Standard administrator roles and permissions

Use these tables to compare standard admin permissions for Okta features, settings, and tasks.

Org-wide settings

Permission
Super Admin
Org Admin
Group Admin
App Admin
Read-only admin
Mobile Admin
Help Desk Admin
Report Admin
API Access Management Admin
Group Membership Admin
View and run reports
View Okta settings (themes, logo, contact info)
Grant access to Okta Support
Manage Profile Editor ●*
Manage profile mappings ●*
Manage sensitive attributes
Edit Okta settings
Add, remove, and view administrators
Add, delete, and edit authorization server scope, claim, and policies
View authorization server scope, claim, and policy
View System Log (system events)
Edit email and SMS template
Edit default email settings for other admins
View Device Trust enablement setting
Enable Device Trust setting
Close or retry tasks
Send custom notifications to users
Apply multibrand customization

Manage (enable, disable, update) CAPTCHA enablement settings
View CAPTCHA enablement settings
Manage log streaming

* — Permissions apply only to OIDC apps.

User management

Permission
Super Admin
Org Admin
Group Admin
App Admin
Read-only admin
Mobile Admin
Help Desk Admin
Report Admin
API Access Management Admin
Group Membership Admin
View users ●* ●*
Create users ●*
Delete users ●*
Suspend users ●° ●*°
Deactivate users ●*
Activate users ●° ●*°
Change user types ●*
Sign out users ●*
Clear user sessions ●° ●*° ●*°
View logs ●° ●* ●° ●°
Edit profiles ●* ●^
Password resets, MFA resets ●* ●*
Choose not to receive email notifications about locked user accounts ●*
Reset user behavior profile ●* ●*
View user behavior profile

View user types

* — Permissions apply only to groups that the admin is allowed to manage.

^ — Permissions apply only on user import for apps that don't have profile source configured.

° — Admin can perform the action on super admins.

Group management

Permission
Super Admin
Org Admin
Group Admin
App Admin
Read-only admin
Mobile Admin
Help Desk Admin
Report Admin
API Access Management Admin
Group Membership Admin
View groups ●* ●*
Add users to groups ●^ ●*
Add users to a group with assigned admin privileges
Remove users from groups ●^ ●*
Create groups
View group rules

●°

Add/edit/delete group rules

Assign admin privileges to a group
Delete groups

Edit group MFA factors

* — Permissions apply only to groups that the admin is allowed to manage.

^ — Permissions to create, add, and remove users apply only to groups that the group admin manages. Group admins can create new users in groups that they manage, remove users from groups that they manage, and move users between groups that they manage.

° — Permissions apply only if the admin has access to all users and groups.

  • Only super admins can manage groups with administrative roles. If a group admin is assigned access to a group that is later assigned an admin role, the group admin will no longer be able to make any changes over the group or group members.

  • For orgs with group profile feature enabled, group membership admins can't modify group name and description.

Application management

Permission
Super Admin
Org Admin
Group Admin
App Admin
Read-only admin
Mobile Admin
Help Desk Admin
Report Admin
API Access Management Admin
Group Membership Admin
View applications or application instances ●^ ●*
Add and configure applications ●^ ●*
Assign user access to applications ●^ ●*
Create users in staged status through app import ●^

* — Permissions apply only to OIDC apps.

^ — Permissions apply only to applications the App Admin is allowed to manage.

Mobile policies

Permission
Super Admin
Org Admin
Group Admin
App Admin
Read-only admin
Mobile Admin
Help Desk Admin
Report Admin
API Access Management Admin
Group Membership Admin
View and manage devices
Configure Okta mobile manager
View policies (Mobile)
Setting APNS
Add/update/delete policies
Add/update/delete rules
Drag and drop policies for prioritization

Mobile devices

Permission
Super Admin
Org Admin
Group Admin
App Admin
Read-only admin
Mobile Admin
Help Desk Admin
Report Admin
API Access Management Admin
Group Membership Admin

Access Requests Admin

Access Certifications Admin
View Mobile tab on users section
View device details
Deprovision/clear PC/remote lock/reset
Deprovision/reset from Mobile tab

Hooks

Permission
Super Admin
Org Admin
Group Admin
App Admin
Read-only admin
Mobile Admin
Help Desk Admin
Report Admin
API Access Management Admin
Group Membership Admin
View hooks
Create and configure hooks

Policies

Permission
Super Admin
Org Admin
Group Admin
App Admin
Read-only admin
Mobile Admin
Help Desk Admin
Report Admin
API Access Management Admin
Group Membership Admin
View Okta Sign-On policies
Add/update/delete policies ●*
Add/update/delete rules ●*
Drag and drop policies for prioritization
Edit MFA factors in policies

* — Permissions apply only to app sign-on policies.

Org security

Permission
Super Admin
Org Admin
Group Admin
App Admin
Read-only admin
Mobile Admin
Help Desk Admin
Report Admin
API Access Management Admin
Group Membership Admin
View network zones
Manage network zones
View org behavior profile
Manage org behavior profile
View ThreatInsight configuration
Manage ThreatInsight configuration

Multifactor Authentication

Permission
Super Admin
Org Admin
Group Admin
App Admin
Read-only admin
Mobile Admin
Help Desk Admin
Report Admin
API Access Management Admin
Group Membership Admin

Configure MFA factors
Enable MFA for the Admin Dashboard
Authorize RADIUS Agent

API tokens

Permission
Super Admin
Org Admin
Group Admin
App Admin
Read-only admin
Mobile Admin
Help Desk Admin
Report Admin
API Access Management Admin
Group Membership Admin
Create user tokens ●* ●* ●* ●* ●*
View user tokens ●^ ●* ●*
Clear user tokens ●* ●* ●* ●^ ●*
View user social tokens
Manage tokens ●* ●*

* — Permissions apply only to self.

^ — Permissions apply only to self and scoped members.

OpenID Connect end-to-end scenario

Permission
Super Admin
Org Admin
Group Admin
App Admin
Read-only admin
Mobile Admin
Help Desk Admin
Report Admin
API Access Management Admin
Group Membership Admin
Create and modify an OIDC App, including registering an OAuth client.
Can be restricted to OIDC client apps.
Add a social IDP
Read-only access to OAuth clients through the API

OMM applications

Permission
Super Admin
Org Admin
Group Admin
App Admin
Read-only admin
Mobile Admin
Help Desk Admin
Report Admin
API Access Management Admin
Group Membership Admin
View Mobile tab on apps
Edit and save EAS settings
Edit native Mobile Access checkboxes

OMM - Wifi (EA)

Permission
Super Admin
Org Admin
Group Admin
App Admin
Read-only admin
Mobile Admin
Help Desk Admin
Report Admin
API Access Management Admin
Group Membership Admin
View wifi policies
Add/update/delete policies
Add/update/delete rules
Drag and drop policies for prioritization

Identity Governance

Okta Identity Governance is generally available to customers on a subscription basis. For more information, contact your Account Executive or Customer Success Manager.

Permission
Super Admin
Org Admin
Group Admin
App Admin
Read-only admin
Mobile Admin
Help Desk Admin
Report Admin
API Access Management Admin
Group Membership Admin

Access Requests Admin

Access Certifications Admin
View all campaigns
Create campaigns
Edit/launch scheduled campaigns
End active campaigns
Manage user access applications within Access Requests
Act as an administrator within Access Requests

Realms

Okta Identity Governance is required for realms. See Okta Identity Governance for more information.

Permission
Super Admin
Org Admin
Group Admin
App Admin
Read-only admin
Mobile Admin
Help Desk Admin
Report Admin
API Access Management Admin
Group Membership Admin
Create realms
View realms designation

Update realms
Delete realms
Update user realms designation (move user from one realm to another)

Mover users individually
Bulk move users between realms

Create realms assignment
Setting up a workflow with realms