Okta Privileged Access accounts

Okta Privileged Access allows Okta users to access servers through a local server account. Each of these individual user accounts, created and managed by Okta on the server, is referred to as the principal account for the Okta user.

These local server accounts can either be created on-demand or persist across multiple logins. The Okta Privileged Access agent installed on the server is responsible for the addition and removal of these accounts.

The default account setting is on-demand. Resource admins or delegated resource admins can enable persistent accounts for a project. Only one user account can be used at a time.

On-demand account

When a user attempts to access a server, Okta Privileged Access creates an account. While it's active, the account grants the on-demand user regular user permissions, but not administrative permissions.

On-demand accounts are deleted when the user logs out, loses access to the server, or their access request expires. On Windows servers, the user account associated with the session and its home directory are removed when the account expires. This also deletes any data stored within the user's home directory.

To connect to a server through a bastion or Okta Privileged Access gateway, the server must be accessible on port 4421 from the bastion or gateway. For direct connections, the server must be accessible on port 4421 from the client. See Configure the Okta Privileged Access server agent.

Persistent account

Okta Privileged Access doesn't prevent a user with permissions granted through the security policy from performing any action that a regular operating system user can perform. This includes adding SSH keys to the ~/.ssh/authorized_keys file in the user's home directory on Linux systems, which allows access to the system outside of Okta Privileged Access security policies.

Okta recommends that resource admins use this feature cautiously and disable persistent accounts when ongoing access isn't intended for users assigned to Okta Privileged Access.
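Because a persistent account's home directory survives between logins, a resource admin can audit which Okta-managed accounts on a server carry SSH keys that would grant access outside the Okta Privileged Access policy. The script below is an added example, not Okta's own tooling: it walks a home-directory root (assumed to be /home in production; the sample tree is constructed here so the script runs offline), counts key lines in each ~/.ssh/authorized_keys, and reports any account whose count is above zero.

```shell
#!/bin/sh
# Added example (not Okta's code): find persistent accounts whose
# ~/.ssh/authorized_keys holds keys, i.e. an access path outside
# Okta Privileged Access security policies.

# Print "<user><TAB><keycount>" for every home directory under $1
# that has at least one key line. Blank and comment lines are skipped.
list_authorized_keys() {
  root="$1"
  for home in "$root"/*; do
    [ -d "$home" ] || continue
    keyfile="$home/.ssh/authorized_keys"
    [ -f "$keyfile" ] || continue
    # grep -c prints 0 and exits 1 when nothing matches; keep n numeric.
    n=$(grep -cvE '^[[:space:]]*(#|$)' "$keyfile") || n=0
    if [ "$n" -gt 0 ]; then
      printf '%s\t%s\n' "$(basename "$home")" "$n"
    fi
  done
  return 0
}

# Total key lines across all accounts under $1. On a host where only
# OPA-brokered access is intended, any value above 0 merits a look.
count_authorized_keys() {
  list_authorized_keys "$1" | awk -F '\t' '{ s += $2 } END { print s + 0 }'
}

# Constructed sample tree so the audit can be exercised without touching
# a real server: alice has one key (plus a comment and a blank line),
# bob has two, carol has no .ssh directory at all.
make_sample_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/alice/.ssh" "$d/bob/.ssh" "$d/carol"
  printf '# comment line\n\nssh-ed25519 AAAA...sample-alice\n' > "$d/alice/.ssh/authorized_keys"
  printf 'ssh-rsa AAAA...sample-bob-1\nssh-rsa AAAA...sample-bob-2\n' > "$d/bob/.ssh/authorized_keys"
  echo "$d"
}

# Usage: list_authorized_keys /home ; count_authorized_keys /home
```

Run it from a scheduled job on each server in the project and feed the output to whatever alerting you already use; the per-user line tells you which principal account to inspect, and the total gives a single number to threshold on.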

In Okta Privileged Access, you can enable persistent accounts for any project. Once enabled, a local account is automatically created on every server in the project for each user assigned to Okta Privileged Access. Accounts are created regardless of the security policy settings, but users can access the server through these accounts only if they've been granted access through a security policy.

When a user logs in to one of these servers, they use the account that corresponds to their username in Okta Privileged Access. The username depends on the operating system of the server, which can be either unix_username or windows_username. See User attributes for additional information.

When you activate persistent accounts and then deactivate them, all user accounts managed by Okta are deleted. If multiple users share an identical attribute such as unix_uid, unix_username, or windows_username, Okta Privileged Access can't determine which user should receive that username or UID. As a result, a warning message is displayed on the project, and those users aren't synced to any servers until an administrator makes their attributes unique.

To configure persistent accounts for a project, enable the Account lifecycle setting in a project at any time.

Related topics

Projects

Add rules to a policy