Advanced Server Access: Getting Labels from AD Joined Servers
Okta Classic Engine
Okta Identity Engine
Overview

This article provides detailed instructions on setting up granular, label-based access to servers when using the AD-joined flow.

Applies To
  • Okta Advanced Server Access
  • Active Directory (AD)-Joined
  • Server Agent
Solution

There are two methods of doing this, and instructions for both are listed below.

  1. Using the server agent.
  2. Using AD join.
    1. Identify the attribute that needs to be added as a label. Attributes for an object can be viewed in Active Directory Users and Computers by selecting View > Advanced Features, then opening the properties of the machine and selecting the Attribute Editor tab. Here the location attribute will be used as an example.

[Screenshot: Attributes]

    2. Log in to the ASA UI. In the server sync job, specify the selected attribute together with the label name that will be used in ASA. Here, the location attribute is mapped to a label named test in ASA:

[Screenshot: Query]

    3. Once the job finishes, click on the server; the label will be displayed as shown in the screenshot below:

[Screenshot: Attribute shown]

    4. Now the label can be assigned to the group to give granular access to selected users only (that is, only the users who have the location attribute set as "US" in AD can access the servers). Note that the label key in the selector needs to be prefixed with "ad." and must exactly match the label key shown on the server details page (ad.test in this example).

[Screenshot: Server Selector Tags]
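As an added illustration, not code from Okta or from this article, the following Python models how a synced AD attribute becomes a server label and how a group's server selector is then matched against it. The matching semantics (every key/value pair in the selector must equal a label exactly, with synced keys carrying the ad. prefix), the attribute-to-label mapping and the sample computer objects are assumptions constructed for the example; it also generalises to several synced attributes, which the article itself does not show.

```python
"""
Model of AD attribute -> ASA server label -> server selector match.
Added example; not Okta's implementation. Assumptions (not from the article):
labels are plain key/value strings, a selector is a set of key/value pairs
that must ALL match exactly, and the sync job prefixes every label key with
"ad.".
"""

AD_LABEL_PREFIX = "ad."

# Constructed sample: computer objects as the sync job might read them from AD.
# The article's example attribute is "location"; "legacy" has none set.
SAMPLE_COMPUTERS = [
    {"name": "web-01", "location": "US", "operatingSystem": "Windows Server 2019"},
    {"name": "web-02", "location": "EU", "operatingSystem": "Windows Server 2019"},
    {"name": "db-01",  "location": "US", "operatingSystem": "Windows Server 2022"},
    {"name": "legacy", "operatingSystem": "Windows Server 2012"},
]


def sync_labels(computer, attribute_map):
    """Build the label dict for one computer.

    attribute_map maps an AD attribute name to the label name chosen in the
    server sync job (e.g. {"location": "test"}). Every synced key is prefixed
    with "ad.", which is why the selector has to use "ad.test", not "test".
    Attributes missing from the object produce no label at all.
    """
    labels = {}
    for attr, label_name in attribute_map.items():
        if attr in computer:
            labels[AD_LABEL_PREFIX + label_name] = str(computer[attr])
    return labels


def selector_matches(labels, selector):
    """True when every key/value pair in the selector is present in labels
    with an exactly equal value (no prefix-less or partial matches)."""
    return all(labels.get(key) == value for key, value in selector.items())


def servers_for_selector(computers, attribute_map, selector):
    """Names of the computers whose synced labels satisfy the selector."""
    return [
        c["name"]
        for c in computers
        if selector_matches(sync_labels(c, attribute_map), selector)
    ]


if __name__ == "__main__":
    attribute_map = {"location": "test"}
    # Correct selector: prefixed key, exact value -> ['web-01', 'db-01']
    print(servers_for_selector(SAMPLE_COMPUTERS, attribute_map, {"ad.test": "US"}))
    # Missing "ad." prefix: matches nothing -> []
    print(servers_for_selector(SAMPLE_COMPUTERS, attribute_map, {"test": "US"}))
    # Two synced attributes narrow the selection further -> ['db-01']
    wider_map = {"location": "test", "operatingSystem": "os"}
    print(servers_for_selector(SAMPLE_COMPUTERS, wider_map,
                               {"ad.test": "US", "ad.os": "Windows Server 2022"}))
```

The second call is the misconfiguration the article warns about: a selector written as test = US silently selects no servers because the synced key is ad.test. Checking a selector against the label keys shown on the server details page before assigning it to a group catches this.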