Auditor (Read-Only) mode

Auditor (Read-Only) mode allows super admins to apply a read-only restriction to admin assignments.

Early Access release

Auditor (Read-Only) mode grants admins read-only access to role configurations. This provides auditors with clear system visibility while maintaining security transparency and reducing operational overhead.

Unlike standard admin roles (such as the read-only admin role), Auditor (Read-Only) mode acts as a modifier. You can apply this setting to any user or group with assigned standard or custom admin roles. See Create an admin role assignment using an admin.

How it works

When you enable Auditor (Read-Only) mode for an admin assignment, Okta applies the following behavior:

  • Restricts the admin to read-only access.
  • Blocks creation, configuration modifications, and deletion.

This restriction applies across the Admin Console and Okta API endpoints, except for certain Okta first-party apps. See Impact on Okta first-party apps.

Assignment methods

You can apply Auditor (Read-Only) mode in two ways:

Direct assignment:
Apply the setting directly to an individual admin's assignment.
Group assignment:
Apply the setting to an Okta group. All members of the group inherit the read-only restriction for their respective admin roles.

See Create an admin role assignment using an admin.

Operational rules

Review these structural rules before you enable the setting:

Prerequisite
This setting only takes effect after you assign at least one standard or custom admin role to the target user or group. If the user or group has no active admin roles, the setting remains inactive.
Scope
The setting applies to all resources and permissions defined in the admin's role. You can't apply it selectively to specific resources or permissions.

Impact on Okta first-party apps

Okta first-party apps are platform apps that are created by Okta, such as Access Requests or Okta Workflows. Most Okta apps don't support read-only auditor behavior.

Because individual first-party apps use separate app architectures and don't all support read-only behavior, Auditor (Read-Only) mode alters the standard app assignment lifecycle to prevent security gaps:

Automatic unassignment
When you enable Auditor (Read-Only) mode, Okta automatically unassigns all Okta first-party apps (except for the Admin Console) from the admin.
Manual re-assignment
A super admin can manually re-assign Okta first-party apps to the admin if an audit requires visibility.
Automatic restoration
When you disable Auditor (Read-Only) mode, Okta automatically re-assigns all applicable first-party apps based on the admin's underlying privileges. This action overrides any manual unassignments made before the state change.

Key UI indicators

When Auditor (Read-Only) mode is active, the system displays the following visual cues to prevent operational confusion:

Session banner
A persistent banner appears at the top of the Admin Console when an auditor signs in, explicitly stating they are in read-only mode.
Status labels
An auditor label appears on the Admin Roles tab on user profiles and on the Security > Administrators > Admins page.

Best practices and security recommendations

  • Ensure that you enable Auditor (Read-Only) mode from only one source, either directly on an individual or on an Okta group.
  • Avoid modifying underlying admin roles through group assignments after you enable Auditor (Read-Only) mode for a user or group.
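The operational rules (prerequisite and scope), the first-party app lifecycle (automatic unassignment, manual re-assignment, automatic restoration) and the single-source best practice above compose into a small state machine. The following Python model is an added illustration and is not Okta's code or API: the `Admin` and `Group` classes, the function names, the role names and the sample admins are constructed assumptions used only to show how the rules interact and how a reviewer could check for admins whose auditor mode comes from more than one source.

```python
"""
Local model of the Auditor (Read-Only) mode rules described on this page.
Added illustration, not Okta's own code or API: every class, function and
sample value here is a constructed assumption.
"""
from dataclasses import dataclass, field

ADMIN_CONSOLE = "Admin Console"   # the one first-party app that is never unassigned
WRITE_ACTIONS = {"create", "update", "delete"}


@dataclass
class Group:
    name: str
    auditor_mode: bool = False                        # group-level auditor setting


@dataclass
class Admin:
    login: str
    roles: set = field(default_factory=set)           # standard or custom admin roles
    groups: list = field(default_factory=list)        # Group objects the admin belongs to
    auditor_direct: bool = False                      # direct assignment of the setting
    entitled_apps: set = field(default_factory=set)   # first-party apps the roles grant
    assigned_apps: set = field(default_factory=set)   # what is actually assigned now


def auditor_sources(admin: Admin) -> set:
    """Sources that enable auditor mode for this admin ("direct" and/or group names)."""
    sources = {"direct"} if admin.auditor_direct else set()
    sources |= {g.name for g in admin.groups if g.auditor_mode}
    return sources


def auditor_mode_active(admin: Admin) -> bool:
    """Prerequisite rule: the setting stays inactive until at least one admin role exists."""
    return bool(admin.roles) and bool(auditor_sources(admin))


def action_allowed(admin: Admin, action: str) -> bool:
    """Scope rule: all writes are blocked across the whole role; reads pass through."""
    if not admin.roles:
        return False                                  # no admin role, no admin access
    if auditor_mode_active(admin):
        return action not in WRITE_ACTIONS
    return True


def enable_auditor_mode(admin: Admin) -> set:
    """Automatic unassignment: drop every first-party app except the Admin Console.
    Returns the set of apps that were removed."""
    admin.auditor_direct = True
    removed = {a for a in admin.assigned_apps if a != ADMIN_CONSOLE}
    admin.assigned_apps -= removed
    return removed


def reassign_app(admin: Admin, app: str) -> bool:
    """Manual re-assignment by a super admin when an audit needs visibility into an app."""
    if app not in admin.entitled_apps:
        return False
    admin.assigned_apps.add(app)
    return True


def disable_auditor_mode(admin: Admin) -> set:
    """Automatic restoration: re-assign everything the underlying roles entitle,
    overriding any manual unassignment made before the state change."""
    admin.auditor_direct = False
    admin.assigned_apps = set(admin.entitled_apps)
    return admin.assigned_apps


def dual_source_admins(admins: list) -> list:
    """Best-practice check: admins whose auditor mode is enabled from more than one source."""
    return sorted(a.login for a in admins if len(auditor_sources(a)) > 1)


def demo() -> dict:
    """Walk one admin through the lifecycle using constructed sample data."""
    auditors = Group("External Auditors", auditor_mode=True)
    alice = Admin("alice@example.com", roles={"READ_ONLY_ADMIN"},
                  entitled_apps={ADMIN_CONSOLE, "Okta Workflows", "Access Requests"},
                  assigned_apps={ADMIN_CONSOLE, "Okta Workflows", "Access Requests"})
    bob = Admin("bob@example.com", roles=set(), groups=[auditors])      # no role: inert
    carol = Admin("carol@example.com", roles={"ORG_ADMIN"}, groups=[auditors],
                  auditor_direct=True)                                  # two sources

    removed = enable_auditor_mode(alice)
    reassign_app(alice, "Okta Workflows")
    apps_while_auditing = set(alice.assigned_apps)
    can_read = action_allowed(alice, "read")
    can_delete = action_allowed(alice, "delete")
    restored = disable_auditor_mode(alice)
    return {
        "removed": removed,
        "apps_while_auditing": apps_while_auditing,
        "can_read": can_read,
        "can_delete": can_delete,
        "restored": restored,
        "bob_active": auditor_mode_active(bob),
        "dual_source": dual_source_admins([alice, bob, carol]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `dual_source_admins` check is the part worth carrying into a real review: it is written against this local model, but the same question (is the setting enabled both directly and through a group for the same admin?) is what the single-source best practice asks you to verify in your own tenant.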