Active Directory account rules
Early Access release
Active Directory (AD) account rules are designed to automate the management of AD accounts in Okta Privileged Access.
There are two types of account rules:
- Shared account rules: Used to manage accounts that multiple people use and that don't belong to a single user. These accounts are shared among a team, such as an admin account owned by the Active Directory team or a shipping account managed by the logistics team.
- Individual account rules: Meant for accounts that belong to specific users. In an AD environment, privileged users typically have separate dedicated accounts so that their daily accounts don't have privileged access. These admin accounts are intended solely for individual use and are named with a prefix or suffix that indicates they're admin accounts. For example, they may look like adm.Jane.Doe@ad.domain.net or clark.kent-admin@ad.dailyplanet.org. Before creating an individual account rule, you must configure the individual account settings.
An individual account rule determines how Okta Privileged Access maps an individual account to its primary user. A policy rule then controls whether a user can access their own individual admin account and specifies the conditions applied to that access. A user can only view their own individual account.
Okta Privileged Access supports several options for correlating these accounts with their respective owners.
Before you begin
- You must have an Okta Privileged Access resource admin role.
- Review requirements and limitations and complete the required steps.
- To create an individual account rule, you must first configure individual account rule settings.
Configure individual account rule settings
If you haven't configured this setting yet, a notice in a yellow banner is visible on the Account rules page.
- On the Okta Privileged Access dashboard, go to .
- Select the Active Directory tab, and then select the AD domain you want to configure.
- Click Configure settings on the notification banner.
- Specify the user matching criteria for exact matches. Select one or more of the following:
  - Account name
  - First and last name
  - Display name
  - Email
  - Starts with (prefix)
  - Ends with (suffix)
  You can configure multiple prefix and suffix strings along with the other options. When several options are set up, they function as an OR operation: any one of the configured options can correlate and assign an individual account. If multiple Active Directory (AD) accounts match a single user, all of those accounts are assigned to that user, so a single user can own several AD accounts.
Examples for Starts with and Ends with configuration
The following examples show how you can use the Starts with and Ends with operators:
- For naming schemes like admin.Username, you can filter by entering: Starts with = admin.
- For naming schemes such as Username-A, you can filter by entering: Ends with = -A.
- For multiple naming schemes like tier0.Username, tier1.Username, tier2.Username, you can filter by entering:
  - Starts with = tier0
  - Starts with = tier1
  - Starts with = tier2
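As an added example (not Okta's code, and not a description of its matching engine), the following Python models the OR semantics described above: each enabled criterion is tried independently, several AD accounts can land on one user, and accounts that correlate to nobody are surfaced so an orphaned admin account in the OU does not go unnoticed. The dict keys, the affix-stripping rule for Starts with and Ends with, and the sample users and accounts are this example's own assumptions.

```python
# Added illustration (not Okta's code) of the OR-combined matching criteria described above;
# users and AD accounts are plain dicts whose attribute names are this example's own.

def _eq(a: str, b: str) -> bool:
    # Case-insensitive exact match; an empty attribute never matches anything.
    return bool(a) and a.casefold() == b.casefold()

def matches(acct: dict, user: dict, s: dict) -> bool:
    # Any one enabled criterion in settings s is enough to correlate acct with user (OR).
    for flag, a_key, u_key in (("account_name", "sam", "username"),
                               ("display_name", "display", "display"), ("email", "email", "email")):
        if s.get(flag) and _eq(acct.get(a_key, ""), user[u_key]):
            return True
    if s.get("first_last") and _eq(acct.get("first", ""), user["first"]) and _eq(acct.get("last", ""), user["last"]):
        return True
    # Assumption: a prefix/suffix entry strips the affix from the account name and the
    # remainder must equal the user's username, so a bare "adm." never matches anyone.
    name = acct["sam"].casefold()
    for p in s.get("prefixes", []):
        if name.startswith(p.casefold()) and _eq(name[len(p):], user["username"]):
            return True
    for x in s.get("suffixes", []):
        if name.endswith(x.casefold()) and _eq(name[:len(name) - len(x)], user["username"]):
            return True
    return False
def correlate(accounts: list, users: list, settings: dict) -> tuple:
    # owned: username -> its account names (a user may own several);
    # unmatched: accounts in the OU that correlate to no user.
    owned = {u["username"]: [] for u in users}
    unmatched = []
    for a in accounts:
        owners = [u["username"] for u in users if matches(a, u, settings)]
        if not owners:
            unmatched.append(a["sam"])
        for o in owners:
            owned[o].append(a["sam"])
    return owned, unmatched

USERS = [  # constructed sample data, not from the page
    {"username": "jane.doe", "first": "Jane", "last": "Doe", "display": "Jane Doe", "email": "jane.doe@example.test"},
    {"username": "clark.kent", "first": "Clark", "last": "Kent", "display": "Clark Kent", "email": "ck@example.test"},
]
ACCOUNTS = [
    {"sam": "adm.jane.doe"},                        # Starts with = adm.
    {"sam": "tier0.jane.doe"},                      # Starts with = tier0. (same owner, second account)
    {"sam": "clark.kent-admin"},                    # Ends with = -admin
    {"sam": "ckent2", "email": "ck@example.test"},  # Email criterion
    {"sam": "adm.legacy"},                          # no owner: an orphaned admin account to review
]
SETTINGS = {"email": True, "prefixes": ["adm.", "tier0."], "suffixes": ["-admin"]}
```

Running correlate(ACCOUNTS, USERS, SETTINGS) assigns both prefixed accounts to jane.doe and lists adm.legacy as unmatched, which is the list a resource admin would want to review.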
Create an individual account rule
You can create multiple rules for an Active Directory (AD) domain. Each rule specifies whether it's mapping a shared or individual account, the organizational unit (OU) under which the rule is defined, and the resource group and project to which the accounts will be assigned.
You must configure the individual account rule setting to create an individual account rule. Individual account rules are disabled until the individual account rule settings are configured.
Accounts must be imported into Okta before Okta Privileged Access can discover them. The AD agent import frequency determines how often new accounts appear in Okta Privileged Access.
- Open the Okta Privileged Access dashboard.
- On the Okta Privileged Access dashboard, go to .
- Select the Active Directory tab, and then select the AD domain you want to configure.
- Select the Account rules tab.
- Click , and then complete the following steps:
  - Select a Rule type.
  - Enter a Rule name.
  - Select a Resource group.
  - Select a Project.
  - Specify an organizational unit, for example, ou=AdminAccounts,ou=Privileged,dc=corp,dc=atko,dc=biz
  - Optional. Click Add another input to add another OU.
If there is more than one rule, a new rule is given the lowest priority. To change the priority, see Edit rule priority.
Create a shared account rule
Create shared account rules to manage accounts that multiple people use.
- On the Okta Privileged Access dashboard, go to .
- Select the Active Directory tab, and then select the AD domain you want to configure.
- Select the Account rules tab.
- Click , and then complete the following steps:
  - Select a Rule type.
  - Enter a Rule name.
  - Select a Resource group.
  - Select a Project.
  - Specify an OU. For example, ou=SharedAccounts,dc=Privileged,dc=corp,dc=atko,dc=biz
  - Optional. Click Add another input to add another OU.
If there is more than one rule, a new rule is given the lowest priority. To change the priority, see Edit rule priority.
Edit rule priority
If there is more than one rule, every new rule is added with the lowest priority. You can change a rule's priority by editing the priority order.
- On the Okta Privileged Access dashboard, go to .
- Select the Active Directory tab, and then select the AD domain you want to configure.
- Select the Account rules tab.
- Click Edit priority.
- Drag and drop a rule to reprioritize it, or click the overflow menu and select one of the available options to move the priority up or down.
- Click Save priority.