Administrators (or admins) are Okta users with permission to access the Okta administration dashboard. You can grant Admins access to all sections of the application, or limit their access to only certain apps.
Only Super Admins can view and manage other admin types, on the Security > Administrators page.
+ To complete the end-to-end scenario for setting up social authentication, you must:
• Be a Super Administrator
• Have both the App Administrator and Org Administrator roles
You can restrict the App Administrator role to OpenID Connect client apps.
App administrator role
Okta distinguishes between an application and the instances of that application. An app admin can be granted access to all instances of an app, or just specific instances of that application. This allows for more granular access control.
Super Admins can navigate to Security > Administrators to assign applications or specific instances of applications to App Admins. To distinguish between an application and its instances, Okta refers to the application as the "App" and the instances of that application are called "app instances". For example, Workday would be the App, and each instance of Workday would be referred to as an "app instance".
Note: If you assign a specific instance to an app admin and then later try to assign access to the overall App, an error message warns you of the conflicting permissions. An app admin cannot both be restricted to one specific instance and be assigned access to the entire app type.
The table below details the permissions granted to each role. Please note the following:
EA — Early Access features require enablement from Okta Support.
* Permissions apply only to groups that the Admin is allowed to manage.
** Can create new users in groups that the Group Admin manages.
^ Permissions apply only to applications the App Admin is allowed to manage. You cannot specify individually created Template apps. Instead, you must choose the entire Template class; for example, Template SAML 2.0. Also, App Admins cannot edit VPN Notifications settings for VPN-required apps.
| Permission | Super Admin | Org Admin | Group Admin | App Admin | Read-only Admin | Mobile Admin | Help Desk Admin | API Access Management Admin |
|---|---|---|---|---|---|---|---|---|
| View and run reports | Yes | Yes | No | No | Yes | Yes | No | No |
| View Okta settings (themes, logo, & contact info) | Yes | Yes | No | No | Yes | Yes | No | No |
| Manage Profile Editor | Yes | Yes | No | Yes | No | No | No | Yes (for OIDC clients) |
| Manage profile mappings | Yes | Yes | No | Yes | No | No | No | Yes (for OIDC clients) |
| Manage sensitive attributes | Yes | No | No | No | No | No | No | No |
| Edit Okta settings | Yes | Yes | No | No | No | No | No | No |
| Add, remove, and view administrators | Yes | No | No | No | No | No | No | No |
| Add, delete, and edit scope, claim, and policy on an authorization server | Yes | No | No | No | No | No | No | Yes |
| View authorization server scope, claim, and policy | Yes | Yes | No | No | Yes | No | No | Yes |
| View System Log (i.e. all system events) | Yes | Yes | No | Yes | Yes | Yes | No | Yes |
| Edit email and SMS template | Yes | Yes | No | No | No | No | No | No |
| Edit default email settings for other admins | Yes | No | No | No | No | No | No | No |
| View Device Trust enablement setting | Yes | Yes | No | No | Yes | No | No | No |
| Enable Device Trust setting | Yes | Yes | No | No | No | No | No | No |
| Close or retry tasks | Yes | No | No | No | No | No | No | No |
| Activate & deactivate users | Yes | Yes | Yes* | No | No | No | No | No |
| Password resets, MFA resets | Yes | Yes | Yes* | No | No | No | Yes* | No |
| Clear user session | Yes | Yes | Yes | No | No | No | Yes* | No |
| Choose not to receive email notifications about locked user accounts | Yes | Yes | Yes* | Yes | Yes | Yes | No | Yes |
| Add users to groups | Yes | Yes | Yes** | No | No | No | No | No |
| Add users to a group assigned admin privileges | Yes | No | No | No | No | No | No | No |
| Remove users from groups | Yes | Yes | Yes | No | No | No | No | No |
| Assign admin privileges to a group | Yes | No | No | No | No | No | No | No |
| View applications or application instances | Yes | No | No | Yes^ | Yes | Yes | No | Yes (for OIDC clients) |
| Add and configure applications | Yes | No | No | Yes^ | No | No | No | Yes (for OIDC clients) |
| Assign user access to applications | Yes | No | No | Yes^ | No | No | No | Yes (for OIDC clients) |
| Create users in pending status via app import | Yes | No | No | Yes^ | No | No | No | No |
| View and manage devices | Yes | Yes | No | No | No | Yes | No | No |
| Configure Okta mobile manager | Yes | Yes | No | No | No | Yes | No | No |
| View policies (Mobile) | Yes | Yes | No | No | Yes | Yes | No | No |
| Drag and drop policies for prioritization | Yes | Yes | No | No | No | Yes | No | No |
| Okta Mobility Management (OMM) - Wifi (EA) | | | | | | | | |
| View wifi policies | Yes | Yes | No | No | Yes | Yes | No | No |
| Drag and drop policies for prioritization | Yes | Yes | No | No | No | Yes | No | No |
| View Mobile tab on users section | Yes | Yes | No | No | Yes | Yes | No | No |
| View device details | Yes | Yes | No | No | Yes | Yes | No | No |
| Deprovision/clear PC/remote lock/reset | Yes | Yes | No | No | No | Yes | No | No |
| Deprovision/reset from Mobile tab | Yes | Yes | No | No | No | Yes | No | No |
| OMM - Applications | | | | | | | | |
| View Mobile tab on apps | Yes | No | No | Yes | Yes | Yes | No | No |
| Edit and save EAS settings | Yes | No | No | No | No | Yes | No | No |
| Edit native Mobile Access check boxes | Yes | No | No | No | No | Yes | No | No |
| View Okta Sign-On policies | Yes | Yes | No | No | Yes | Yes | No | No |
| Drag and drop policies for prioritization | Yes | Yes | No | No | No | Yes | No | No |
| Edit MFA factors | Yes | Yes | No | No | No | Yes | No | No |
| OpenID Connect End-to-End Scenario+ | | | | | | | | |
| Create and modify an OIDC App, including registering an OAuth client. Can be restricted to OIDC client apps. | | | | | | | | |
| Add a social IdP | Yes | Yes | No | No | No | No | No | No |
| Read-only access to OAuth clients through the API | Yes | Yes | No | No | No | No | No | Yes |
| Enable MFA for the Admin Dashboard | Yes | No | No | No | No | No | No | No |
| Create User Tokens | Yes | Yes | Yes | No | Yes | No | No | No |
| View User Tokens | Yes | Yes | Yes | No | Yes | No | No | No |
| Clear User Tokens | Yes | Yes | No | No | No | No | No | No |
| View User Social Tokens | Yes | Yes | Yes | Yes | No | No | No | No |