OneLogin Access Strategy

Sym and OneLogin combine to improve your security posture by reducing default access and requiring approval for escalations into privileged roles.

Did you configure your OneLogin Integration?

Before continuing, make sure you followed the instructions on the main OneLogin page to set up your OneLogin API Credential Pair and Integration.

Before continuing, you will need to have:

  • Connected Sym with AWS Secrets Manager
  • Configured your OneLogin API Credential Pair with Sym
  • Defined a OneLogin Integration resource

Add OneLogin Access Targets

Define sym_target resources with type = "onelogin_role" for each OneLogin Role whose access you want to manage. Each target takes one required setting:

  • role_id: This must be set to the ID of the OneLogin Role being managed. The Role IDs can be found in the URL when viewing the Role details (Admin Console > Users > Roles > Select your Role).

Supporting "member" and "admin" access in one Access Target

Note that this example makes use of Dynamic Target Settings to allow the requester to select whether they want "member" or "admin" privileges in the requested role. If you only want to allow requests for one of those privilege levels, instead of field_bindings, set privilege_level = "member" or privilege_level = "admin" in sym_target.settings.

resource "sym_target" "onelogin_role_a" {
  type = "onelogin_role"

  name  = "onelogin-role-a"
  label = "OneLogin Role A"

  settings = {
    role_id = "1234567"  # Replace this with your OneLogin Role's ID
  }

  # A special attribute indicating which settings will be dynamically populated by Prompt Fields.
  # In this case, the setting is the required `privilege_level` setting. The value will be populated by a
  # `privilege_level` Prompt Field in the `sym_flow.params` attribute.
  field_bindings = ["privilege_level"]
}
resource "sym_target" "onelogin_role_b" {
  type = "onelogin_role"

  name  = "onelogin-role-b"
  label = "OneLogin Role B"

  settings = {
    role_id = "987654"  # Replace this with your OneLogin Role's ID
  }

  field_bindings = ["privilege_level"]
}
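As an added example (not from the Sym docs or the linked example repository), this is the fixed-privilege variant the note above describes: the target grants only "member" access, so it carries no field_bindings and the requester is never offered "admin" for this role. The resource name, label and role ID are placeholders.

```hcl
# Added example: a OneLogin target pinned to "member" privileges only.
# privilege_level is fixed in settings rather than bound to a Prompt Field,
# so field_bindings is omitted and "admin" cannot be requested on this role.
resource "sym_target" "onelogin_role_c_member_only" {
  type = "onelogin_role"

  name  = "onelogin-role-c-member"
  label = "OneLogin Role C (member only)"

  settings = {
    role_id         = "5555555"  # placeholder: replace with your OneLogin Role's ID
    privilege_level = "member"   # fixed for every request against this target
  }
}
```

Add sym_target.onelogin_role_c_member_only.id to the targets list of your sym_strategy alongside the dynamic targets; only the targets that list privilege_level in field_bindings take their value from the Flow's prompt field.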

Add a OneLogin Access Strategy

Define a sym_strategy resource with type = "onelogin" and include the OneLogin Integration and OneLogin Access Targets you defined above.

resource "sym_strategy" "onelogin" {
  type           = "onelogin"
  name           = "main-onelogin-strategy"
  integration_id = sym_integration.onelogin.id

  # This must be a list of `onelogin_role` sym_targets that users can request to be escalated to.
  # Reference the Access Targets defined above; a target that is not listed here cannot be requested.
  targets = [
    sym_target.onelogin_role_a.id,
    sym_target.onelogin_role_b.id,
  ]
}

Add the OneLogin Access Strategy to your Flow

In your sym_flow resource, reference your OneLogin sym_strategy as the strategy_id in your Flow Parameters.

resource "sym_flow" "this" {
  name  = "onelogin"
  label = "OneLogin Role Access"

  # ... other Flow attributes not shown

  params {
    strategy_id = sym_strategy.onelogin.id

    # This privilege_level prompt_field is required and matches the field_bindings from
    # the sym_targets defined above.
    prompt_field {
      name           = "privilege_level"
      type           = "string"
      required       = true
      allowed_values = ["member", "admin"]
    }
    # ... other Flow params not shown
  }
}

Full Example

You can find the complete code for this example in our OneLogin Access Strategy Example.