# OneLogin Access Strategy

Sym and OneLogin combine to improve your security posture by reducing default access and requiring approval for escalations into privileged roles.

**Did you configure your OneLogin Integration?**
Before continuing, make sure you followed the instructions on the main OneLogin page to set up your OneLogin API Credential Pair and Integration.
Before continuing, you will need to have:
- Connected Sym with AWS Secrets Manager
- Configured your OneLogin API Credential Pair with Sym
- Defined a OneLogin Integration resource
## Add OneLogin Access Targets

Define `sym_target` resources with `type = "onelogin_role"` for each OneLogin Role that you wish to manage access to. Each target takes the following setting:

- `role_id`: This must be set to the ID of the OneLogin Role being managed. The Role IDs can be found in the URL when viewing the Role details (Admin Console > Users > Roles > Select your Role).
### Supporting "member" and "admin" access in one Access Target

Note that this example makes use of Dynamic Target Settings to allow the requester to select whether they want "member" or "admin" privileges in the requested role. If you only want to allow requests for one of those privilege levels, set `privilege_level = "member"` or `privilege_level = "admin"` in `sym_target.settings` instead of using `field_bindings`.

```hcl
resource "sym_target" "onelogin_role_a" {
  type  = "onelogin_role"
  name  = "onelogin-role-a"
  label = "OneLogin Role A"

  settings = {
    role_id = "1234567" # Replace this with your OneLogin Role's ID
  }

  # A special attribute indicating which settings will be dynamically populated by Prompt Fields.
  # In this case, the setting is the required `privilege_level` setting. The value will be populated by a
  # `privilege_level` Prompt Field in the `sym_flow.params` attribute.
  field_bindings = ["privilege_level"]
}

resource "sym_target" "onelogin_role_b" {
  type  = "onelogin_role"
  name  = "onelogin-role-b"
  label = "OneLogin Role B"

  settings = {
    role_id = "987654" # Replace this with your OneLogin Role's ID
  }

  field_bindings = ["privilege_level"]
}
```
## Add a OneLogin Access Strategy

Define a `sym_strategy` resource with `type = "onelogin"` and include the OneLogin Integration and the OneLogin Access Targets you defined above.

```hcl
resource "sym_strategy" "onelogin" {
  type           = "onelogin"
  name           = "main-onelogin-strategy"
  integration_id = sym_integration.onelogin.id

  # This must be a list of `onelogin_role` sym_targets that users can request to be escalated to.
  # These reference the two targets defined above.
  targets = [sym_target.onelogin_role_a.id, sym_target.onelogin_role_b.id]
}
```
## Add the OneLogin Access Strategy to your Flow

In your `sym_flow` resource, reference your OneLogin `sym_strategy` as the `strategy_id` in your Flow Parameters.

```hcl
resource "sym_flow" "this" {
  name  = "onelogin"
  label = "OneLogin Role Access"

  # ... other Flow attributes not shown

  params {
    strategy_id = sym_strategy.onelogin.id

    # This privilege_level prompt_field is required and matches the field_bindings from
    # the sym_targets defined above.
    prompt_field {
      name           = "privilege_level"
      type           = "string"
      required       = true
      allowed_values = ["member", "admin"]
    }

    # ... other Flow params not shown
  }
}
```
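To make the relationship between `field_bindings`, `prompt_field` and a fixed `privilege_level` concrete, here is an added Python model of how a request's prompt values fill in a target's settings (illustration only, not Sym's own code; the resolver semantics are an assumption based on the description above, and the role IDs are the constructed placeholders from this page). It covers both the dynamic "member"/"admin" target and the fixed-level variant described earlier, and rejects values outside `allowed_values`.

```python
"""Model of Dynamic Target Settings resolution (added illustration, not Sym's code)."""
from dataclasses import dataclass, field


@dataclass
class PromptField:
    name: str
    required: bool = True
    allowed_values: list[str] = field(default_factory=list)


@dataclass
class Target:
    name: str
    settings: dict[str, str]
    field_bindings: list[str] = field(default_factory=list)


# Mirrors the prompt_field in the sym_flow.params block above.
PROMPT_FIELDS = {"privilege_level": PromptField("privilege_level", True, ["member", "admin"])}

# Mirrors sym_target.onelogin_role_a above (constructed role ID).
ROLE_A = Target("onelogin-role-a", {"role_id": "1234567"}, ["privilege_level"])
# Fixed-privilege variant the text describes: no binding, level set statically in settings.
ROLE_B_MEMBER_ONLY = Target("onelogin-role-b", {"role_id": "987654", "privilege_level": "member"})


def resolve_settings(target: Target, request: dict[str, str]) -> dict[str, str]:
    """Return the effective settings for one access request against `target`.

    Assumed semantics: a bound setting must come from a prompt field whose
    allowed_values contain the requested value; a setting fixed in
    target.settings is never overridden by request input, so a requester
    cannot turn a member-only target into an admin escalation.
    """
    effective = dict(target.settings)
    for binding in target.field_bindings:
        prompt = PROMPT_FIELDS.get(binding)
        if prompt is None:
            raise ValueError(f"{target.name}: no prompt_field named {binding!r}")
        value = request.get(binding)
        if value is None:
            if prompt.required:
                raise ValueError(f"{target.name}: {binding!r} is required")
            continue
        if prompt.allowed_values and value not in prompt.allowed_values:
            raise ValueError(f"{target.name}: {value!r} not in allowed_values")
        effective[binding] = value
    return effective
```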
## Full Example

You can find the complete code for this example in our OneLogin Access Strategy Example.