Bring Zero Trust to your Linux and Windows servers
Make sure people have access to the servers they need to do their jobs—no more, no less.
Okta PolicySync enables Advanced Server Access administrators to apply fine-grained role, attribute, and time-based access controls across dynamic hybrid and multi-cloud infrastructure environments.
How PolicySync helps
Allow users to access some—but not all—servers within a project and across multiple projects.
Apply attribute-based access controls to user groups based on labels, a key-value pair applied at the server level. And assign groups to servers across projects for more customised controls.
Ultimately, this gives you RBAC that maps to your unique org structure.
Assign groups access to servers based on projects or labels. Then easily provision users and groups to downstream servers, along with any applied sudo entitlements.
Leverage your labels
Automatically import metadata tags and labels from your existing IaaS environments, such as AWS and GCP, to align Okta controls with your infrastructure configurations. We know many organisations have already made investments in labelling servers in IaaS clouds, so we’ll help you leverage those investments.
Zero Trust made easy
Better adhere to the principles of least privilege access with less complexity. All access is centred on identity, making it easier to apply fine-grained policies that are enforced in practice.
Avoid getting bogged down with clunky, disparate admin systems that aren’t cloud-aware and break at scale. Everything in Okta is fully automated, adapting to the dynamic nature of your cloud infrastructure.
Set it and forget it
Once Okta Advanced Server Access is deployed across your infrastructure, your work is done – identities and policies automatically propagate across your server fleets, synchronised with your Identity Provider and IaaS configurations.
Manage access with PolicySync
Role-based access controls
Assign Okta groups to be authorised for collections of servers
Fully automate end-to-end lifecycle management of server users and groups
Apply command-level entitlements to groups for Linux
Attribute-based access controls
Further segment access to collections of servers by labels, i.e. “prod-compliance”
Integrate with downstream IaaS providers, like Amazon Web Services (AWS) and Google Cloud Platform (GCP), to import resource tags
Adapt to elastic, autoscaling infrastructure with native IaaS resource synchronisation
Time-based access controls
Restrict access to collections of servers for a predetermined time window assigned to specific users
Stitch together event-driven automation to tie authorisation to workflows, like ticket systems, chat apps, and more
Lean on automation to decommission limited access without having to track it yourself
What does this look like in practice?
Only members of the DevOps team can access the servers in the CI/CD cluster, and only members of the Data team can access the servers in the Database cluster. You can restrict privileged commands for the Data team, so they can only perform actions related to their job.
Additionally, you can apply group assignments to labels, which you can configure or import from AWS. For example, you may have several servers that handle payment processing and are subject to PCI-DSS guidelines. You can assign these servers fine-grained control, across all projects, based on a label name.
Okta PolicySync is available for any customers using Advanced Server Access.