Add rules to a policy

Add rules to define the scope of resources and how to grant privileged access to them. The rule types you can add depend on the policy type you've set up: an Okta service account policy only accepts Okta service account rules, while a default policy accepts server, secret, and SaaS app service account rules (any rule type except Okta service account).

You can add Default (Server, Secrets, or SaaS app service account) or Okta service account rules based on the policy that you've configured.

Before you begin

  • You must have an existing policy or be in the process of creating a policy. See Create or update a security policy.

  • You must have a security admin or delegated security admin role.

Add rules for a default policy

You can add this rule for server, secrets, and SaaS app service accounts.

  1. Go to Security Administration Policies.
  2. Select the policy where you want to add a rule.

  3. Select Add rule, and then select one of the following rule types:

    • Server rule

    • Secret rule

    • SaaS app service account rule

  4. If you selected Server rule, complete the following:

    Setting Action
    Rule name

    Enter a rule name

    Select the resources that you want to protect with this rule

    You can select resources by label or by name. Based on your selection, you need to perform other configurations.

    Select resources by label

    1. Toggle Select resources by label.

    2. In the Add resources field, search for and select a resource label. You can select multiple resource labels. See Security policy concepts to learn more about labels.

    Select resources by name

    1. Toggle Select resources by name.

    2. Select one or more accounts individually.

    Access method

    Select one or both of the following options for how principals access the resources.

    • Access resources by individual account

    • Access resources by vaulted account

    Based on your selection, you need to configure the following:

    Access resources by individual account

    This option allows principals to sign in to resources with an individual account that Okta creates and manages automatically.

    Select one of the following options:

    • User-level permissions

    • Admin-level permissions

    • User-level with sudo commands

    If you select User-level with sudo commands, complete the following extra steps:

    1. In the Sudo commands field, enter a command name and press enter to select. You can add a maximum of 10 sudo command bundles per rule.

    2. In the End-user Display Name field, enter a nickname for the collection of sudo command bundles. The nickname is limited to 64 characters and you can only use the following characters: 0–9, A-Z, a-z, , -, _, and space.

    Access resources by vaulted account

    Type the account name in the Select vaulted accounts field and press enter on your keyboard to select the account. You can add one or more accounts.

    Enable session recording

    Optional. Okta resource admins must enroll and install a gateway before enabling session recording.

    1. Select Enable traffic forwarding through gateways.

    2. Select Record session through gateways.

    Approval requests

    Optional. Create a Request Type in Access Requests first for the access request workflow to be visible in the security policy. See Okta Privileged Access with Access Requests.

    1. Select a workflow from the dropdown menu.

    2. Choose how long you want the approval to last.

    3. Select the setting to rotate the password after the approval duration ends.

    For Okta to take control of managing local account passwords on Windows servers, users must disable any password age restrictions that might prevent Okta from changing or rotating the password.

    Enable MFA

    Optional. Enable MFA to add a granular level of authentication and control within a policy.

    1. Toggle Enable MFA.

    2. Select one of the following options: Any two-factor types or Phishing resistant.

    3. Select one of the following re-authentication frequencies:

      • Every SSH or RDP connection attempt: You can choose to enforce MFA for each attempt to access the resource.

      • After the specified duration: By default, the specified duration is set to 30 minutes. You can specify a time duration ranging from 5 minutes to 12 hours.

    After the policy is implemented, when a user tries to connect with a resource, they'll need to complete the necessary MFA steps.

  5. If you selected Secret rule, complete the following:

    Setting Action
    Rule name

    Enter a rule name.

    Select the secret folder or secret you want to protect with this rule

    1. Click Select secret folder or secret.

    2. Select a secret folder or a secret.

    3. Click Save.

    Select permissions

    Select the permissions. You must select at least one permission. See Secret permissions for details.

    Approval requests

    Create a Request Type in Access Requests first for the access request workflow to be visible in the security policy. See Okta Privileged Access with Access Requests.

    1. Select the approval Request Type.

    2. Choose how long you want the approval to last.

    Enable MFA

    Optional. Enable MFA to add a granular level of authentication and control within a policy.

    1. Toggle Enable MFA.

    2. Select one of the following options: Any two-factor types or Phishing resistant.

    3. Select one of the following re-authentication frequencies:

      • Every guarded action a user takes: You can choose to enforce MFA for each guarded action on the secret.

      • After the specified duration: By default, the specified duration is set to 30 minutes. You can specify a time duration ranging from 5 minutes to 12 hours.

  6. If you selected SaaS app service account rule, complete the following:

    1. Enter a rule name.
    2. Select one of the following password update methods:

      • Automated

      • Manual

    3. If you selected the Automated method, complete the following:

      Setting Action
      Accounts to protect

      Select the accounts that you want to protect with this rule

      Select accounts by label

      1. Toggle Select accounts by label.

      2. Click the Accounts dropdown, and then add one or more labels.

      Select accounts by name

      1. Toggle Select accounts by name.

      2. Select one or more accounts individually.

      Approval requests

      Optional. You must create a Request Type in Access Requests first for the access request workflow to be visible in the security policy. See Okta Privileged Access with Access Requests.

      1. Select a workflow from the dropdown menu.

      2. Choose how long you want the approval to last.

      3. Select the setting to rotate the password after the approval duration ends.

      For Okta to take control of managing local account passwords on Windows servers, users must disable any password age restrictions that might prevent Okta from changing or rotating the password.

      Maximum checkout time

      Optional. This time limit applies to any resources in this policy that have checkout enabled.

      1. Toggle Override the project-level maximum checkout time.

      2. Set the Quantity and Unit.

    4. If you selected the Manual method, complete the following:

      Setting Action
      Permission for accounts

      Select Reveal, Update, or both.

      Accounts to protect

      Select accounts by label

      1. Toggle Select accounts by label.

      2. Click the Accounts dropdown, and then add one or more labels.

      Select accounts by name

      1. Toggle Select accounts by name.

      2. Select one or more accounts individually.

      Approval requests

      Optional. You must create a Request Type in Access Requests first for the access request workflow to be visible in the security policy. See Okta Privileged Access with Access Requests.

      1. Select a workflow from the dropdown menu.

      2. Choose how long you want the approval to last.

      3. Select the setting to rotate the password after the approval duration ends.

      For Okta to take control of managing local account passwords on Windows servers, users must disable any password age restrictions that might prevent Okta from changing or rotating the password.

  7. Click Save rule. You can now publish this policy.
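The note under Approval requests in steps 4 and 6 says that Okta can only rotate a local account password on a Windows server if password age restrictions are out of the way. The following script is added here as an example and is not Okta's own tooling: run in an elevated PowerShell session on the managed server, it reads the effective minimum password age, reports the state of the local accounts a rule will manage, and with -Fix clears the minimum age and the "User cannot change password" flag. The account names in $ManagedAccounts and the -Fix switch are assumptions of this example, not Okta settings.

```powershell
<#
Added example, not part of the Okta documentation: audit (and optionally fix)
the Windows local password-age settings that can stop Okta Privileged Access
from rotating a local account password after an approval ends.
Run in an elevated Windows PowerShell 5.1+ session on the managed server.
Assumptions: the names in $ManagedAccounts are placeholders, and -Fix is a
convention of this script rather than an Okta setting.
#>
[CmdletBinding()]
param(
    [string[]]$ManagedAccounts = @('svc-deploy', 'localadmin'),  # placeholder names
    [switch]$Fix
)

function Get-MinimumPasswordAgeDays {
    # 'net accounts' prints the effective local policy, including a line such as
    # "Minimum password age (days):   1". A non-zero value rejects a password
    # change made sooner than that many days after the previous change.
    foreach ($line in (net accounts)) {
        if ($line -match 'Minimum password age \(days\):\s+(\d+)') {
            return [int]$Matches[1]
        }
    }
    throw 'Could not parse minimum password age from "net accounts" output'
}

function Get-LocalAccountRotationState {
    # Collects the per-account flags that matter for password rotation.
    param([Parameter(Mandatory)][string]$Name)
    $u = Get-LocalUser -Name $Name -ErrorAction Stop
    [pscustomobject]@{
        Name                  = $u.Name
        Enabled               = $u.Enabled
        UserMayChangePassword = $u.UserMayChangePassword   # $false = "User cannot change password"
        PasswordExpires       = $u.PasswordExpires
        PasswordLastSet       = $u.PasswordLastSet
    }
}

$minAge = Get-MinimumPasswordAgeDays
Write-Host "Minimum password age (days): $minAge"
if ($minAge -gt 0) {
    Write-Warning "A minimum password age of $minAge day(s) blocks rotation within that window."
    if ($Fix) {
        # This edits local policy only. On a domain-joined server the domain
        # password policy (GPO) wins and will reapply; change it there instead.
        net accounts /minpwage:0 | Out-Null
        Write-Host "Minimum password age is now $(Get-MinimumPasswordAgeDays) day(s)"
    }
}

foreach ($name in $ManagedAccounts) {
    try {
        $state = Get-LocalAccountRotationState -Name $name
    } catch {
        Write-Warning "Local account '$name' not found: $($_.Exception.Message)"
        continue
    }
    $state | Format-List | Out-String | Write-Host
    if (-not $state.UserMayChangePassword) {
        Write-Warning "'$name' has 'User cannot change password' set."
        if ($Fix) { Set-LocalUser -Name $name -UserMayChangePassword $true }
    }
}
```

Run it once without -Fix to see what would change, and re-run it after Okta's first rotation: if the minimum password age has returned to a non-zero value, a domain or local GPO is reapplying it and the change has to be made in that policy rather than on the server.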

Add rules for Okta service account policy

Add this rule to an Okta service account policy.

  1. Go to Security Administration Policies.
  2. Select the policy where you want to add a rule.

  3. Select Add rule, and then complete the following:

    Setting Action

    Rule name

    Enter a rule name.

    Accounts to protect

    You can select resources by label or by name. Based on your selection, you need to perform other configurations.

    Select accounts by name

    1. Toggle Select accounts by name.

    2. Select one or more accounts individually.

    Approval requests

    Optional. You must create a Request Type in Access Requests first for the access request workflow to be visible in the security policy. See Okta Privileged Access with Access Requests.

    1. Select a workflow from the dropdown menu.

    2. Choose how long you want the approval to last.

    3. Select the setting to rotate the password after the approval duration ends.

    For Okta to take control of managing local account passwords on Windows servers, users must disable any password age restrictions that might prevent Okta from changing or rotating the password.

    Maximum checkout time

    Optional. This time limit applies to any resources in this policy that have checkout enabled.

    1. Toggle Override the project-level maximum checkout time.

    2. Set the Amount and Duration.

  4. Click Save rule.

  5. Click Save policy. You can now publish this policy.

Related topics

Security policy

Okta Privileged Access with Access Requests