Groups

Okta Privileged Access uses groups to explicitly assign users with associated permissions, giving them access to required resources or access control privileges. You can create groups locally and add users to them. You can also sync your users and groups from the Universal Directory, which provides easier management of people, membership, and roles.

Default groups

The following two groups are automatically created for each team:

  • Everyone includes every user that belongs to the Okta Privileged Access team.
  • Owners initially include only the user who created the Okta Privileged Access team. You can't delete this group.

    The Owners group grants the Okta Privileged Access administrator role. Only users with the PAM administrator role can create groups and add users to the groups.

After you complete the basic setup, Okta recommends that you do the following:

  • Create a group in Okta to manage users who will be assigned the PAM administrator role.
  • Assign any users currently in the Owners group in Okta Privileged Access to this new Okta group.
  • Push the new Okta group to Okta Privileged Access.
  • Assign the new Okta group the PAM administrator role.

This ensures that if any users in the Owners group are deactivated or deleted from Okta, other users in your org retain the PAM administrator role.

Prerequisites

You must be a PAM admin for your team to perform the following tasks.

Create a local group

  1. Open the Okta Privileged Access dashboard.
  2. Go to Directory > Groups.
  3. Click Create Group.
  4. On the Create Group window, enter a group name.
  5. Optional. Select any team roles to assign to the group. See Roles and permissions.
  6. Click Create Group.

Add a user to a local group

Adding a user to a group grants them access to all servers in projects where the group is added. Only service users that are created locally in Okta Privileged Access need to be added to local groups.

  1. Open the Okta Privileged Access dashboard.
  2. Go to Directory > Groups, and then select a group.
  3. Go to the Users tab.
  4. In the Username field, enter the name of an existing user.
  5. Click Add User.

Related topics

Resource administration

Security administration