Help desk administrators

Help desk administrators have a fixed set of common help desk actions. Assigning a help desk admin is a strategic security measure because it prevents you from granting unnecessary permissions to help desk personnel.

Help desk admins are useful in the following scenarios:

You have a single help desk that does not need excessive permissions to perform the role.
You have a Tier 1 IT that handles high volume account transactions such as password resets.
Your organization has branches, brands, or franchises that have separate IT teams.
You have business units that need to perform actions on just their own users.
You have outsourced service vendors that need to perform actions on just their own users.

Help desk admins have these fixed permissions:

Reset password
Create a temporary password for users in a Pending status using "set password and activate" button
Reset Multifactor Authentication
Unlock account
Clear user session
View user profiles in the groups to which the admin has been assigned

A help desk admin can perform these actions on all users or on select groups of users. For more granular administrative control, you can assign the help desk admin to a select group of users and prevent them from even viewing users outside of their group.

Help desk admins can't performing the following actions:

Create and activate users
Suspend and delete users
Assign users to apps or groups
Initiate Okta directory specific actions
View or modify users outside the assigned group(s)
Create API tokens

Note:

For a complete view of all of the permissions that are granted and excluded from this role, see Standard administrator roles and permissions.

Note:

Note

While help desk admins can't create API tokens, you can create an API token for this role's privileges for any given help desk admin. For example, you may implement a Reset MFA button in an application using Okta APIs and API tokens. For more information about API tokens, see API tokens. See Getting started with the Okta API.