Custom admin roles

Custom admin roles gives you the ability to configure granular permissions within a role. This feature offers:

  • More control over creation of roles in a self-service way. You can create custom role assignments based on your specific use case.

  • Increased org security. You can assign granular permissions to your admins and apps in a way that only gives them permissions that they need to perform a task. This reduces the need to assign the super admin and org admin roles to your users.

  • Simplified admin audits and compliance review with more visibility over granular admin permissions

An admin role assignment consists of these three components:

  1. Admin - the user, user group, or app that you need to grant admin permissions to.

  2. Role - A set of permissions that you constrain an admin to. There are two types of roles, standard and custom. You can create a maximum of 100 roles for an org. Currently, permissions are limited to managing user, group, and app activity, and running profile source imports.

  3. Resource set - A collection of resources. You can create a maximum of 10,000 resource sets and assign a maximum of 1,000 resources for each resource set. Currently, only user groups and apps in your org are considered as resources.

  • Resource sets are only available for custom admin roles.

  • You can only have 1,000 admins who have the same role and resource set combination constrained to them.

You have the flexibility to create or select any one of these components as a starting point for creating a custom admin role assignment. Before creating an admin role assignment, Okta recommend that you see Best practices for creating a custom role assignment.

For a video tutorial, see Demonstrating Delegated Administration with Okta Custom Admin Roles.

Impact on Standard roles

  • Your pre-existing roles (super admin, org admin, group admin, app admin, read-only admin, mobile admin, help desk admin, report admin, API access management admin, and group membership admin) are referred to as standard roles.

  • You can continue using the pre-existing roles and your existing assignments remain the same.

  • You can also assign custom roles to users who have standard roles assigned.


  • Group and user resources for Active Directory or LDAP groups don't include the group origin. If multiple groups have the same name, there's no way to distinguish them from one another in the UI.

  • Admins who are only assigned custom admin roles can’t manage a user with a super admin assignment.

  • You can only get the admin reports from the Admin role assignment reports page in the Admin Console. Currently, getting reports using an API isn't supported.