Checkout

The Okta Privileged Access checkout feature restricts access to privileged accounts to one user at a time for a specific duration. This allows orgs to track use and limit access to a set time frame. Depending on the resource type, users may stay signed in if active. Okta doesn't terminate checkout sessions. When access expires, Okta rotates the resource credentials. Admins can also force a resource check-in to make it available to other users.

Okta Privileged Access only manages user account passwords and doesn't handle the rotation of SSH keys or any other credentials.

How checkout works

Security admins can enable checkout for accounts within a specific project. After a security admin enables checkout, any policy that includes these accounts enforces it. You can set default maximum checkout periods for each project and resource, but you can also override these in the policy rules. Also, you can force users to check in a resource in critical situations such as threat detection.

Users can access accounts with checkout capabilities through their Okta Privileged Access dashboard. They can check out available accounts and are notified of the access duration. After they're done, they can check in the resources, and Okta rotates the credential for another user to check out. Depending on whether Access Requests or MFA are required, and their expiration or frequency, Okta may prompt the user to complete a challenge.
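The lifecycle described above, as an added Python model for illustration (not Okta code and not the Okta Privileged Access API). The class, method and parameter names are hypothetical, and expiry is evaluated lazily on the next call as a simplification.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional
import secrets


@dataclass
class Account:
    """Toy model of one privileged account with checkout enabled."""
    name: str
    default_max: timedelta            # default maximum checkout period
    holder: Optional[str] = None      # at most one user at a time
    expires_at: Optional[datetime] = None
    password: str = field(default_factory=lambda: secrets.token_urlsafe(16))
    rotations: int = 0

    def _rotate(self) -> None:
        # Check-in, expiry and forced check-in all end in a password rotation.
        self.password = secrets.token_urlsafe(16)
        self.rotations += 1
        self.holder = self.expires_at = None

    def _expire_if_due(self, now: datetime) -> None:
        if self.holder is not None and now >= self.expires_at:
            self._rotate()

    def check_out(self, user: str, now: datetime,
                  rule_max: Optional[timedelta] = None) -> datetime:
        self._expire_if_due(now)
        if self.holder is not None:
            raise PermissionError(f"{self.name} is checked out by {self.holder}")
        # A maximum set in the policy rule overrides the default.
        self.holder = user
        self.expires_at = now + (rule_max or self.default_max)
        return self.expires_at        # the user is told the access duration

    def check_in(self, user: str, now: datetime) -> None:
        self._expire_if_due(now)
        if self.holder != user:
            raise PermissionError(f"{user} does not hold {self.name}")
        self._rotate()

    def force_check_in(self, now: datetime) -> None:
        # Admin action: frees the account regardless of who holds it.
        self._expire_if_due(now)
        if self.holder is not None:
            self._rotate()
```

The model tracks only the holder and the password; a session the user already opened is outside it, in line with the statement that Okta doesn't terminate checkout sessions.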

Related topics

Enable checkout

Force a checkin

Security policy

Use the Okta Privileged Access client

Okta Privileged Access user guide