Administrators

Administrators (or admins) are Okta users with permission to access the Okta administration dashboard. You can grant Admins access to all sections of the application, or limit their access to only certain apps.

Only Super Admins can view and manage other admin types on the Security > Administrators page.

+ To complete the end-to-end scenario for setting up social authentication, you must:

• Be a Super Administrator

• Have both the App Administrator and Org Administrator roles

You can restrict the App Administrator role to OpenID Connect client apps.


App administrator role

Okta distinguishes between an application and the instances of that application. An app admin can be granted access to all instances of an app, or just specific instances of that application. This allows for more granular access control.

Directories that you integrate with Okta are treated as apps, so app admins have administrator privileges over them. App admins can edit directory settings.

Super Admins can navigate to Security > Administrators to assign applications or specific instances of applications to App Admins. To distinguish between an application and its instances, Okta refers to the application as the "App" and the instances of that application are called "app instances". For example, Workday would be the App, and each instance of Workday would be referred to as an "app instance".

Note: A single app admin role assignment can't grant access to the entire app type and also restrict access to a specific instance. If you assign a specific instance to an app admin and then later try to assign access to the overall app, an error message warns you of the conflicting permissions. However, this combination of access may result if the app admin has one individual assignment and a different group membership assignment.
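The combination described in the note can be found by auditing individual and group-derived App Admin assignments together. The following is an added example, not Okta's own code: the data is constructed inline, and the names `USER_ROLES`, `GROUP_ROLES`, `GROUP_MEMBERS` and the `"*"` marker for app-wide scope are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample data, not real Okta output. A scope of "*" means the
# App Admin role covers every instance of the app; any other value names
# one app instance.
USER_ROLES = {   # individual App Admin assignments: user -> [(app, scope)]
    "alice": [("Workday", "Workday-EU")],
    "bob":   [("Workday", "Workday-US")],
    "carol": [("Workday", "Workday-EU")],
}
GROUP_ROLES = {  # App Admin assignments made to groups
    "hr-app-admins":  [("Workday", "*")],
    "crm-app-admins": [("Salesforce", "*")],
}
GROUP_MEMBERS = {
    "hr-app-admins":  ["alice"],
    "crm-app-admins": ["carol"],
}

def effective_scopes(user_roles, group_roles, group_members):
    """Collect every (scope, source) pair per (user, app), individual and group."""
    eff = defaultdict(list)
    for user, grants in user_roles.items():
        for app, scope in grants:
            eff[(user, app)].append((scope, "individual"))
    for group, grants in group_roles.items():
        for user in group_members.get(group, []):
            for app, scope in grants:
                eff[(user, app)].append((scope, f"group:{group}"))
    return eff

def mixed_scope_findings(user_roles, group_roles, group_members):
    """Flag admins holding both app-wide and instance-specific scope on one app."""
    findings = []
    eff = effective_scopes(user_roles, group_roles, group_members)
    for (user, app), grants in sorted(eff.items()):
        wide = sorted(src for scope, src in grants if scope == "*")
        narrow = sorted((scope, src) for scope, src in grants if scope != "*")
        if wide and narrow:
            findings.append({"admin": user, "app": app,
                             "app_wide_from": wide, "instance_grants": narrow})
    return findings

if __name__ == "__main__":
    for finding in mixed_scope_findings(USER_ROLES, GROUP_ROLES, GROUP_MEMBERS):
        print(finding)
```

Each finding names an admin whose instance-level restriction sits alongside an app-wide grant from another source, so a Super Admin can review which assignment was intended.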


The table below details the permissions granted to each role. Please note the following:

EA — Early Access features require enablement from Okta Support.

* — Permissions apply only to groups that the Admin is allowed to manage.

** — Permissions to create, add, and remove users apply only to groups that the Group Admin manages. Group Admins can create new users in groups that they manage, remove users from groups that they manage, and add users from one group to another (if they manage both groups).

^ — Permissions apply only to applications the App Admin is allowed to manage. App Admins cannot edit VPN Notifications settings for VPN-required apps.

Permission
Org. Admin
App. Admin
Read-Only Admin
Mobile Admin

Report Admin

Group Membership Admin

Org-wide Settings
View and run reports Yes Yes No No Yes Yes No Yes No No
View Okta settings (themes, logo, & contact info) Yes Yes No No Yes Yes No No No No
Grant access to Okta Support Yes No No No No No No No No No
Manage Profile Editor Yes Yes No Yes No No No No Yes (for OIDC clients) No
Manage profile mappings Yes No No Yes No No No No Yes (for OIDC clients) No
Manage sensitive attributes Yes No No No No No No No No No
Edit Okta settings Yes Yes No No No No No No No No
Add, remove, and view administrators Yes No No No No No No No No No
Add, delete, and edit scope, claim, and policy on an authorization server Yes No No No No No No No Yes No
View authorization server scope, claim, and policy Yes Yes No No Yes No No No Yes No
View System Log (i.e. all system events) Yes Yes No Yes Yes Yes No Yes Yes No
Edit email and SMS template Yes Yes No No No No No No No No
Edit default email settings for other admins Yes No No No No No No No No No
View Device Trust enablement setting Yes Yes No No Yes No No No No No
Enable Device Trust setting Yes Yes No No No No No No No No
Close or retry tasks Yes No No No No No No No No No
Send custom notifications to users Yes Yes No No No No No No No No

User Management
View users Yes Yes Yes* Yes Yes Yes Yes* No Yes Yes
Activate & deactivate users Yes Yes Yes* No No No No No No No
Edit profiles Yes Yes Yes* No No No No No No No
Password resets, MFA resets Yes Yes Yes* No No No No No No No
Create users Yes Yes Yes* No No No No No No No
Delete users Yes Yes Yes* No No No No No No No
Clear user session Yes Yes Yes No No No Yes* No No No
Choose not to receive email notifications about locked user accounts Yes Yes Yes* Yes Yes Yes No No Yes No
Enable Self Service Registration Yes No No No No No No No No No

Groups
View groups Yes Yes Yes* Yes Yes Yes Yes* No Yes Yes
Add users to groups Yes Yes Yes** No No No No No No Yes
Add users to a group assigned admin privileges Yes No No No No No No No No No
Remove users from groups Yes Yes Yes** No No No No No No Yes
Create groups Yes Yes No No No No No No No No
Assign admin privileges to a group Yes No No No No No No No No No
Delete groups Yes Yes No No No No No No No No
Edit MFA factors Yes Yes No No No Yes No No No No

Applications
View applications or application instances Yes No No Yes^ Yes Yes No No Yes (for OIDC clients) No
Add and configure applications Yes No No Yes^ No No No No Yes (for OIDC clients) No
Assign user access to applications Yes No No Yes^ No No No No Yes (for OIDC clients) No
Create users in pending status via app import Yes No No Yes^ No No No No No No

Mobile Policies
View and manage devices Yes Yes No No No Yes No No No No
Configure Okta mobile manager Yes Yes No No No Yes No No No No
View policies (Mobile) Yes Yes No No Yes Yes No No No No
Setting APNS Yes Yes No No No Yes No No No No
Add/update/delete policies Yes Yes No No No Yes No No No No
Add/Update/Delete Rules Yes Yes No No No Yes No No No No
Drag and Drop Policies for prioritization Yes Yes No No No Yes No No No No

OMM - Wifi (EA)
View wifi policies Yes Yes No No Yes Yes No No No No
Add/update/delete policies Yes Yes No No No Yes No No No No
Add/update/delete rules Yes Yes No No No Yes No No No No
Drag and drop policies for prioritization Yes Yes No No No Yes No No No No

Mobile Devices
View Mobile tab on users section Yes Yes No No Yes Yes No No No No
View device details Yes Yes No No Yes Yes No No No No
Deprovision/clear PC/remote lock/reset Yes Yes No No No Yes No No No No
Deprovision/reset from Mobile tab Yes Yes No No No Yes No No No No

Event and Inline Hooks
View hooks Yes No No No No No No No No No
Create and configure hooks Yes No No No No No No No No No

OMM - Applications
View Mobile tab on apps Yes No No Yes Yes Yes No No No No
Edit and save EAS settings Yes No No No No Yes No No No No
Edit native Mobile Access check boxes Yes No No No No Yes No No No No

Okta Sign-On
View Okta Sign-On policies Yes Yes No No Yes Yes No No No No
Add/update/delete policies Yes Yes No No No Yes No No No No
Add/update/delete rules Yes Yes No No No Yes No No No No
Drag and drop policies for prioritization Yes Yes No No No Yes No No No No
Edit MFA factors Yes Yes No No No Yes No No No No

OpenID Connect End-to-End Scenario+
Create and modify an OIDC App, including registering an OAuth client (can be restricted to OIDC client apps) Yes No No Yes No No No No Yes No
Add a social IDP Yes Yes No No No No No No No No
Read-only access to OAuth clients through the API Yes Yes No No No No No No Yes No

MFA
Enable MFA for the Admin Dashboard Yes No No No No No No No No No
Authorize RADIUS Agent Yes No No Yes Yes Yes No No No No

API Tokens
Create User Tokens Yes Yes Yes No Yes No No No No Yes
View User Tokens Yes Yes Yes (Self and scoped members only) No Yes Yes No No No Yes (Self only)
Clear User Tokens Yes Yes (Self only) Yes (Self only) No Yes (Self only) No No No No Yes (Self only)
View User Social Tokens Yes Yes Yes Yes No No No No No No
Manage Tokens Yes Yes No No Yes No No No No No
