Group Management


Advanced Server Access provides group management by optionally allowing a group of users in Advanced Server Access which has been granted permissions on a project to be synchronized as a local system group to servers in that project.

No additional configurations are added to Advanced Server Access-managed groupsGroups allow you to organize your end users and the apps they can access. Assigning apps to large sets of end users is made easier with groups.. These synchronized groups exist to support extensible configuration of permissions for users managed by Advanced Server Access with external configuration management tools. When a group is granted AdminAn abbreviation of administrator. This is the individual(s) who have access to the Okta Administrator Dashboard. They control the provisioning and deprovisioning of end users, the assigning of apps, the resetting of passwords, and the overall end user experience. Only administrators have the Administration button on the upper right side of the My Applications page. rights on a project, those rights are managed independently of Advanced Server Access’s group management. It is not required to synchronize a group in order to grant Admin rights to that group.

By default, user groups in Advanced Server Access are not synchronized to servers. This feature must be explicitly enabled for each group to be managed.

Advanced Server Access’s Group Management feature is currently only generally available for Linux. Please contact Support to learn about our roadmap for supporting this feature on Windows.

Creating a Group

This feature can be enabled when adding a group to a project or when updating a group that is on a project by checking the box to "Sync groups to servers." The group will only be synced to servers that are enrolled in the project(s) on which you have enabled the flag for that group.

Groups managed by Advanced Server Access will contain the server user accounts that correspond to the Advanced Server Access users present in that group in the Advanced Server Access platform.

Synchronized Group Name

On Linux

To avoid naming collisions, groups created by the agentA software agent is a lightweight program that runs as a service outside of Okta. It is typically installed behind a firewall and allows Okta to tunnel communication between an on-premises service and Okta's cloud service. Okta employs several agent types: Active Directory, LDAP, RADIUS, RSA, Active Directory Password Sync, and IWA. For example, users can install multiple Active Directory agents to ensure that the integration is robust and highly available across geographic locations. are prefixed with sft_. Groups created by Advanced Server Access are assigned a GID on a per project basis incrementally, starting with 63001. If the agent encounters a conflict with either the name or GID, it will attempt to take ownership of the conflicting group.

Viewing a Group

You can verify what groups the agent will manage from the Permissions tab of the project under the Managed Server Groups section.

Updating a Group

To change whether or not a group will be synced to a server and managed by the agent, you may use the “Edit” button from the “Permissions” tab for the project. Check the “Sync groups to servers” option. If you later edit this group to not be synced to the server, the group will be deleted from the server and any users that were members of the group will be removed from it.

Deleting a Group

If you remove the group from the project or disable syncing the group to the project, the group will be removed from the server.