Advanced Server Access components
An Advanced Server Access deployment contains a combination of the following components:
- Teams: The first step of every Advanced Server Access deployment is to create a team. A team can be considered a top-level container that contains all of the resources for a particular deployment.
- Groups: A group is a collection of users with some set of associated permissions. Two default groups are created for each deployment: everyone and owners. A group can have one or more team roles assigned to it. Members of a group inherit all roles and permissions of the group.
- Projects: A project is an authorization scope, similar to a domain in Active Directory. Each project associates a collection of resources (including users and servers) with a set of configurations, which include Role-Based Access Control (RBAC) and access policies.
- Users: A user is a person who belongs to a team. A user's permissions in Advanced Server Access are determined by their group memberships. Users authorize clients to be added to their client inventory so that they can receive credentials.
- Service user: Advanced Server Access supports automation through creating service users, which are granted permission to access specific operations in the Advanced Server Access platform, such as enabling trusted services to be granted access to your infrastructure. Service users can be added to groups in the same manner as non-service users. They differ from non-service users by using API keys for authentication purposes.
- Clients: Users install and enroll the Advanced Server Access client on their workstations in order to connect to servers enrolled in their team. The client is a multiplatform desktop application and command-line tool that mostly runs in the background to enable client integrations and manage authentication from a workstation.
- Servers: SSH and RDP access to servers is managed by the Advanced Server Access server agent. A server is enrolled in an Advanced Server Access project and the agent is installed on the server to allow authorized users to access it. A server can only be enrolled into one project. Servers can be enrolled into Advanced Server Access projects either automatically by associating a cloud account with a project, or by using enrollment tokens.
- Server user accounts: The Advanced Server Access server agent manages user accounts on Windows and Linux servers. If a user is deactivated in Okta, the server agent removes any related server user accounts, preventing unwanted access.
- Entitlements: Sudo entitlements can be created to allow non-admin users to use specific sudo commands without granting them the level of control that admins hold. Advanced Server Access admins can create a system of layered permissions, specifying the exact commands that users can run, based on the groups that they belong to.
- Attributes: Attributes are configuration settings that specify various characteristics of users and groups, such as Unix and Windows server usernames, UIDs, and GIDs. These attributes can be generated by following predetermined parameters. Administrators have full control over the attributes of the users and groups in their teams, which they can modify to avoid or resolve any attribute conflicts in existing deployments.