Configure agent lifecycle management hooks for Okta Privileged Access
The Okta Privileged Access lifecycle hooks exposes an event bus on your servers that receives notifications when an admin updates the local users and group configurations. Okta Privileged Access admins can customize these lifecycle hooks with scripts to fit any routine tasks that they need to perform when they make these changes. The hooks run scripts for all matching files in the configured hooks directory. You can discover which operating system objects are affected depending on the event, and see which scripts are running. See Directories and scripts and Lifecycle-related environment variables.
Configuration option
The AccountLifecycleHooksDir option in sftd.yaml specifies the directory from
which the Okta Privileged Access agent loads lifecycle hook scripts. The following default
paths apply if this option isn't set:
| Operating system | Default hooks directory |
|---|---|
| Linux and macOS |
/usr/lib/sftd/hooks
|
| Windows |
C:\Program Files\ScaleFT\hooks
|
To override the default settings, add the AccountLifecycleHooksDir option to
sftd.yaml with the path to your hooks directory:
AccountLifecycleHooksDir: /path/to/your/hooks
If sftd is installed to a non-standard location, the agent can't determine the hooks
directory automatically. Set AccountLifecycleHooksDir explicitly in
sftd.yaml before you upgrade to ensure that lifecycle hooks continue to run after the
upgrade.
Procedure
Use the following steps as a guide to perform an on-host setup.
Before you begin, make sure you have an active Okta Privileged Access session open, and that you have admin authority on your target Linux server.
Create a custom script
-
From the command line, use SSH to connect to one of your target Linux servers.
-
Switch to root by running
sudo su -
Create a directory for the hooks script with the following command:
mkdir -p /usr/lib/sftd/hooks/user-created.d -
Using a text editor, create a file named
01-copyfiles.shand copy/paste the following bash script:Note: The following is an example that demonstrates the basic functionality of agent lifecycle hooks. Modify the script as needed to fit your specific integration.
#!/bin/bash SOURCE_FILES=/opt/sourcefiles cp $SOURCE_FILES/App?/home/"${SFT_HOOK_USERNAME}" if [ $? -eq 0 ] then echo "Successfully copied source files into /home/"${SFT_HOOK_USERNAME}"" >> /tmp/sourcefiles.out else echo "Error Copying source files into /home/"${SFT_HOOK_USERNAME}"" >> /tmp/sourcefiles.out -
Grant the script execute access:
chmod 755 01-copyfiles.sh -
Run the
ls -lcommand and confirm that permissions have been correctly set. The output should resemble the following:-rwxr-xr-x 1 root root 316 Jun 30 14:54 01-copyfiles.sh
Create source files
-
Create a directory for the source files by running the following commands:
cd /opt mkdir sourcefiles -
Next, create the source files with the following commands:
cd sourcefiles touch App1 App2 App3 -
Run the
lscommand and confirm that the filesApp1,App2, andApp3have been created.
Create a Okta user and assign them to an authorized group
- As an Okta administrator, go to the Admin Dashboard of the Okta tenant that manages your Okta Privileged Access application.
- Go to Applications and click Okta Okta Privileged Access .
- Click Assignments and then Groups. Remember the name of the group that has been assigned the application.
- In the Okta Admin Console, select Directory , People and then Add Person.
- Create a user with a memorable name.
- In the Okta Admin Console, go to Directory, and then click Groups. From here, select the group that was assigned to Okta Privileged Access in step 3.
Validate user provisioning on your Linux server
-
From the Linux command prompt, enter the following commands:
cd /home ls -l -
Verify that the home directory for your new user has been created.
-
Switch to the new user's home directory by running
cd <username>.You can verify that the files
App1,App2, andApp3exist in the user's home directory with thelscommand.
This is how you can use Okta Privileged Access agent lifecycle hooks to integrate any host-local automation, system, or external user directory with your users and groups in Okta.
Related information
Directories and scripts
The following directories and scripts are invoked depending on the user event that occurred. Paths shown use the default Linux and macOS base directory. If AccountLifecycleHooksDir is set in sftd.yaml, the base directory differs accordingly. The event type is captured in the SFT_HOOK_EVENT variable. See Lifecycle-related environment variables.
-
user-createdWhen a user is created, scripts in
/usr/lib/sftd/hooks/user-created.d/*.share executed. -
user-updatedWhen a user is updated, scripts in
/usr/lib/sftd/hooks/user-updated.d/*.share executed. -
user-deletedWhen a user is deleted, scripts in
/usr/lib/sftd/hooks/user-deleted.d/*.share executed.
Lifecycle-related environment variables
| Hook | Environment variable | Contents |
|---|---|---|
| user-created | SFT_HOOK_EVENT | user-created |
| user-created | SFT_HOOK_USERNAME | alice.smith |
| user-updated | SFT_HOOK_EVENT | user-updated |
| user-updated | SFT_HOOK_USERNAME | alice.smith |
| user-deleted | SFT_HOOK_EVENT | user-deleted |
| user-deleted | SFT_HOOK_USERNAME | alice.smith |