Security policy

A security policy controls which principals are granted privileged access to one or more resources. You can create the following types of policies:

Default: Applies to servers, secrets, and SaaS app service accounts.
Okta service accounts: Applies to Okta user accounts that are managed as service accounts.

As a security admin, you create a policy, assign principals to the policy, and add one or more rules. When creating a rule, you can establish specific conditions that users must meet to access a resource that's safeguarded by Okta Privileged Access. These rules can be customized for different resources by stacking or adding them until they cover all the privileged access needed for the set of principals. By doing this, you can set different controls over different resources to ensure that only authorized users can access them.

You can assign security administration to groups assigned as delegated security admins. The delegated security admins can then create policies that apply to resource groups for which they're the security owners. Security policies written by delegated security admins only apply to the resource group that they selected when creating the policy. See Add a delegated security admin.

Before you begin

Ensure that you're signed in to Okta Privileged Access.
You must have the Okta Privileged Access security admin role for the Default policy type.
The policy for Okta service accounts requires the user to have the Okta Privileged Access security admin role and the super admin role.
Review Security policy concepts.
Learn how multiple authentication and authorization conditions affect user access. See Rule conditions.

Create or update a security policy

To create a policy, you need to add a policy name, assign principals, and create rules that apply to the principals. After a policy is created, it must be published. A policy doesn't have any effect until it's published.

Create a default policy

User the default option to create policies for servers, secrets, or SaaS app accounts.

Go to Security Administration Policies.
Click Create policy, and then select Default.
Enter a policy name and description.
Delegate policy administration by selecting one of the following options:
- All resource groups
- Specific resource groups. If you select this option, click the dropdown menu and select a resource group.
Click Add Principals, or click the edit icon (pencil) to update.
Select one or more groups that you want to add or modify, and then click Save.
Click Add Rule.
Click Add rule, and then configure the rule settings. See Add rules for a default policy for instructions.
Click Save policy. You can now publish this policy.

Create a policy for Okta service accounts

Use this policy for Okta privileged accounts.

Go to Security Administration Policies.
Click Create policy, and then select Okta privileged account.
Enter a policy name and description.
Delegate policy administration by selecting one of the following options:
- All resource groups
- Specific resource groups. If you select this option, click the dropdown menu and select a resource group.
Click Add Principals, or click the edit icon (pencil) to update.
Select one or more groups that you want to add or modify, and then click Save.
Click Add rule, and then configure the rule settings. See Add rules for Okta service account policy for instructions.
Click Save. You can now publish this policy.

Publish a policy

After a policy is created it must be published.

When a published policy is changed, the changes are applied immediately without the need to publish the policy again.

Go to Security Administration Policies.
On the policy you want to publish, click Actions.
Click Publish to grant access to the policy.

Clone a policy

Security admins can clone an existing policy instead of creating an entirely new policy from scratch.

Go to Security Administration Policies.
On the policy you want to clone, click Actions.
Select Clone.
Click Save Policy.