Privileged elevation

As an Okta Privileged Access security admin, you may need to decide which team members can have full admin permissions on particular servers.

When a user is given access to a server, a local account is created for the user with default user permissions. With privileged elevation, the Okta Privileged Access security admin can optionally decide to grant the user administrative access to the server.

Once privileged elevation is enabled, users can access the server through the following methods:

  • RDP access to Windows servers: The user account is added to the local administrators group, granting full local administrator permissions while logged in.
  • SSH access to Linux servers: Sudo is configured on the Linux server to grant the Okta user full sudo privileges while logged in.

Privileged elevation rules

  • Only Okta Privileged Access security admins can enable privileged elevation.
  • When a user has an active non-admin session on a server and then initiates an admin session on the same server, the non-admin session is automatically terminated. However, any active sessions that have the same permission level as the new session remain unaffected.
  • If there's only one policy that grants admin permission through privileged elevation, the user is connected to the server directly. If there are multiple policies, the user needs to select the server they want to connect to using SSH or RDP.
  • Port 4421 is required to use privileged elevation for persistent accounts.
  • Okta Privileged Access secures local accounts on servers, including vaulted and individual accounts. However, privileged elevation is only available for individual accounts that Okta Privileged Access manages for each user. Okta doesn't manage privileged elevation for vaulted accounts.

Enable privileged elevation

To enable privileged elevation, see Create or update a security policy.
