Components

An Okta Privileged Access deployment contains a combination of the following components:

| Component | Description |
| --- | --- |
| Clients | The Okta Privileged Access client is a command-line tool installed on a workstation. After a user installs and enrolls the client in an Okta Privileged Access project, the client provides access to server resources enrolled in the same project. |
| Groups | A group is a collection of users with some set of associated permissions. Two default groups are created for each team: everyone and owners. A group can have one or more team roles assigned to it; every member of a group inherits the assigned roles. |
| Projects | Projects exist within resource groups and are administrative boundaries that contain resources. They have a set of configuration options such as server tokens, account discovery, password settings, and SSH configuration. Currently, the supported resources within a project are servers and server accounts. |
| Policy | A security policy controls which groups (principals) are granted privileged access to resources. |
| Principal | Users and groups that are associated with a policy and are granted access to the resources it matches. Principals can be local groups created in Okta Privileged Access or groups synchronized from Okta. The policy applies to any new users added to the group. |
| Resource groups | A resource group is an administrative boundary that contains one or more projects, which the owners of the resource group can manage. See Resource groups. |
| Resources | Resources are servers and other entities that end users can access. See Security policy. |
| Servers | The Okta Privileged Access server agent controls SSH and RDP access to remote servers enrolled in an Okta Privileged Access project. A server is enrolled in only a single project. Teams can enroll servers into projects automatically through an associated cloud account, or manually with an enrollment token. |
| Service user | Service users are special accounts not tied to a real person. Teams can use a service user to automate actions using the Okta Privileged Access API or to grant access to specific operations in the Okta Privileged Access platform. |
| Teams | A team is the top-level container for your organization's Okta Privileged Access instance. Each team has a unique name and an associated Identity Provider (IdP). Only a single team can be associated with an Okta org, and the team name must be unique across all Okta Privileged Access customers. All other configuration objects in Okta Privileged Access are scoped to a specific team. |
| Users | A user is a person who belongs to a team and authenticates with that team's Identity Provider. Okta Privileged Access defines user permissions based on group memberships. Users authorize clients to be added to their client inventory so that the clients can receive credentials. |