupType`         | `group.type`                  | `string`   | Group type (for example `OKTA_GROUP`, `APP_GROUP`, `BUILT_IN`).   |
| `objectClass`           | `group.objectClass[0]`        | `string`   | Source object class (for example AD security principal).          |
| `created`               | `group.created`               | `datetime` | Group creation timestamp.                                         |
| `lastUpdated`           | `group.lastUpdated`           | `datetime` | Last update timestamp.                                            |
| `lastMembershipUpdated` | `group.lastMembershipUpdated` | `datetime` | Last membership change timestamp.                                 |

Additional properties of groups synchronized from Active Directory:

| Name                  | Source                                     | Type     | Description                                                  |
| --------------------- | ------------------------------------------ | -------- | ------------------------------------------------------------ |
| `objectSid`           | `group.profile.objectSid`                  | `string` | Security Identifier (SID) for the AD group.                  |
| `distinguishedName`   | `group.profile.dn`                         | `string` | Active Directory distinguished name.                         |
| `samAccountName`      | `group.profile.samAccountName`             | `string` | Security Account Manager (SAM) account name.                 |
| `domainQualifiedName` | `group.profile.windowsDomainQualifiedName` | `string` | Domain-qualified name of the AD group.                       |
| `groupScope`          | `group.profile.groupScope`                 | `string` | AD group scope (for example global, domainLocal, universal). |
| `groupType`           | `group.profile.groupType`                  | `string` | AD group type, i.e., security or distribution.               |
| `objectGuid`          | `Base64ToGuid(group.profile.externalId)`   | `string` | AD object GUID.                                              |

## Sample Property Values

Example of a group created directly in Okta:

```yaml theme={null}
id: 00gxg12p4kFOkyXLb697
name: Engineering
displayName: Engineering
description: Engineering department group
oktaDomain: contoso.okta.com
hasRoleAssignments: false
oktaGroupType: OKTA_GROUP
objectClass: okta:user_group
created: 2025-11-14T08:00:25+00:00
lastUpdated: 2025-11-14T08:00:25+00:00
lastMembershipUpdated: 2025-11-14T08:00:25+00:00
```

Example of a group synchronized from Active Directory:

```yaml theme={null}
id: 00gxga7s3yDJ71OzW697
name: Sales
displayName: Sales
description: Sales department group
oktaDomain: contoso.okta.com
hasRoleAssignments: false
oktaGroupType: APP_GROUP
objectClass: okta:windows_security_principal
objectSid: S-1-5-21-71365889-924527929-2677699343-2536
distinguishedName: CN=Sales,CN=Groups,DC=contoso,DC=local
samAccountName: Sales
domainQualifiedName: CONTOSO\Sales
groupScope: Global
groupType: Security
objectGuid: 4ab65ef0-ab82-4017-b5ee-1c20facd4d6a
created: 2025-11-14T12:58:13+00:00
lastUpdated: 2025-11-14T13:05:44+00:00
lastMembershipUpdated: 2025-11-14T12:58:13+00:00
```

## Synchronization with External Directories

Like users, groups can be synchronized from external directories. The Okta API exposes the original Active Directory attributes:

<img src="https://mintcdn.com/specterops/vLZ2lUIRm_HibFmq/images/extensions/okta/bloodhound-ad-synced-group.png?fit=max&auto=format&n=vLZ2lUIRm_HibFmq&q=85&s=a2ae4ecf4bebffa96058096b8fdba21c" alt="Group synchronized from AD" width="1371" height="1217" data-path="images/extensions/okta/bloodhound-ad-synced-group.png" />

Nested (transitive) group memberships in Active Directory are always flattened (resolved) when synchronized to Okta, as illustrated below:

```mermaid theme={null}
graph TB
    subgraph ad["Active Directory"]
        ag1("Group A")
        ag2("Group B")
        u1("User 1")
        u2("User 2")
        u1 -- MemberOf --> ag1
        u2 -- MemberOf --> ag2
        ag2 -- MemberOf --> ag1
    end
    subgraph Okta
        og1("Okta_Group A")
        og2("Okta_Group B")
        u1o("Okta_User 1")
        u2o("Okta_User 2")
        u1o -- Okta_MemberOf --> og1
        u2o -- Okta_MemberOf --> og1
        u2o -- Okta_MemberOf --> og2
    end
    ad == Sync ==> Okta
```
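The flattening shown in the diagram can be reproduced offline to check which direct `Okta_MemberOf` edges a nested AD structure should produce, and to compare that expectation with collected data. This is an added example, not code from BloodHound or the Okta extension; the function names and the edge-list input format are hypothetical, and the sample edges are constructed from the diagram.

```python
from collections import defaultdict

# Constructed AD edges mirroring the diagram: (member, group) pairs.
AD_MEMBER_OF = [
    ("User 1", "Group A"),
    ("User 2", "Group B"),
    ("Group B", "Group A"),  # nested group membership in AD
]
AD_GROUPS = {"Group A", "Group B"}


def flatten_memberships(member_of, groups):
    """Resolve nested AD memberships into direct (user, group) pairs."""
    parents = defaultdict(set)
    for member, group in member_of:
        parents[member].add(group)

    flat = set()
    for principal in parents:
        if principal in groups:
            continue  # Okta groups hold users only, so group-to-group edges disappear
        seen, stack = set(), list(parents[principal])
        while stack:
            group = stack.pop()
            if group in seen:
                continue  # guards against circular nesting in AD
            seen.add(group)
            stack.extend(parents.get(group, ()))
        flat.update((principal, g) for g in seen)
    return flat


def membership_drift(expected, observed):
    """Compare expected flattened edges with collected Okta_MemberOf edges."""
    return {
        "missing": sorted(expected - observed),
        "unexpected": sorted(observed - expected),
    }
```

An `unexpected` entry for a group whose `hasRoleAssignments` is true is worth reviewing first, since that membership does not trace back to the synchronized directory.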
