Okta Team Naming Standards for Resource Access Groups #
Okta Application vs Okta Resource Access Group Explainer #
- An "application" provides access to an end user application directly. For example Workday, M365 Outlook, or Iowa Zoho Directory. These are human-readable tiles displayed on login.iowa.gov.
- A "resource access group" in Okta provides access for a specified group of users to a specific collection of resources on a separate platform such as AWS or Azure, where a set of permissions will be applied by said platform. This document focuses solely on resource access group naming in Okta.
Resource Access Group Naming Guidelines #
- All lowercase, split with dashes, except for the Okta native indicator zzOktaGrp and the Okta team's name for the SSO app on their side, <AGENCY>_<PLATFORM>SSO_<product>.
- To properly align with other platforms, the middle 5 required nodes provide a primary key that aligns with, and aids in searching for, the platform resources they are linked to. For example, a GitHub repository that deploys code to a single account in AWS would both have the same <agency>-<platform>-<product>-<project/team>-<env>.
- The Okta team has their own method of providing the first two nodes. The same information is contained in the SSO name, just with different formatting: <AGENCY>_<PLATFORM>SSO_<product>-<project/team>-<env>.
- <env> is required for the following reasons:
  - Preserve the node count for consistency among cloud platforms.
  - Allow for future environment expansion. Even if only one environment is expected, any additions would be prepared for.
- prod is the default if it is currently the only environment. all is acceptable when the group has access to all envs.
- <agency> can be used in place of <project/team> if access is not restricted to a certain project or team.
- Abbreviate as needed. 50 characters total is the goal.
- These naming standards assume forward-looking naming only. Retroactively changing group names is not expected.
- [] denotes an optional node.
Resource Access Group Template #
zzOktaGrp-<AGENCY>_<PLATFORM>SSO_<product>-<project/team>-<env>-[<resource-id>-][<oconus>-][<data-classification>-]<platform-permission-set>
Examples:
- zzOktaGrp-HHS_AWSSSO_hipaadl-infomgt-all-consumer-dataeng
- zzOktaGrp-HHS_AWSSSO_elias-idp-test-59va-oconus-read
- zzOktaGrp-DOM_AZCSSO_ccwis-cobalt-prod-iowamac-cjis-contrib
- zzOktaGrp-IWD_GCPSSO_connect-mspan-uat-fti-developer
- zzOktaGrp-DOT_AWSSSO_idss-ssg-qa-1tqo-hipaa-poweruser
- zzOktaGrp-DIAL_AWSSSO_safher-digx-test-1tqo-cjis-admin
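A validator makes the template above enforceable rather than advisory, for example as a pre-check before a group is created or as a periodic audit over an export of existing groups. The following Python is an added example, not code from the Okta team or this standard. It parses a name into its nodes, rejects structural violations (wrong indicator, malformed SSO node, unknown platform abbreviation, uppercase nodes, fewer than the required nodes, optional nodes repeated or out of order), and reports soft warnings for the 50-character goal and an unrecognised env. The platform, env and data-classification vocabularies are lifted from the example lists on this page and are assumptions to be extended; qa is included because it appears in the examples. One further assumption: the length goal is measured after the fixed zzOktaGrp- indicator, because the page's own examples only meet the 50-character goal when counted that way.

```python
"""Parse and validate Okta resource access group names against the template:
zzOktaGrp-<AGENCY>_<PLATFORM>SSO_<product>-<project/team>-<env>-[<resource-id>-][<oconus>-][<data-classification>-]<platform-permission-set>
"""
import re
from dataclasses import dataclass
from typing import Optional

# Assumed vocabularies, taken from the standard's example lists; extend as needed.
OKTA_NATIVE_INDICATOR = "zzOktaGrp"
PLATFORMS = {"AZC", "AWS", "GCP", "OCI", "NCI", "OVM", "VMW"}
ENVIRONMENTS = {"dev", "test", "uat", "prod", "stage", "all", "qa"}  # qa appears in the page's examples
DATA_CLASSIFICATIONS = {"fti", "cjis", "hipaa", "consumer", "producer"}
OCONUS = "oconus"
LENGTH_GOAL = 50  # assumption: counted after the fixed "zzOktaGrp-" indicator

_SSO_NODE = re.compile(r"^([A-Z]+)_([A-Z]{3})SSO_([a-z0-9]+)$")  # <AGENCY>_<PLATFORM>SSO_<product>
_LOWER_NODE = re.compile(r"^[a-z0-9]+$")                        # every node after the SSO node
# Optional nodes must appear in this order, each at most once.
_OPTIONAL_ORDER = {"resource-id": 0, "oconus": 1, "data-classification": 2}


@dataclass
class ResourceAccessGroup:
    agency: str
    platform: str
    product: str
    project_team: str
    env: str
    permission_set: str
    resource_id: Optional[str] = None
    oconus: bool = False
    data_classification: Optional[str] = None

    @property
    def primary_key(self) -> str:
        """The five required nodes in the dashed, lowercase form the other platforms use."""
        return "-".join([self.agency.lower(), self.platform.lower(),
                         self.product, self.project_team, self.env])


def parse_group_name(name: str) -> ResourceAccessGroup:
    """Split a group name into its nodes; raise ValueError on the first structural rule it breaks."""
    indicator, sep, rest = name.partition("-")
    if not sep or indicator != OKTA_NATIVE_INDICATOR:
        raise ValueError(f"{name!r}: must begin with {OKTA_NATIVE_INDICATOR}-")
    nodes = rest.split("-")
    sso = _SSO_NODE.match(nodes[0])
    if not sso:
        raise ValueError(f"{nodes[0]!r}: expected <AGENCY>_<PLATFORM>SSO_<product>")
    agency, platform, product = sso.groups()
    if platform not in PLATFORMS:
        raise ValueError(f"{platform!r}: unknown platform abbreviation")
    tail = nodes[1:]
    bad = [n for n in tail if not _LOWER_NODE.match(n)]
    if bad:
        raise ValueError(f"{bad}: nodes after the SSO node must be lowercase letters/digits")
    if len(tail) < 3:
        raise ValueError(f"{name!r}: missing <project/team>-<env>-...-<platform-permission-set>")
    project_team, env, *optional, permission_set = tail

    # Classify each optional node: the literal oconus, a known classification, else a resource id.
    kinds = []
    for node in optional:
        if node == OCONUS:
            kinds.append("oconus")
        elif node in DATA_CLASSIFICATIONS:
            kinds.append("data-classification")
        else:
            kinds.append("resource-id")
    ranks = [_OPTIONAL_ORDER[k] for k in kinds]
    if ranks != sorted(ranks) or len(set(ranks)) != len(ranks):
        raise ValueError(f"{optional}: optional nodes repeated or out of template order")
    by_kind = dict(zip(kinds, optional))
    return ResourceAccessGroup(
        agency=agency, platform=platform, product=product,
        project_team=project_team, env=env, permission_set=permission_set,
        resource_id=by_kind.get("resource-id"),
        oconus="oconus" in by_kind,
        data_classification=by_kind.get("data-classification"),
    )


def is_valid(name: str) -> bool:
    """True when the name satisfies every structural rule."""
    try:
        parse_group_name(name)
        return True
    except ValueError:
        return False


def lint_group_name(name: str) -> list[str]:
    """Soft checks (goals rather than structural rules): length and a recognised env."""
    group = parse_group_name(name)
    warnings = []
    body = name[len(OKTA_NATIVE_INDICATOR) + 1:]
    if len(body) > LENGTH_GOAL:
        warnings.append(f"{len(body)} chars after the indicator exceeds the {LENGTH_GOAL}-char goal")
    if group.env not in ENVIRONMENTS:
        warnings.append(f"env {group.env!r} is not one of {sorted(ENVIRONMENTS)}")
    return warnings


if __name__ == "__main__":
    # Constructed sample input: names taken from the standard's own examples.
    for example in (
        "zzOktaGrp-HHS_AWSSSO_hipaadl-infomgt-all-consumer-dataeng",
        "zzOktaGrp-HHS_AWSSSO_elias-idp-test-59va-oconus-read",
        "zzOktaGrp-DOM_AZCSSO_ccwis-cobalt-prod-iowamac-cjis-contrib",
    ):
        group = parse_group_name(example)
        print(group.primary_key, group.permission_set, lint_group_name(example) or "ok")
```

Because resource-id is free-form, a resource id that happens to equal a classification keyword or oconus would be misclassified; keep those words out of resource ids, or tighten the resource-id rule once the set of tenant and account ids is known. The primary_key property is what you would compare against the tag or name used on the GitHub repository or cloud account side.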
okta-native-indicator #
zzOktaGrp indicates an Okta native group.
AGENCY #
Abbreviated name of agency owning the project and platform.
Examples: DOM, IWD, HHS, DIAL, DOT
PLATFORM #
Abbreviated 3-character brand name of the cloud or platform.
Examples: AZC (Azure Cloud), AWS (Amazon Web Services), GCP (Google Cloud Platform), OCI (Oracle Cloud), NCI (Nutanix), OVM (Oracle VM Infra), VMW (VMware).
product #
General product that the permissions are to be used for.
Examples: elias, avx, idss, connect, safher
project/team #
Development/implementation/infrastructure/auditing team, such as a contracting group or internal team, for further division.
Examples: idss, cobalt, edbi, accen, amazon, forest, digx, mspan
env #
Environment for a given group. Not optional: the spot is reserved both for consistency with the cloud platforms and for future environment expansion.
Examples: dev, test, uat, prod, stage, all
[resource-id] #
The exact name or id of the instance of a product/platform resource.
Examples: iowadhs and iowamac are the Microsoft Azure Cloud tenants for DHS/HHS and DOM/OCIO respectively. 59va is the root id of the IDPH AWS account. This makes it possible to pinpoint the platform instance for agencies that either share a platform with another agency or have multiple instances of a platform.
[oconus] #
CONUS and OCONUS are terms primarily used by the U.S. military and government to differentiate locations within the United States from those outside. CONUS refers to the Continental United States, encompassing the 48 contiguous states and the District of Columbia. OCONUS stands for Outside the Continental United States and includes locations like Alaska, Hawaii, U.S. territories, and foreign countries. Only oconus is used in group names.
[data-classification] #
fti, cjis, hipaa, etc., if pertinent to the group. consumer and producer are used for data projects.
platform-permission-set #
A matching set of roles/permissions within the platform that is assigned by said group. If a custom permission set or RBAC role is used, match the name in the platform and the Okta group.
Examples: dataengineer, contributor, read, admin
A CSPM tool could help here; Wiz and Prisma are examples of cloud security posture management tools. The idea is to provide guardrails that match the permission set named in the group to what is actually applied on the platform, and to apply frameworks such as HIPAA, PII, etc.
Federated vs Identity Center AWS access (WIP) #
Federated #
Awaiting further info from Giri
Identity Center AWS access #
Awaiting further info from Giri