Advanced Server Access components

An Advanced Server Access deployment contains a combination of the following components:

Components Description
Teams A team is a top-level container that contains every resource for a particular deployment. Each team has a unique name and an associated Identity Provider (IdP).

All other configuration objects in Advanced Server Access are scoped to a specific team.

Groups A group is a collection of users with some set of associated permissions. Two default groups are created for each deployment: everyone and owners.

A group can have one or more team roles assigned to it. Every member of a group inherits the assigned roles.

Projects A project is an authorization scope, similar to a domain in Active Directory. Each project associates a collection of resources (including users and servers) with a set of configurations, which include Role-Based Access Control (RBAC) and access policies.
Dynamic Credentials Advanced Server Access credentials are short-lived ephemeral objects used to provide access to project resources. Teams can think of projects as programmable Certificate Authorities used to issue these ephemeral certificates. At the base level, certificates contain the following information:
  • The Advanced Server Access project for which the certificate was issued
  • The username to be used on the server of the Advanced Server Access user to whom the certificate was issued
  • The time at which the certificate expires
Users A user is a person who belongs to a team and authenticates with that team's IdP. Advanced Server Access defines user permissions based on group memberships.

Users authorize clients to be added to their client inventory so that they can receive credentials.

Service user Service users are special accounts that aren't tied to a real person. Teams can use a service user to automate actions using the Advanced Server Access API or to grant access to specific operations in the Advanced Server Access platform. See Service users.
Clients The Advanced Server Access client is a command-line tool that's installed on a workstation. After a user installs and enrolls the client in an Advanced Server Access project, the client provides access to server resources that are enrolled within the same project. See Advanced Server Access clients.
Servers The Advanced Server Access server agent controls SSH (Secure Shell) and RDP (Remote Desktop Protocol) access to remote servers enrolled in an Advanced Server Access project.

A server is only enrolled in a single project. Teams can automatically enroll servers into projects with an associated cloud account, or manually with an enrollment token. See Advanced Server Access server agents.

Server user accounts The Advanced Server Access server agent manages user accounts on Windows and Linux servers.

If a user is deactivated in Okta, the server agent removes any related user accounts on the server to prevent unwanted access.

Entitlements Entitlements can allow non-admin users to use specific sudo commands without granting super user permissions.

Teams can create a system of layered permissions based off which groups a user belongs to.

Attributes Attributes specify various characteristics of users and groups. This can include Unix or Windows usernames, UIDs, and GIDs.

Teams can generate attributes around predetermined parameters. Admins have full control of the users and groups attributes for their team which they can modify to avoid or resolve any attribute conflicts in existing deployments.

Related topics