Help desk admin role

The help desk administrator can perform common help desk actions. This role has a reduced set of permissions and promotes good security practices by not granting unnecessary permissions to help desk personnel.

You cannot selectively assign permissions to the help desk administrator role. Instead, it has these fixed permissions:

  • Reset password
  • Create a temporary password for users in a Pending status using "set password and activate" button
  • Reset Multifactor Authentication
  • Unlock account
  • Clear user session
  • View user profiles in the groups to which the admin has been assigned

The help desk administrator role does not have the following permissions:

  • Create and activate users
  • Suspend and delete users
  • Assign users to apps or groups
  • Initiate Okta directory specific actions
  • View or modify users outside the assigned group(s)
  • Create API tokens

The help desk administrator can perform these actions on all users or on select groups of users. This provides granular administrative control. The help desk administrator cannot view or modify users outside of the selected group. Delegated administration allows you to spread administrative duties and, more importantly, segregate duties so that no administrator has too much control.

Note: While the help desk administrator can't create API tokens, you can create an API token for this role's privileges for any given help desk admin. For example, you may implement a Reset MFA button in an application using Okta APIs and API tokens. For more information about API tokens, see API tokens. For information about Okta APIs, see Getting started with the Okta API.