Add rules to a policy

Add rules to define the scope of resources and how to grant privileged access to these resources. The type of rule you can add depends on the policy type you've set up. The Okta service account policy only allows you to add rule types for Okta, while the default policy lets you add rules for any policy type except Okta.

Before you begin

  • You must have an existing policy or be in the process of creating a policy. See Create or update a security policy.
  • You must have a security admin or delegated security admin role

Add rules for a default policy

You can add this rule for server, secrets, SaaS app service accounts, or Active Directory accounts.

  1. Go to Security AdministrationPolicies.

  2. Select the policy where you want to add a rule.
  3. Select Add rule, and then select one of the rule type: Server rule, Secret rule, SaaS app service account rule, or Active Directory account rule
  4. Complete one of the following based on your selection in the previous step:
  5. Click Save rule. You can now publish this policy.

Configure server rule

If you selected Server rule, complete the following:

Setting Action

Rule name

Enter a rule name

Select the resources that you want to protect with this rule

You can select resources by label or by name. Based on your selection, you need to perform other configurations.

Select servers by label

  1. Toggle on Select resources by label.
  2. In the Add resources field, search for and select a resource label. You can select multiple resource labels
  3. Select one or both of the following access methods: Access resources by individual account or Access resources by vaulted account.
  4. If you selected Access resources by individual account, select on of the following options: User-level permissions, Admin-level permissions, or User-level with sudo commands.
  5. If you selected User-level with sudo commands, complete the following steps:
    1. In the Sudo commands field, enter a command name and press enter to select. You can add a maximum of 10 sudo command bundles per rule.
    2. In the End-user Display Name field, enter a nickname for the collection of sudo command bundles. The nickname is limited to 64 characters and you can only use the following characters: 0–9, A-Z, a-z, , -, _, and space.
  6. If you selected Access resources by vaulted account, type the account name in the Select vaulted accounts field and press enter on your keyboard to select the account. You can add one or more accounts.

Select accounts by label

  1. Toggle on Select resources by name.
  2. Select one or more servers individually.

Enable session recording

Optional. Okta resource admins must enroll and install a gateway before enabling session recording.

  1. Select Enable traffic forwarding through gateways.
  2. Select Record session through gateways.

Approval requests

Optional. Create a request type in Access Requests first for the access request workflow to be visible in the security policy. See Okta Privileged Access with Access Requests.

  1. Toggle on Enable approval requests.
  2. Select the approval request type.
  3. Choose how long you want the approval to last.

Permissions for accounts

Optional. Click Reveal to enable users to decrypt the credentials of vaulted accounts and view them in plain text.

Enable MFA

Optional. Enable MFA to add a granular level of authentication and control within a policy.

  1. Toggle on Enable MFA.
  2. Select one of the following options: Any two-factor types or Phishing resistant.
  3. Select one of the following re-authentication frequencies: Every SSH or RDP connection attempt (Enforces MFA for each attempt to access the resource) or After the specified duration (Specify a time duration between five minutes and 12 hours, with the default being 30 minutes).

After the policy is implemented, when a user tries to connect with a resource, they'll need to complete the necessary MFA steps.

Configure secret rule

If you selected Secret rule, compete the following:

Setting Action

Rule name

Enter a rule name.

Select the secret folder or secret you want to protect with this rule
  1. Click Select secret folder or secret.
  2. Select a secret folder or a secret
  3. Click Save.

Select permissions

Select the permissions. You must select at least one permission. See Secret permissions for details.

Approval requests

Create a request type in Access Requests first for the access request workflow to be visible in the security policy. See Okta Privileged Access with Access Requests.

  1. Toggle on Enable approval requests.
  2. Select the approval request type.
  3. Choose how long you want the approval to last.

Enable MFA

Optional. Enable MFA to add a granular level of authentication and control within a policy.

  1. Toggle on Enable MFA.
  2. Select one of the following options: Any two-factor types or Phishing resistant.
  3. Select one of the following re-authentication frequencies:
    • Every SSH or RDP connection attempt: Enforces MFA for each attempt to access the resource.
    • After the specified duration: Specify a time duration between 5 minutes and 12 hours, with the default being 30 minutes.

Configure SaaS app service account rule

If you selected SaaS app service account rule, complete the following:

  1. Enter a rule name.
  2. Select one of the following password update methods:
    • Automated
    • Manual
  3. If you selected the Automated method, complete the following:
    SettingAction

    Accounts to protect

    You can select resources by label or by name. Based on your selection, you need to perform other configurations.

    1. Toggle on Select accounts by label.
    2. Click the Accounts dropdown list, and then add one or more labels.
    3. Toggle on Select resources by name.
    4. Select one or more accounts individually.

    Approval requests

    Optional. You must create a request type in Access Requests first so that the access request workflow is visible in the security policy. See Okta Privileged Access with Access Requests.

    1. Toggle on Enable approval requests.
    2. Select the approval request type.
    3. Choose how long you want the approval to last.

    Permissions for accounts

    Optional. Select at least one of the following:

    • Reveal: Enables the user to decrypt credentials and view it in plain text.
    • Rotate Password: Grants the user permission to rotate the password.
    • Optional. Select Override Managed Password. This allows users to override the password to handle out-of-band password changes.

    Enable MFA

    Optional. Enable MFA to add a granular level of authentication and control within a policy.

    1. Toggle on Enable MFA.
    2. Select one of the following options: Any two-factor types or Phishing resistant.
    3. Select one of the following re-authentication frequencies:
      • Every guarded action a user takes: Enforces MFA for each attempt to access the resource.
      • After the specified duration: Specify a time duration between five minutes and 12 hours, with the default being 30 minutes.

    After the policy is implemented, when a user tries to connect with a resource, they need to complete the necessary MFA steps.

    Maximum checkout time

    Optional. This time limit applies to any resources in this policy that has checkout enabled.

    1. Toggle on Override the project-level maximum checkout time.
    2. Set the Quantity and Unit.
  4. If you selected the Manual method, complete the following:
    SettingAction

    Permission for accounts

    Optional. Select at least one of the following:

    • Reveal: Enables the user to decrypt credentials and view it in plain text.
    • Update: Grants the user permission to change the credential value.

    Accounts to protect

    1. Toggle on Select resources by name.
    2. Click the Accounts dropdown list, and then add one or more labels.
    3. Toggle on Select resources by name.
    4. Select one or more accounts individually.

    Approval requests

    Optional. You must create a request type in Access Requests first so that the access request workflow is visible in the security policy. See Okta Privileged Access with Access Requests.

    1. Toggle on Enable approval requests.
    2. Select the approval request type.
    3. Choose how long you want the approval to last.

    Enable MFA

    Optional. Enable MFA to add a granular level of authentication and control within a policy.

    1. Toggle on Enable MFA.
    2. Select one of the following options: Any two-factor types or Phishing resistant.
    3. Select one of the following re-authentication frequencies:
      • Every guarded action a user takes: Enforces MFA for each attempt to access the resource.
      • After the specified duration: Specify a time duration between five minutes and 12 hours, with the default being 30 minutes.

    After the policy is implemented, when a user tries to connect with a resource, they need to complete the necessary MFA steps.

Configure Active Directory account rule

If the security policy is configured for a specific resource group, then both the Active Directory account and the server must belong to the same resource group. Otherwise, remote access through RDP fails, preventing successful connection.

If you selected Active Directory account rule, complete the following:

Setting Action

Rule name

Enter a rule name.

Accounts to protect
  1. Click the Select individual accounts checkbox.
  2. Optional. Select an Operator, and then enter a Value.
  3. Optional. Enter one or more domain names in the Domains field.
  4. Click the Select shared accounts by matching names checkbox.
  5. Enter one or more accounts in the Accounts name field.
  6. Optional. Enter one or more domain names in the Domains field.
  7. Under Select share accounts by specific accounts, use the search bar to search for an account, and then select one or more accounts.

Shared Accounts by Name match any account by that name. The account doesn't need to exist and any account, now or in the future, which has that name is a match.

When selecting specific accounts, you're actually selecting an exact account and SID. If the account is deleted and recreated in that domain with the same name but a different SID it will no longer be a match for this policy and would need to be reselected.

Permissions for account

Select at least one of the following options:

  • Reveal: Enables the user to decrypt credentials and view it in plain text.
  • Rotate Password: Grants the user permission to rotate the password.
  • RDP session: Grants the user permission to initiate an RDP session on Windows servers.
  • The following option becomes available when you select RDP session . You can specify servers in an Active Directory (AD) policy rule, allowing users to start RDP sessions on those servers with the targeted AD accounts.
    1. Select By label.
    2. In the Add resources field, search for and select a server label. You can select multiple server labels.
    3. Select By name, and then select one or more servers individually.
    4. Choose one of the following options to determine Okta Privileged Access's management of local group membership. The first two options add the account to either the Administrators group or the Remote Desktop Users group. If you're using another method for managing local groups, select Not to be added to any local groups.
      • Be added to "Remote Desktop Users" group
      • Be added to "Administrators" group
      • Not be added to any local group.

      This doesn't apply to domain controllers unless the sftd.yaml file on the domain controller is configured to allow group management. See Windows domain controller.

  • SSH Session: Enables authenticated Active Directory domain accounts to connect to Linux servers in their AD domain though SSH.

    Using a non-fully qualified username without an existing local user prevents Active Directory account creation and causes sign-in failure.

    1. Select By label.
    2. In the Add resources field, search for and select a server label. You can select multiple server labels.
    3. Select By name, and then select one or more servers individually.

Session recording

Optional. Okta resource admins must enroll and install a gateway before enabling session recording.

  1. Select Enable traffic forwarding through gateways.
  2. Select Record session through gateways.

If you enable traffic forwarding and session recording, this condition applies to both RDP and SSH sessions.

Approval requests

Optional. You must create a request type in Access Requests first for the access request workflow to be visible in the security policy. See Okta Privileged Access with Access Requests.

  1. Toggle on Enable approval requests.
  2. Select the approval request type.
  3. Choose how long you want the approval to last.

Enable MFA

Optional. Enable MFA to add a granular level of authentication and control within a policy.

  1. Toggle on Enable MFA.
  2. Select one of the following options: Any two-factor types or Phishing resistant.
  3. Select one of the following re-authentication frequencies:
    • Every SSH or RDP connection attempt: Enforces MFA for each attempt to access the resource.
    • After the specified duration: Specify a time duration between 5 minutes and 12 hours, with the default being 30 minutes.

After the policy is implemented, when a user tries to connect with a resource, they'll need to complete the necessary MFA steps.

Maximum checkout time

Optional. This time limit applies to any resources in this policy that has checkout enabled.

  1. Toggle on Override the project-level maximum checkout time.
  2. Set the Amount and Duration.

Add rules for Okta service account policy

Add this rule for Okta service accounts policy.

  1. Go to Security AdministrationPolicies.

  2. Select the policy where you want to add a rule.
  3. Select Add rule, and then complete the following:
    SettingAction

    Rule name

    Enter a rule name.

    Accounts to protect

    You can select resources by label or by name. Based on your selection, you need to perform other configurations.

    Select accounts by name

    1. Toggle on Select accounts by name.
    2. Select one or more accounts individually.

    Approval requests

    Optional. You must create a request type in Access Requests first for the access request workflow to be visible in the security policy. See Okta Privileged Access with Access Requests.

    1. Toggle on Enable approval requests.
    2. Select the approval request type.
    3. Choose how long you want the approval to last.

    Enable MFA

    Optional. Enable MFA to add a granular level of authentication and control within a policy.

    1. Toggle on Enable MFA.
    2. Select one of the following options: Any two-factor types or Phishing resistant.
    3. Select one of the following re-authentication frequencies:
      • Every guarded action a user takes: Enforces MFA for each attempt to access the resource.
      • After the specified duration: Specify a time duration between 5 minutes and 12 hours, with the default being 30 minutes.

    After the policy is implemented, when a user tries to connect with a resource, they'll need to complete the necessary MFA steps.

    Maximum checkout time

    Optional. This time limit applies to any resources in this policy that has checkout enabled.

    1. Toggle on Override the project-level maximum checkout time.
    2. Set the Amount and Duration.
  4. Click Save rule.
  5. Click Save policy. You can now publish this policy.

Related topics

Security policy

Okta Privileged Access with Access Requests