The New Checkout Feature in Okta Privileged Access

This article covers the latest feature released for Okta Privileged Access: Checkout. It lets you enforce exclusive checkout on shared accounts and manage the checkout and check-in of those accounts.

Prerequisites

The feature is available in both preview and production Okta Privileged Access teams. There is nothing to "turn on".

As always, keep your infrastructure components on the latest release. In this case the client ("sft") must be at 1.81.1 or higher; the 5 Jun Release Notes called this out: https://help.okta.com/oie/en-us/content/topics/releasenotes/privileged-access/privileged-access-release-notes.htm

Enable Checkout for Servers in a Project

Checkout is enabled at the Project level, so it applies to some or all shared accounts on every server in the Project. It does not apply to individual accounts: those cannot be shared, so there is nothing to make exclusive.

The product documentation describes how to enable the feature. https://help.okta.com/oie/en-us/content/topics/privileged-access/pam-configure-checkout.htm

When accessing a Project within a Resource Group, there is a new section on the Settings tab titled Checkout Settings.

When you edit the settings, the section expands to show the options. When you enable it, you have two sets of options:

  • The scope – whether to apply checkout to all shared accounts, an include list or an exclude list
  • The checkout time – how long a shared account is checked out before automatic check in and password rotation

There is also a new tab in the Project called Checked Out Accounts, which gives administrators a view of the accounts currently checked out.

The checkout time set at the Project level can also be overridden in specific Policy Rules.

Now that the feature is enabled, let's look at how it's used from an end-user perspective.

Checkout from the Command Line

If checkout is enabled for an account a user is permitted to use through one of their access methods, the sft client indicates this on the command line when they connect, and the account is checked out to them.

If someone else then tries to use that account, the client tells them it is already checked out.

The experience is slightly different if using the OPA web UI.

Checkout from the Web UI

When a user goes to their server list in the web UI, the first thing they will notice is that the Connect button has gone from the server list page.

However if they click on the server they want to access they see more options. On the Accounts tab, they can see the status and any conditions on use of the account. There is also a View details button.

Clicking this button opens a slide-out panel with information about the account: its status (and a Checkout button if the account isn't already checked out), the maximum checkout time and, if it is checked out, how long remains.

Back on the Accounts tab there is also a more options (three vertical dots) icon with a single option – Check in. If the account is not checked out, this option is disabled. If the account is checked out, the option is enabled.

Users can use this option to check the account in. A manual check-in does not rotate the password and does not close any active session; it only releases the exclusivity so that others can check out the account. Only the automatic check-in at the end of the checkout time rotates the password.
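To make the rules above concrete, here is a small model of the checkout behaviour the article describes: Project-level scope (all shared accounts, an include list or an exclude list, never individual accounts), an exclusive checkout with a duration that a Policy Rule override can shorten, manual or forced check-in that releases the account without rotating the password, and expiry that releases it and rotates the password. This is an added illustration written for this article; it is not Okta code and not the OPA API, and the class names, the `rule_overrides` dictionary keyed by account name, and the use of a plain float clock are all assumptions made for the example.

```python
"""Toy model of exclusive checkout on shared accounts as described in the article.
Added illustration only: not Okta code and not the OPA API. Class names, the
rule_overrides shape and the float clock are assumptions made for the example."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Literal, Optional, Tuple


class AccountCheckedOut(Exception):
    """Raised when a user tries to use an account that someone else holds."""


@dataclass
class CheckoutSettings:
    """Project-level settings: scope (all / include / exclude) and default duration."""
    enabled: bool = False
    scope: Literal["all", "include", "exclude"] = "all"
    accounts: FrozenSet[str] = frozenset()   # the include or exclude list
    duration_s: int = 3600

    def applies_to(self, name: str, shared: bool) -> bool:
        # Individual accounts are never subject to checkout: nobody else can use them.
        if not self.enabled or not shared:
            return False
        if self.scope == "all":
            return True
        if self.scope == "include":
            return name in self.accounts
        return name not in self.accounts      # exclude list


@dataclass
class Account:
    name: str
    shared: bool = True
    password_version: int = 1                 # bumps on every rotation
    holder: Optional[str] = None
    expires_at: Optional[float] = None


class Project:
    def __init__(self, settings: CheckoutSettings,
                 rule_overrides: Optional[Dict[str, int]] = None) -> None:
        self.settings = settings
        # Assumed shape: Policy Rule duration overrides keyed by account name.
        self.rule_overrides = rule_overrides or {}
        self.accounts: Dict[str, Account] = {}

    def add(self, acct: Account) -> None:
        self.accounts[acct.name] = acct

    def _expire_if_due(self, acct: Account, now: float) -> None:
        # Automatic check-in at the end of the window, with password rotation.
        if acct.holder is not None and acct.expires_at is not None and now >= acct.expires_at:
            acct.holder, acct.expires_at = None, None
            acct.password_version += 1

    def checkout(self, name: str, user: str, now: float) -> Optional[float]:
        """Connect as `user`. Returns the expiry time, or None if checkout does not apply."""
        acct = self.accounts[name]
        self._expire_if_due(acct, now)
        if not self.settings.applies_to(acct.name, acct.shared):
            return None                       # ordinary, non-exclusive access
        if acct.holder is not None and acct.holder != user:
            raise AccountCheckedOut(f"{name} is checked out by {acct.holder}")
        duration = self.rule_overrides.get(name, self.settings.duration_s)
        acct.holder, acct.expires_at = user, now + duration
        return acct.expires_at

    def checkin(self, name: str, user: str, now: float, force: bool = False) -> bool:
        """Manual check-in by the holder, or forced check-in by an admin (force=True).
        No rotation and no session teardown. Returns False if nothing was checked out
        (the UI disables the Check in option in that state)."""
        acct = self.accounts[name]
        self._expire_if_due(acct, now)
        if acct.holder is None:
            return False
        if acct.holder != user and not force:
            raise PermissionError(f"{user} does not hold {name}")
        acct.holder, acct.expires_at = None, None
        return True

    def checked_out(self, now: float) -> List[Tuple[str, str, float]]:
        """Admin view: (account, holder, seconds remaining) for every live checkout."""
        rows = []
        for acct in self.accounts.values():
            self._expire_if_due(acct, now)
            if acct.holder is not None:
                rows.append((acct.name, acct.holder, acct.expires_at - now))
        return rows


if __name__ == "__main__":
    # Constructed sample: exclude "svc" from checkout, shorter window for "dbadmin".
    project = Project(CheckoutSettings(True, "exclude", frozenset({"svc"}), 600),
                      rule_overrides={"dbadmin": 300})
    for a in (Account("root"), Account("dbadmin"), Account("svc"),
              Account("alice_personal", shared=False)):
        project.add(a)
    print("root expires at", project.checkout("root", "alice", now=0.0))
    print("manual check-in rotates?", project.checkin("root", "alice", now=20.0),
          "version", project.accounts["root"].password_version)
```

The two things worth noticing are in `_expire_if_due` and `checkin`: only the timed expiry bumps `password_version`, matching the article's point that a manual or forced check-in releases the account but leaves the password alone, so whoever last used it still knows a working credential until the window would have ended.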

Finally there is the traditional Connect button to start a SSH/RDP session.

Forcing a Check In

Administrators can also view and manage checked out accounts. This is done on the Project Checked Out Accounts tab we showed earlier. If an account is Checked Out, you will see this in the Status column. There are two ways to force a check in, the first being to use the Force a checkin option under Actions.

This will present a confirmation dialog.

The second way is to click on the account name to see the details of the account. This is the same account view that has been in the product for some time, but has had additional information added to show checkout status and a new Force check-in button.

Clicking the button produces the same confirmation dialog. The Status of the checkout then changes to Checkin in progress, both in the account details view and in the Checked Out Accounts list.

Conclusion

And that's it: you can now apply exclusive checkout to shared accounts in Okta Privileged Access. You scope checkout to specific shared accounts within a Project, set a checkout duration there, and override that duration for specific servers and accounts within Policy Rules.

Users can see whether an account is enabled for checkout when they go to use it, and whether it has already been checked out. They can check it in manually, as can administrators, or they can let the checkout duration expire, at which point the account is checked in automatically and the password is rotated.

This feature enhances both the usability and auditability of shared accounts for those times when you can’t just use JIT provisioned individual accounts and permissions.