Configure agent lifecycle management hooks for Advanced Server Access

The Advanced Server Access lifecycle hooks feature exposes an event bus on your servers that receives notifications when membership changes are made to local users and group configurations on your Linux systems. Advanced Server Access administrators can customize these lifecycle hooks with scripts to fit any routine tasks that need to be executed when these changes occur. Local scripts are also run globally, matching any files that are under the /usr/lib/sftd/hooks directory. You can discover which operating system objects are affected depending on which event is occurring, and see which scripts are being run. See Directories and scripts and Lifecycle-related environment variables.


Use the following steps as a guide to perform an on-host setup.

Before you begin, make sure you have an active Advanced Server Access session open, and that you have admin authority on your target Linux server.

Create a custom script

  1. From the command line, use SSH to connect to one of your target Linux servers.

  2. Switch to root by running sudo su

  3. Create a directory for the hooks script with the following command:

    mkdir -p /usr/lib/sftd/hooks/user-created.d

  4. Using a text editor, create a file named and copy/paste the following bash script:

    Note: The following is an example that demonstrates the basic functionality of agent lifecycle hooks. Modify the script as needed to fit your specific integration.

    #!/bin/bash SOURCE_FILES=/opt/sourcefiles cp $SOURCE_FILES/App?/home/"${SFT_HOOK_USERNAME}" if [ $? -eq 0 ] then echo "Successfully copied source files into /home/"${SFT_HOOK_USERNAME}"" >> /tmp/sourcefiles.out else echo "Error Copying source files into /home/"${SFT_HOOK_USERNAME}"" >> /tmp/sourcefiles.out
  5. Grant the script execute access:

    chmod 755

  6. Run the ls -l command and confirm that permissions have been correctly set. The output should resemble the following:

    -rwxr-xr-x 1 root root 316 Jun 30 14:54

Create source files

  1. Create a directory for the source files by running the following commands:

    cd /opt mkdir sourcefiles
  2. Next, create the source files with the following commands:

    cd sourcefiles touch App1 App2 App3
  3. Run the ls command and confirm that the files App1, App2, and App3 have been created.

Create a Okta user and assign them to an authorized group

  1. As an Okta administrator, go to the Admin Dashboard of the Okta tenant that manages your Advanced Server Access application.

  2. Go to Applications and click Okta Advanced Server Access.

  3. Click Assignments and then Groups. Remember the name of the group that has been assigned the application.

  4. In the Admin Console, select Directory , People and then Add Person.

  5. Create a user with a memorable name.

  6. In the Admin Console, go to Directory, and then click Groups. From here, select the group that was assigned to Advanced Server Access in step 3.

Add the group to your project

  1. In the Admin Console, click My Applications, and then select Okta Advanced Server Access.

  2. Click Projects.

  3. Click the project that you want to add the group to.

  4. Click the Groups tab, then click Add Group to Project.

  5. In the Group field, enter the name of the group to add, select the group, then click Create Group.

  6. Ensure that the user has been added to the project. Click the Users tab for the project and search for the user.

Validate user provisioning on your Linux server

  1. From the Linux command prompt, enter the following commands:

    cd /home ls -l
  2. Verify that the home directory for your new user has been created.

  3. Switch to the new user's home directory by running cd <username>.

    You can verify that the files App1, App2, and App3 exist in the user's home directory with the ls command.

This is how you can use Advanced Server Access agent lifecycle hooks to integrate any host-local automation, system, or external user directory with your users and groups in Okta.

Related information

Directories and scripts

The sections below detail which directories and scripts are invoked depending on the user or group event that occurred. The event type is captured in the SFT_HOOK_EVENT variable. See Lifecycle-related environment variables.


  • user-created

    When a user is created, scripts in /usr/lib/sftd/hooks/user-created.d/*.sh are executed.

  • user-updated

    When a user is updated, scripts in /usr/lib/sftd/hooks/user-updated.d/*.sh are executed.

  • user-deleted

    When a user is deleted, scripts in /usr/lib/sftd/hooks/user-deleted.d/*.sh are executed.


  • group-created

    When a group is created, scripts in /usr/lib/sftd/hooks/group-created.d/*.sh are executed.

  • group-updated

    When a group is updated, scripts in /usr/lib/sftd/hooks/group-updated.d/*.sh are executed.

  • group-deleted

    When a group is deprovisioned scripts, in /usr/lib/sftd/hooks/group-deleted.d/*.sh are executed.

Scripts returned from the global path are sorted numerically.

Lifecycle-related environment variables


Hook Environment variable Contents
user-created SFT_HOOK_EVENT user-created
user-created SFT_HOOK_USERNAME alice.smith
user-updated SFT_HOOK_EVENT user-updated
user-updated SFT_HOOK_USERNAME alice.smith
user-deleted SFT_HOOK_EVENT user-deleted
user-deleted SFT_HOOK_USERNAME alice.smith


Hook Environment variable Contents
group-created SFT_HOOK_EVENT group-created
group-created SFT_HOOK_GROUPNAME everyone
group-updated SFT_HOOK_EVENT group-updated
group-updated SFT_HOOK_GROUPNAME AWS-eng
group-deleted SFT_HOOK_EVENT group-deleted
group-deleted SFT_HOOK_GROUPNAME t1-support