Configure the Help Desk Administrator Role
The Help Desk Administrator can perform common help desk actions. This role has a reduced set of permissions and promotes good security practices by not granting unnecessary permissions to help desk personnel.
You cannot selectively assign permissions to the Help Desk Administrator role. Instead, it has these fixed permissions:
- Reset password
- Create a temporary password for users in a Pending status using the "set password and activate" button
- Reset multifactor authentication
- Unlock account
- Clear user session
- View user profiles in the groups to which the admin has been assigned
The Help Desk Administrator role does not have the following permissions:
- Create and activate users
- Suspend and delete users
- Assign users to apps or groups
- Initiate Okta directory-specific actions
- View or modify users outside the assigned group(s)
- Create API tokens
The Help Desk Administrator can perform these actions on all users or on select groups of users. This provides granular administrative control. The Help Desk Administrator cannot view or modify users outside of the selected group. Delegated administration allows you to spread administrative duties and, more importantly, segregate duties so that no administrator has too much control.
Note: While the Help Desk Administrator can't create API tokens, you can create an API token carrying this role's privileges for any given Help Desk admin. For example, you may implement a Reset MFA button in an application using Okta APIs and API tokens. For more information about API tokens, see API tokens. For information about Okta APIs, see Getting started with the Okta API.
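As an added illustration of the note above (not Okta's own code or an Okta SDK), here is a small Python backend for a Reset MFA button: it calls the User Lifecycle reset-factors endpoint with an SSWS API token minted while signed in as a group-scoped Help Desk admin, and treats Okta's refusal of a user outside that scope as an ordinary result rather than an exception. The org URL, user IDs, token value and the fake transport are constructed placeholders, and the 401/403 statuses the fake returns are assumptions, so real code should treat any non-200 response as a refusal.

```python
import io
import json
import urllib.request
from urllib.error import HTTPError

# Okta User Lifecycle endpoint a Help Desk admin is allowed to drive.
RESET_FACTORS = "/api/v1/users/{user_id}/lifecycle/reset_factors"

def _post(org_url, api_token, path, opener):
    """POST with the SSWS token; return (status, parsed body) instead of raising,
    so a refusal is an ordinary result the UI can report without the token."""
    req = urllib.request.Request(org_url.rstrip("/") + path, data=b"", method="POST")
    req.add_header("Authorization", "SSWS " + api_token)  # Okta API-token scheme
    req.add_header("Accept", "application/json")
    try:
        with opener(req) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")

def reset_mfa(org_url, api_token, user_id, opener=urllib.request.urlopen):
    """Back a 'Reset MFA' button. Returns (ok, message); ok is True only on
    HTTP 200. A user outside the token's group scope comes back as a refusal."""
    status, body = _post(org_url, api_token, RESET_FACTORS.format(user_id=user_id), opener)
    return status == 200, body.get("errorSummary", "")

# --- constructed offline stand-in for an org; not Okta's behaviour verbatim ---
class _Resp(io.BytesIO):
    status = 200  # minimal urlopen-like response: .status, .read(), context manager

class FakeScopedOrg:
    """Models a token minted by a Help Desk admin scoped to group A: only
    A's members can be acted on. Statuses are assumed (401 bad token,
    403 out of scope); production code should treat any non-200 as refusal."""
    TOKEN = "help-desk-token-placeholder"  # placeholder, not a real token
    GROUP_A = {"00u-user-in-group-a"}       # constructed user id

    def __call__(self, req):
        user_id = req.full_url.split("/users/")[1].split("/")[0]
        if req.get_header("Authorization") != "SSWS " + self.TOKEN:
            raise HTTPError(req.full_url, 401, "Unauthorized", {},
                            io.BytesIO(b'{"errorSummary": "Invalid token provided"}'))
        if user_id not in self.GROUP_A:
            raise HTTPError(req.full_url, 403, "Forbidden", {},
                            io.BytesIO(b'{"errorSummary": "User is outside the admin group scope"}'))
        return _Resp(b"{}")
```

Pass `FakeScopedOrg()` as `opener` to exercise the scope check offline; omit it to call a real org with `urllib.request.urlopen`.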
The Help Desk Administrator role may be useful in these scenarios:
- You have a single Help Desk that does not need excessive permissions to perform the role.
- You have a Tier 1 IT team that handles high-volume account transactions such as password resets.
- Your organization has branches, brands, or franchises that have separate IT teams.
- You have business units that need to perform actions on just their own users.
- You have outsourced service vendors that need to perform actions on just their own users.
Only Super admins may assign the Help Desk admin role to a user and optionally apply a group scope.
To assign the Help Desk Administrator role to a user:
- In the Admin Console, go to Security > Administrators.
- Click Add Administrator. In the resulting dialog box:
  - Type an administrator name into the Grant Administrator Role to field.
  - Select the Help Desk Administrator role.
  - Select Can administer user in specific groups (recommended).
  - Type the names of the Okta groups the admin will control. Only Okta groups appear.
An Early Access feature lets you select Active Directory (AD) or LDAP groups in addition to Okta groups, so you can assign specific AD or LDAP groups for the Help Desk admin to handle. To enable it, use the Early Access Feature Manager as described in Manage Early Access and Beta features.
If you want your Help Desk Administrator to perform operations on users that delegate authentication to AD, you’ll also have to configure the AD policy:
- In the Admin Console, go to Security > Policies.
- Select Active Directory Policy.
- Edit the Legacy Rule to indicate that the user can change passwords.
- Click Update Rule.
To perform help desk actions with the role:
- Log in to Okta with an account that has been designated a Help Desk Administrator.
- Go to Directory > People.
- Select a user account.
- To reset a user's password, click Reset Password.
- To perform any of the other actions, click More Actions.
Help Desk admins can't activate a suspended or deactivated account. But once that user becomes active and is in a Pending user action state, the Help Desk admin can create a temporary password for the end user. However, because the Help Desk admin can't send the activation email, they must provide the temporary password to the end user directly.
Groups have not fundamentally changed within Okta, but they are more useful and powerful when used with the Help Desk Administrator role. Getting the most out of delegated administration requires careful selection of Okta groups. The groups you choose should reflect your organization's structure or boundaries of control.
For example, an organization shares Okta-protected resources with two business units, A and B, each with their own users and separate IT teams who manage those users. It is important for the organization to maintain strict boundaries of control within Okta. A's IT team should only be able to view and manage A's users in Okta. Similarly, B's IT team should only be able to view and manage B's users in Okta. The organization can accomplish this by:
- Giving A and B separate Help Desk Administrators roles in Okta
- Scoping A's Help Desk Administrator role to Group A, which consists only of A's users
- Scoping B's Help Desk Administrator role to Group B, which consists only of B's users