Okta Privileged Access with Access Requests

When customers sign up for Okta Privileged Access, an Access Requests org is provisioned, and a team is automatically generated. By default, Access Requests provisions accounts for all Okta super admins and Access Requests admins, but any other users or groups must be explicitly authorized.

When you integrate Okta Privileged Access with Access Requests, the Okta Privileged Access security admin can include a request/approval requirement in the security policy. An Access Requests admin configures the request approval conditions by creating a Request Type, and then the Okta Privileged Access security admin can use the Request Type in the Okta Privileged Access security policy. Security admins can protect access to privileged resources by adding a condition that requires end users to send a request to access a resource. A designated user or a user group must approve the request.

How Access Requests works with Okta Privileged Access

Step User Task

1.

Okta Access Requests Administrator

Creates one or more Request Types to be used in the Okta Privileged Access security policy.

2.

 Okta Privileged Access Security Administrator Enables conditions in the security policy to require approval before granting privileged access to a resource. This is done by adding a rule to a policy and selecting the Request Type to use.

3.

 Okta Privileged Access User

User tries to access a privileged resource.

The user's request is checked against the Okta Privileged Access policy, and based on the policy, an access request is automatically initiated if required.

4.

Okta Privileged Access Request approvers

Approves or rejects the request.

Approvers receive notification that a pending approval is needed. The approval process is based on how the Access Request solution is configured and the channels used by the organization to notify the approver.

Set Up Okta Privileged Access Connection in Access Request

Okta Privileged Access is provisioned with a set of Access Requests capabilities. When setting up an Okta Privileged Access connection in Access Requests, you must configure the Okta Privileged Access connector in Access Requests, and then create one or more Request Types. Once the Request Type is created and published, the approval conditions are visible in the Okta Privileged Access security policy. Okta Privileged Access security administrators can then enable those conditions. After the condition is enabled to require request approval, when users try to access a resource, an access request is automatically initiated.

Access Requests admin, the requester (end user), and the approver can use the Access Requests console to view updates relevant to their request. For example, the end user can view the status of their request, and approvers can view the history of requests they received.

When setting up Access Requests with Okta Privileged Access, the ability to create a resource list is unavailable.

Prerequisites

  • Ensure that you're signed in as an Access Requests admin.

  • Ensure that the latest version of the Okta Privileged Access client installed.

Configure the Okta Privileged Access connection in Access Requests

The first step is to establish a Okta Privileged Access connection in Access Requests. Once the connection is established between Okta Privileged Access and Access Requests, you can create the Request Types that will be visible in the Okta Privileged Access security policy.

  1. In the Access Requests console, go to Settings.

  2. Click Connect on the Okta Privileged Access card.

  3. On the dialog that appears, do the following:

    1. Enter your Okta Privileged Access team name and click Connect.

    2. Under Teams, use the dropdown menu and select your Okta Privileged Access team.

    3. Ensure that Approve Access Request and Deny Access Request are enabled.

    4. Click Update connection.

Create a Request Type

You must complete several specified and required steps to successfully build a Request Type that works with an Okta Privileged Access policy. At minimum, you must add the following steps in the request/approval process:

  • A top-level approval task
  • An action to approve the request
  • An action to deny the request

Optionally, you can add other steps to the process. For example, you can require the end user to provide a business justification for the request.

Okta Privileged Access doesn't use or enforce the due date setting in Access Requests.

Task 1: Add the Request Type details

  1. In the Access Requests console, go to Teams All.
  2. Click the Privileged Access card.
  3. Select the Request types tab.
  4. Click Add request type.
  5. In the dialog that appears, do the following:
    1. Enter a name and add a description. Take note of the name, as you need it when creating a Okta Privileged Access policy.
    2. Select a Team.
    3. Select an Audience.
    4. Click Continue.

Task 2: Add an approval task

You must add a top-level approval task to the Request Type.

  1. Click Add to request type on the Approval section.

  2. On the Tasks and Actions page, do the following:

    1. In the Text field, enter the text that displays in the Access Request question.

    2. Select Make it a required task .

    3. In the Assigned to field, select an assignee. This is the approver for your request.

Task 3: Configure approve Access Requests action

  1. Click Action Okta Privileged Access.

  2. Select Approve Access Request. A new action item is created.

  3. In the Text field, enter the text that is displayed in the question.

  4. Select Make it a required.

  5. Select Run automatically to run the action automatically. The Assigned to file is automatically populated.

  6. Optional. Set a due date.

  7. Select the Logic tab and do the following:

    1. Select Only show this task if from the dropdown menu.

    2. On Field or task, select the name of the approval task you created and then select is approved.

Task 4: Update the logic in approval tasks

  1. Select the approval task that you created earlier. There will now be a Logic tab available for configuration.

  2. Click the Logic tab.

  3. Select Always show this task.

Task 5: Configure deny Access Requests task

  1. Click Action Okta Privileged Access.

  2. Select Deny Access Request. A new action item is created.

  3. In the Text field, enter a subject for the task.

  4. Select Make it a required task .

  5. Select Run automatically to run this action automatically. The Assigned to field is automatically populated.

  6. Optional. Add a due date.

  7. Select the Logic tab and do the following:

    1. Select Only show this task if from the drop-down menu.

    2. On the Field or task, select the name of the approval task you created.

    3. In the Conditions field, select is denied.

  8. Review you and then click Publish.

Okta Privileged Access security administrator can now enable this newly created Request Type condition when creating a policy. See Create or update a security policy.

Task 6: Test Access Requests configuration

To test Access Requests with Okta Privileged Access, you must complete the following steps:

  1. Add your server and local accounts to Okta Privileged Access. See Configure server settings .
  2. Create a policy to protect access to one more onboarded account. See Create or update a security policy.
  3. Publish the policy. See Publish a policy.
  4. End users can then use the Okta Privileged Access client to test the configuration by accessing the server to SSH into the account that requires an approval. See Use the Okta Privileged Access client.
  5. When a user tries to access a server, a request is automatically generated and the approver receives the access request notification. The status of the request can be viewed on the Access Requests console.

Related topic

Create or update a security policy

Rule conditions