Security policy
A security policy controls which principals are granted privileged access to one or more resources. As a security admin, you create a policy, assign principals to the policy, and add one or more rules.
When creating a rule, you can establish specific conditions that users must meet to access a resource that's safeguarded by Okta Privileged Access. These rules can be customized for different resources by stacking or adding them until they cover all the privileged access needed for the set of principals. By doing this, you can set different controls over different resources to ensure that only authorized users can access them.
You can assign security administration to groups assigned as delegated security admins. The delegated security admins can then create policies that apply to resource groups for which they're the security owners. Security policies written by delegated security admins only apply to the resource group they selected when creating the policy. See Add a delegated security admin.
Prerequisites
- Ensure that you're signed in to Okta Privileged Access.
- You must have the Okta Privileged Access security admin role or a delegated security admin role.
- Review Security policy concepts.
- Learn how multiple authentication and authorization conditions affect user access. See Rule conditions.
Create or update a security policy
To create a policy, you need to add a policy name, assign principals, and create rules that apply to the principals. After a policy is created, it must be published. A policy doesn't have any effect until it's published.
- Go to .
- Click Create Policy.
- Enter a policy name and description.
- Configure the resource group information:
  All resource groups: Select this option to apply the policy to all resource groups. Delegated security admins can't select this option.
  Specify a resource group: Select this option to apply the policy to a specific resource group.
  Maximum checkout time: Optional. This time limit applies to any resource in this policy that has checkout enabled. To set it:
    - Toggle Override the project-level maximum checkout time.
    - Set the Amount and Duration.
- Click .
- Select one or more groups that you want to add or modify, and then click Save.
- Add a rule to define the scope of resources and how privileged access to those resources is granted. You can configure two kinds of rule: Server rule and Secret rule.
- To add a server rule, select the Server rule option and configure the following settings:
  Rule name: Enter a rule name.
  Choose a session type: Use the dropdown menu to choose a session type.
  Select the resources that you want to protect with this rule: You can select resources by label or by name. Based on your selection, you need to perform other configurations.
    Select resources by label
    - Turn on the Select resources by label toggle.
    - In the Add resources field, search for and select a resource label. You can select multiple resource labels. See Security policy concepts to learn more about labels.
    Select resources by name
    - Turn on the Select resources by name toggle.
    - Select one or more accounts individually.
  Access method: Select one or both of the following options for how principals access the resources: Access resources by individual account, Access resources by vaulted account. Based on your selection, configure the following:
    Access resources by individual account
    This option allows principals to sign in to resources with an individual account that Okta creates and manages automatically. Select one of the following options:
    - User-level permissions
    - Admin-level permissions
    - User-level with sudo commands
    If you select User-level with sudo commands, complete the following extra steps:
    - In the Sudo commands field, enter a command name and press Enter to select it. You can add a maximum of 10 sudo command bundles per rule.
    - In the End-user Display Name field, enter a nickname for the collection of sudo command bundles. The nickname is limited to 64 characters and can only contain the following characters: 0-9, A-Z, a-z, -, _, and space.
    Access resources by vaulted account
    Type the account name in the Select vaulted accounts field and press Enter to select the account. You can add one or more accounts.
  Enable session recording: Optional. Okta resource admins must enroll and install a gateway before session recording can be enabled.
    - Select Enable traffic forwarding through gateways.
    - Select Record session through gateways.
  Configure approval requests: Optional. Create a Request Type in Access Requests first so that the access request workflow is visible in the security policy. See Okta Privileged Access with Access Requests.
    - Select a workflow from the dropdown menu.
    - Choose how long you want the approval to last.
    - Optional. Select the setting to rotate the password after the approval duration ends.
    For Okta to take control of managing local account passwords on Windows servers, users must disable any password age restrictions that might prevent Okta from changing or rotating the password.
  Enable MFA: Optional. Enable MFA to add a granular level of authentication and control within a policy.
    - Turn on the Enable MFA toggle.
    - Select one of the following options: Any two-factor types or Phishing resistant.
    - Select one of the following re-authentication frequencies:
      - Every SSH or RDP connection attempt: MFA is enforced for each attempt to access the resource.
      - After the specified duration: By default, the duration is set to 30 minutes. You can specify a duration ranging from 5 minutes to 12 hours.
    After the policy is implemented, a user who tries to connect to a resource must complete the required MFA steps.
- To add a secret rule, select the Secret rule option and configure the following settings:
  Rule name: Enter a rule name.
  Select the secret folder or secret you want to protect with this rule: Click Select secret folder or secret, select a secret folder or a secret, and then click Save.
  Select Permissions: Select the permissions. You must select at least one permission. See Secret permissions for details.
  Approval requests: Create a Request Type in Access Requests first so that the access request workflow is visible in the security policy. See Okta Privileged Access with Access Requests. Select the approval Request Type, and then choose how long you want the approval to last.
- Click Save policy. You can now publish this policy.
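The policy structure and limits described in the procedure above, modelled in an added Python example that is not Okta's code or API (the class and function names are hypothetical): it checks the per-rule limits the page states (10 sudo command bundles, the 64-character display name and its allowed characters, the 5-minute-to-12-hour re-authentication window) and shows how the publish requirement, principal assignment and MFA re-authentication frequency combine into a single access decision.

```python
import re
from dataclasses import dataclass, field

# Limits stated on the page, encoded as constants (hypothetical model, not Okta's schema).
MAX_SUDO_BUNDLES = 10                     # sudo command bundles per rule
NICKNAME_RE = re.compile(r"^[0-9A-Za-z _-]{1,64}$")  # 64 chars from 0-9, A-Z, a-z, -, _, space
MIN_REAUTH_MIN, MAX_REAUTH_MIN = 5, 12 * 60  # re-authentication window: 5 minutes to 12 hours

@dataclass
class ServerRule:
    name: str
    sudo_bundles: list = field(default_factory=list)
    sudo_display_name: str = ""            # End-user Display Name for the bundles
    mfa_enabled: bool = False
    reauth_every_connection: bool = False  # "Every SSH or RDP connection attempt"
    reauth_after_minutes: int = 30         # "After the specified duration"; page default

@dataclass
class Policy:
    name: str
    principals: set
    rules: list
    published: bool = False                # a policy has no effect until published

def validate_rule(rule):
    """Return the documented limits this rule violates (empty list if it is valid)."""
    errors = []
    if len(rule.sudo_bundles) > MAX_SUDO_BUNDLES:
        errors.append("more than 10 sudo command bundles")
    if rule.sudo_bundles and not NICKNAME_RE.match(rule.sudo_display_name):
        errors.append("display name longer than 64 chars or outside 0-9 A-Z a-z - _ space")
    if rule.mfa_enabled and not rule.reauth_every_connection:
        if not MIN_REAUTH_MIN <= rule.reauth_after_minutes <= MAX_REAUTH_MIN:
            errors.append("re-authentication duration outside 5 minutes to 12 hours")
    return errors

def mfa_required(rule, minutes_since_last_mfa):
    """Whether a new connection attempt must complete MFA (None = never completed)."""
    if not rule.mfa_enabled:
        return False
    if rule.reauth_every_connection or minutes_since_last_mfa is None:
        return True
    return minutes_since_last_mfa >= rule.reauth_after_minutes

def access_decision(policy, rule, principal, minutes_since_last_mfa):
    """Combine publication, principal assignment and MFA frequency: deny, allow or mfa."""
    if not policy.published or principal not in policy.principals:
        return "deny"
    return "mfa" if mfa_required(rule, minutes_since_last_mfa) else "allow"
```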
Publish a policy
After a policy is created, it must be published.
When a published policy is changed, the changes are applied immediately without the need to publish the policy again.
- Go to
- On the policy you want to publish, click Actions.
- Click Publish to grant access to the policy.
Clone a policy
Security admins can clone an existing policy instead of creating an entirely new policy from scratch.
- Go to
- On the policy you want to clone, click Actions.
- Select Clone.
- Click Save Policy.