Sym and Okta combine to improve your security posture by reducing default access and requiring approval for escalations into privileged groups.


With Sym and Okta you can get the benefits of flexible just-in-time group assignments and escalations with a great GRC platform.

Okta workflow with SymOkta workflow with Sym

Okta workflow with Sym


Setting up your API User and Token

We recommend you create a dedicated Okta user with administrative access to the Groups that your integrations will manage.

To do this, use the Okta Admin Console to create a new user, and then give the user the following administrative permissions:

  • Group Membership Administrator
  • Read Only Administrator
  • Can administer specific groups only

Underneath the last bullet, select any Groups for which you'd like to provide escalated access via Sym.

Once the user is created, you will need to sign in as this user to create an API token for them. Store this API token in your corporate secrets storage mechanism so we can use it during Sym onboarding.

Permissions required for the Okta Bot User.Permissions required for the Okta Bot User.

Permissions required for the Okta Bot User.

Creating the API Token

  1. Login to your Okta admin dashboard
  2. Go to Security > API
  1. Create a token and make note of it, you'll need it later!
Save the token value somewhere, you'll need it soon!Save the token value somewhere, you'll need it soon!

Save the token value somewhere, you'll need it soon!

Sharing your API Token with Sym

You'll store your API Token in a value in AWS Secrets Manager in the same account where you provisioned your Runtime Connector. Contact us if you'd like to use an alternative secrets store.

Runtime Connectors support optional permissions using the addon input. Ensure that your Runtime Connector is provisioned with the aws/secretsmgr addon enabled.

For more information about the Secrets Manager Addon, see our docs here.

resource "aws_secretsmanager_secret" "okta" {
  name        = "/symops.com/connector/okta_api_token"
  description = "Okta API token for Sym"

  tags = {
    "SymEnv" = var.environment

That's it - now you can use your Okta accounts in your Sym workflows!

Example implementation

To add Okta to your Flow, define the following items in Terraform:

data "sym_integration" "okta" {
  type = "okta"
  name = "okta-prod"

# The AWS Access Workflow, which uses an Okta strategy to escalate users
resource "sym_flow" "this" {
  name  = "okta_access"
  label = "Okta Access"

  params = {
    strategy_id = sym_strategy.this.id

# A Strategy uses an Integration to grant people access to Targets
resource "sym_strategy" "this" {
  type           = "okta"
  name           = "okta-strategy-prod"
  integration_id = data.sym_integration.okta.id
  targets        = [sym_target.prod,]

# A Target something Sym is managing access to
resource "sym_target" "prod" {
  type  = "okta_group"
  label = "Production"
  settings = {
    group_id = "agg1945128456431"

Did this page help you?