# Okta_Policy

> A policy defining rules for authentication, password, or other features in Okta

<img noZoom src="https://mintcdn.com/specterops/tTIczgde9H07oLXf/assets/enterprise-AND-community-edition-pill-tag.svg?fit=max&auto=format&n=tTIczgde9H07oLXf&q=85&s=ad49a576589f4d2a8081df77d07fdf56" alt="Applies to BloodHound Enterprise and CE" width="482" height="45" data-path="assets/enterprise-AND-community-edition-pill-tag.svg" />

## Overview

Policies in Okta define the rules and conditions that govern authentication, authorization, and security behaviors within an organization. They control aspects such as password requirements, MFA enrollment, session management, and application access.

Policies are represented as Okta\_Policy nodes in BloodHound.

## Edges

<Note>
  The tables below list edges defined by the Okta extension only. Additional edges to or from this node may be created by other extensions.
</Note>

### Inbound Edges

| Edge Type                                                                              | Source Node Types                                                        | Traversable |
| -------------------------------------------------------------------------------------- | ------------------------------------------------------------------------ | ----------- |
| [Okta\_Contains](/opengraph/extensions/okta/edges/okta_contains)                       | [Okta\_Organization](/opengraph/extensions/okta/nodes/okta_organization) | ✅           |
| [Okta\_ResourceSetContains](/opengraph/extensions/okta/edges/okta_resourcesetcontains) | [Okta\_ResourceSet](/opengraph/extensions/okta/nodes/okta_resourceset)   | ✅           |

### Outbound Edges

| Edge Type                                                                  | Destination Node Types                                                 | Traversable |
| -------------------------------------------------------------------------- | ---------------------------------------------------------------------- | ----------- |
| [Okta\_PolicyMapping](/opengraph/extensions/okta/edges/okta_policymapping) | [Okta\_Application](/opengraph/extensions/okta/nodes/okta_application) | ❌           |

## Properties

| Name          | Source                      | Type       | Description                                                                                 |
| ------------- | --------------------------- | ---------- | ------------------------------------------------------------------------------------------- |
| `id`          | `policy.id`                 | `string`   | Unique policy identifier.                                                                   |
| `name`        | `policy.name`               | `string`   | Policy name.                                                                                |
| `displayName` | `policy.name`               | `string`   | Display-friendly policy name.                                                               |
| `oktaDomain`  | Collector context (non-API) | `string`   | Okta organization domain where the policy exists.                                           |
| `description` | `policy.description`        | `string`   | Policy description text.                                                                    |
| `type`        | `policy.type`               | `string`   | Policy type identifier (for example `OKTA_SIGN_ON`, `ACCESS_POLICY`, `PROFILE_ENROLLMENT`). |
| `priority`    | `policy.priority`           | `integer`  | Policy evaluation order priority.                                                           |
| `system`      | `policy.system`             | `bool`     | Indicates whether the policy is system-managed.                                             |
| `created`     | `policy.created`            | `datetime` | Policy creation timestamp.                                                                  |

## Sample Property Values

```yaml theme={null}
id: rstw0o8il8ktUxo3t697
name: Okta Account Management Policy
displayName: Okta Account Management Policy
oktaDomain: contoso.okta.com
description: This policy defines how users must authenticate for authenticator enrollment, password reset, or unlock account. Password policy rules control whether to enforce this policy for password reset and unlock account.
type: ACCESS_POLICY
priority: 1
system: false
created: 2025-10-02T09:21:37+00:00
```

## Policy Types

The following [policy types](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Policy/) are supported by Okta:

| Policy Type ID             | Description                                                                                                                                              |
| -------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------- |
| OKTA\_SIGN\_ON             | [Global session policies](https://help.okta.com/oie/en-us/content/topics/identity-engine/policies/about-okta-sign-on-policies.htm)                       |
| PASSWORD                   | [Password policies](https://help.okta.com/en-us/content/topics/security/policies/about-password-policies.htm)                                            |
| MFA\_ENROLL                | [Authenticator enrollment policies](https://help.okta.com/en-us/content/topics/security/policies/configure-mfa-policies.htm)                             |
| IDP\_DISCOVERY             | [Identity Provider routing rules](https://help.okta.com/en-us/content/topics/security/identity_provider_discovery.htm)                                   |
| ACCESS\_POLICY             | [App sign-in policies](https://help.okta.com/oie/en-us/content/topics/identity-engine/policies/about-app-sign-on-policies.htm)                           |
| DEVICE\_SIGNAL\_COLLECTION | [Device signal collection policies](https://help.okta.com/oie/en-us/content/topics/identity-engine/policies/create-device-signal-collection-ruleset.htm) |
| PROFILE\_ENROLLMENT        | [User profile policies](https://help.okta.com/oie/en-us/content/topics/identity-engine/policies/create-profile-enrollment-policy.htm)                    |
| POST\_AUTH\_SESSION        | [Identity Threat Protection policies](https://help.okta.com/oie/en-us/content/topics/itp/overview.htm)                                                   |
| ENTITY\_RISK               | [Entity risk policies](https://help.okta.com/oie/en-us/content/topics/itp/entity-risk-policy.htm)                                                        |

The collector specifically reads the `IDP_DISCOVERY` policies to check whether the [Agentless Desktop SSO](https://help.okta.com/en-us/content/topics/directory/configuring_agentless_sso.htm) feature is enabled in the organization, that is, whether at least one such policy enables it.
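The following is an added example, not code from the BloodHound Okta extension or its collector. It covers two things described on this page: mapping a raw Okta policy object onto the Okta_Policy property set from the Properties table (with `oktaDomain` supplied as collector context rather than read from the API), and a check of the kind the collector performs over `IDP_DISCOVERY` policies to decide whether Agentless Desktop SSO is enabled. The input is constructed inline. Two assumptions are labelled in the code: that each policy carries its routing rules under `_embedded.rules` (the shape Okta returns when policies are fetched with `expand=rules`), and that an Agentless DSSO routing rule shows up as an IdP provider of type `AgentlessDSSO` in `actions.idp.providers`; verify both against the Okta Policy API for your org before relying on them.

```python
"""Added example: Okta policy -> Okta_Policy properties, plus an Agentless DSSO check."""
from datetime import datetime, timezone

# ASSUMPTION: Agentless Desktop SSO is selected in an IdP routing rule as a
# provider of this type. Check the Okta Policy API docs for your org.
AGENTLESS_DSSO_PROVIDER_TYPE = "AgentlessDSSO"


def policy_to_node_properties(policy: dict, okta_domain: str) -> dict:
    """Return the Okta_Policy properties listed on this page for one policy.

    okta_domain is collector context (not an API field). Okta returns timestamps
    like 2025-10-02T09:21:37.000Z; they are normalised to ISO-8601 with +00:00.
    """
    created = datetime.fromisoformat(policy["created"].replace("Z", "+00:00"))
    return {
        "id": policy["id"],
        "name": policy["name"],
        "displayName": policy["name"],
        "oktaDomain": okta_domain,
        "description": policy.get("description", ""),
        "type": policy["type"],
        "priority": int(policy["priority"]),
        "system": bool(policy.get("system", False)),
        "created": created.astimezone(timezone.utc).isoformat(),
    }


def rule_enables_agentless_dsso(rule: dict) -> bool:
    """True if an ACTIVE routing rule routes sign-in to the Agentless DSSO provider."""
    providers = rule.get("actions", {}).get("idp", {}).get("providers", [])
    return rule.get("status") == "ACTIVE" and any(
        p.get("type") == AGENTLESS_DSSO_PROVIDER_TYPE for p in providers
    )


def agentless_dsso_rule_ids(policies: list) -> list:
    """IDs of ACTIVE IDP_DISCOVERY rules that enable Agentless DSSO, in order seen.

    ASSUMPTION: rules are attached under _embedded.rules (expand=rules shape).
    Rules on policies of any other type are ignored, as are INACTIVE policies.
    """
    found = []
    for policy in policies:
        if policy.get("type") != "IDP_DISCOVERY":
            continue
        if policy.get("status", "ACTIVE") != "ACTIVE":
            continue
        for rule in policy.get("_embedded", {}).get("rules", []):
            if rule_enables_agentless_dsso(rule):
                found.append(rule.get("id"))
    return found


def agentless_dsso_enabled(policies: list) -> bool:
    """The yes/no answer the collector records: at least one enabling rule exists."""
    return bool(agentless_dsso_rule_ids(policies))


# Constructed sample input. The first policy mirrors this page's sample values;
# the second is a made-up IDP_DISCOVERY policy with placeholder rule IDs.
SAMPLE_POLICIES = [
    {
        "id": "rstw0o8il8ktUxo3t697", "status": "ACTIVE", "type": "ACCESS_POLICY",
        "name": "Okta Account Management Policy", "priority": 1, "system": False,
        "description": "This policy defines how users must authenticate for "
                       "authenticator enrollment, password reset, or unlock account.",
        "created": "2025-10-02T09:21:37.000Z",
        "_embedded": {"rules": []},
    },
    {
        "id": "rst-idp-discovery-placeholder", "status": "ACTIVE", "type": "IDP_DISCOVERY",
        "name": "Idp Discovery Policy", "priority": 1, "system": True,
        "created": "2025-10-02T09:21:37.000Z",
        "_embedded": {"rules": [
            {"id": "rul-dsso-placeholder", "name": "Desktop SSO", "status": "ACTIVE",
             "priority": 1, "actions": {"idp": {"providers": [{"type": "AgentlessDSSO"}]}}},
            {"id": "rul-default-placeholder", "name": "Default Rule", "status": "ACTIVE",
             "priority": 2, "actions": {"idp": {"providers": [{"type": "OKTA"}]}}},
        ]},
    },
]

if __name__ == "__main__":
    for p in SAMPLE_POLICIES:
        print(policy_to_node_properties(p, "contoso.okta.com"))
    print("Agentless DSSO enabled:", agentless_dsso_enabled(SAMPLE_POLICIES),
          agentless_dsso_rule_ids(SAMPLE_POLICIES))
```

Note that the check is deliberately scoped to ACTIVE rules on `IDP_DISCOVERY` policies: a DSSO provider referenced from a disabled rule, or from a rule on a policy of another type, does not enable the feature and so does not count.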
