Allow Access to Repository

Notice

Prerequisites

SSO and SCIM have been configured in Okta
Repository and repository users have been registered to ALTR
Sidecar has been deployed and registered to ALTR
The sidecar has been bound to the relevant repositories

Impersonation policies enable data consumers to access repositories using single sign-on (SSO), without needing to know the underlying database credentials. ALTR administrators can define impersonation policies at the SSO user or SSO group level and specify which repository user(s) can be accessed.

This approach enables secure access for databases that don’t support native SSO or SCIM, while eliminating the need to create, manage and rotate separate database credentials for each data consumer.

Benefits:

Simplified user management: Manage human users in Okta instead of the database.
Secure database accounts: Users can access databases without exposing underlying database credentials.
Flexible access controls: Define policies based on Okta users or groups—membership changes in Okta automatically apply in ALTR.
Reduced administrative overhead: Teams only manage a few database credentials while maintaining granular access control via ALTR.

Create Impersonation Policy

To create an impersonation policy:

Log into ALTR via Okta.
Click Policy in the Navigation menu.
Click Create Policy.
Locate the Impersonation Policy card.
Click Create Policy.
Enter a Display Name. This is a user-friendly name to identify the policy.
Select a Data Source. This is the repository name as it appears in Oracle.
Click Next.
Define the rule statement by selecting the following options:
1. a user or group and entering the Name. This is either an individual user or a group, such as Marketing team, as configured in Okta.
2. a Repository User that the IdP user/group will impersonate.
(Optional) Click IdP User/Group to add additional user/groups to the rule statement.
Click Save.

Edit Impersonation Policy

Delete Impersonation Policy

In this section: