[Makes] Okta as code
Problem to solve
We currently do not have an easy way to maintain permissions for users on Okta due to:
- Segmented permissions: Okta does not provide a comfortable way for knowing to what apps every user has access and whether that access is granted individually or via group.
- Permissions not as code: We do not have the advantages (reproducibility, versioning, traceability) of having permissions written as code.
- Poor group design: We never took the time to define a clear set of groups in which all users within the organization would fit. Groups do not have assigned apps either.
Additionally, managing app passwords (and thus their rotation) is a mess, mainly because permissions are not kept as code (point 2 above).
Intended users
All Okta users
User experience goal
- The entire Okta platform should be migrated to Terraform and administrators should only change it from there.
- The process of reviewing all access permissions should be as straightforward as possible.
- A low number of groups should be maintained.
- Individual access should be provided only under special circumstances, most accesses must be group-inherited.
- Administrators should be able to easily assign apps to new employees by just adding them to the groups they should be part of.
- Administrators should be able to know when an application's password was last rotated by looking at the source code.
Permissions and Security
- We need to design the users-groups-apps triad.
Proposal
- Let's create an Okta Terraform module within makes.
- The design should ideally be group-focused. For example:
```hcl
# Design sketch only: "group" is not a real provider resource type
resource "group" "group1" {
  apps = [
    "app1",
    "app2",
    "app3",
  ]
  users = [
    "user1",
    "user2",
    "user3",
  ]
}
```
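As an added example (not code from makes or from this proposal), here is how the group-focused sketch above could map onto the okta/okta Terraform provider: groups are declared once, apps are assigned to groups only, and users get access only through group membership. The resource and data-source names (`okta_group`, `okta_app_group_assignment`, `okta_group_memberships`, `data "okta_app"`, `data "okta_user"`) are assumed from that provider; the group names, app labels, user logins and the rotation date are constructed placeholders.

```hcl
# Added example: group-focused Okta permissions with the okta/okta provider.
# Group names, app labels, user logins and dates below are constructed placeholders.

terraform {
  required_providers {
    okta = {
      source = "okta/okta"
    }
  }
}

# A small, fixed set of groups that every employee fits into. Each group
# lists the apps it grants and the users that belong to it; this map is the
# only place an access decision is written down.
locals {
  groups = {
    engineering = {
      description = "Engineering staff"
      apps        = ["GitLab", "AWS"] # app labels as shown in the Okta admin UI
      users       = ["alice@example.com", "bob@example.com"]
    }
    finance = {
      description = "Finance staff"
      apps        = ["Accounting"]
      users       = ["carol@example.com"]
    }
  }

  # Flatten group -> app pairs so each assignment gets a stable for_each key.
  group_apps = {
    for pair in flatten([
      for g, cfg in local.groups : [
        for a in cfg.apps : { key = "${g}/${a}", group = g, app = a }
      ]
    ]) : pair.key => pair
  }
  all_apps  = toset(flatten([for cfg in local.groups : cfg.apps]))
  all_users = toset(flatten([for cfg in local.groups : cfg.users]))
}

resource "okta_group" "this" {
  for_each    = local.groups
  name        = each.key
  description = each.value.description
}

# Apps and users already exist in Okta; they are looked up, not created here.
data "okta_app" "this" {
  for_each = local.all_apps
  label    = each.value
}

data "okta_user" "this" {
  for_each = local.all_users
  search {
    name  = "profile.login"
    value = each.value
  }
}

# Apps are granted to groups, never to individual users.
resource "okta_app_group_assignment" "this" {
  for_each = local.group_apps
  app_id   = data.okta_app.this[each.value.app].id
  group_id = okta_group.this[each.value.group].id
}

# Group membership is the only path by which a user gains access, so a
# review of access is a review of this map.
resource "okta_group_memberships" "this" {
  for_each = local.groups
  group_id = okta_group.this[each.key].id
  users    = [for u in each.value.users : data.okta_user.this[u].id]
}

# Rotation tracking pattern (assumed, not from the page): the rotation date
# lives in code, the secret itself does not and is supplied at apply time.
variable "gitlab_shared_password" {
  type        = string
  sensitive   = true
  description = "Shared password for the GitLab SWA app; last rotated 2024-01-15 (constructed date)"
}
```

With this layout, reviewing who can reach an app means reading the `groups` map rather than clicking through the Okta UI, and onboarding is a one-line change to a group's `users` list. Individual (non-group) assignments are simply not expressed here, so any that appear in Okta stand out as drift in `terraform plan`. The `variable` block shows one way to satisfy the goal of seeing the last rotation date in source without committing the credential itself.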
What does success look like, and how can we measure that?
- Migrate what we have
- Design and implement groups
- Design and implement group-apps
- Design and implement group-users
- Remove old implementation
Links / references
Edited by Daniel Salazar