Okta PolicySync

Flexible least privilege access controls

Bring Zero Trust to your Linux and Windows servers

Make sure people have access to the servers they need to do their jobs—no more, no less.

Okta PolicySync enables Advanced Server Access administrators to apply fine-grained role, attribute, and time-based access controls across dynamic hybrid and multi-cloud infrastructure environments.

How PolicySync helps

Flexible control

Allow users to access some—but not all—servers within a project and across multiple projects.

Apply attribute-based access controls to user groups based on labels, which are key-value pairs applied at the server level. You can also assign groups to servers across projects for more customized controls.

Ultimately, this gives you RBAC that maps to your unique org structure.

Simple setup

Assign groups access to servers based on projects or labels. Then easily provision users and groups to downstream servers, along with any applied sudo entitlements.

Leverage your labels

Automatically import metadata tags and labels from your existing IaaS environments, such as AWS and GCP, to align Okta controls with your infrastructure configurations. We know many organizations have already made investments in labeling servers in IaaS clouds, so we’ll help you leverage those investments.

Zero Trust made easy

Better adhere to the principles of least privilege access with less complexity. All access is centered on identity, making it easier to apply fine-grained policies that are enforced in practice.

Time-saving automation

Avoid getting bogged down with clunky, disparate admin systems that aren’t cloud-aware and break at scale. Everything in Okta is fully automated, adapting to the dynamic nature of your cloud infrastructure.

Set it and forget it

Once Okta Advanced Server Access is deployed across your infrastructure, your work is done – identities and policies automatically propagate across your server fleets, synchronized with your Identity Provider and IaaS configurations.

Manage access with PolicySync

Role-based access controls
  • Assign Okta groups to be authorized for collections of servers
  • Fully automate end-to-end lifecycle management of server users and groups 
  • Apply command-level entitlements to groups for Linux
Attribute-based access controls
  • Further segment access to collections of servers by labels, e.g. “prod-compliance”
  • Integrate with downstream IaaS providers, like Amazon Web Services (AWS) and Google Cloud Platform (GCP), to import resource tags
  • Adapt to elastic, autoscaling infrastructure with native IaaS resource synchronization
Time-based access controls
  • Restrict access to collections of servers for a predetermined time window assigned to specific users
  • Stitch together event-driven automation to tie authorization to workflows, like ticket systems, chat apps, and more
  • Lean on automation to decommission limited access without having to track it yourself

What does this look like in practice?

Only members of the DevOps team can access the servers in the CI/CD cluster, and only members of the Data team can access the servers in the Database cluster. You can restrict privileged commands for the Data team, so they can only perform actions related to their job. 

Additionally, you can apply group assignments to labels, which you can configure or import from AWS. For example, you may have several servers that handle payment processing and are subject to PCI-DSS guidelines. You can assign these servers fine-grained control, across all projects, based on a label name.
