The Super admin role
The Super adminThe super admin receives full access to every item in the Administrative Console and is the only role that can assign administrator roles to other user accounts. Accounts with other administrator role assignments have reduced functionalities to different permission sets. Contact Okta support to create an Okta Mastered account with Super Admin rights. role has the highest permissions of all the admins. This role can create other admins, assign or remove permissions, and perform all other adminAn abbreviation of administrator. This is the individual(s) who have access to the Okta Administrator Dashboard. They control the provisioning and deprovisioning of end users, the assigning of apps, the resetting of passwords, and the overall end user experience. Only administrators have the Administration button on the upper right side of the My Applications page. activities.
The Super admin permission is required for:
- creating other admins
- installing and configuring agents such as the AD agentA software agent is a lightweight program that runs as a service outside of Okta. It is typically installed behind a firewall and allows Okta to tunnel communication between an on-premises service and Okta's cloud service. Okta employs several agent types: Active Directory, LDAP, RADIUS, RSA, Active Directory Password Sync, and IWA. For example, users can install multiple Active Directory agents to ensure that the integration is robust and highly available across geographic locations.
- assigning roles to Okta groupsGroups allow you to organize your end users and the apps they can access. Assigning apps to large sets of end users is made easier with groups.
- downloading a CSV file containing all admin data (username, permissions, last sign-in, etc) for auditing purposes
- granting access to Okta Support
- enabling Self Service Registration
- adding users to admin groups
For more information about admin roles and privileges, see Administrators.
Admin roles allow you to control the type of access an individual user has to the range of Okta functions. You can assign more than one role to an individual admin if their job requires them to perform actions that span multiple roles.
The Help Desk, Group and Application admin roles also allow you to be very specific about which users or applications those admins are allowed to administer.
- The Help Desk admin role can be granted very granular access to only specific user groups.
- The Application admin role can be narrowed down to include access to administer only specific applications or instances of an application.
- The Group admin role can be granted granular access to specific user groups.
This type of delegated administration allows you to spread administrative duties and, more importantly, segregate duties so that no administrator has too much control.
For an at-a-glance overview of all admin assignments, navigate to Security > Administrators.
You can select which admins you want to view using the filters on the left-hand side, narrowing down which types of admins are displayed to either individuals or admin groups, or by specific admin role.
To view a list of individual admins and their privileges, click Users. Only individual users are displayed.
To view a list of all admin groups and their privileges, click Groups. Only admin groups are displayed.
Icons indicate whether a user was assigned an admin role as an individual or whether a role was assigned based on that user being a member of a group that has been assigned a specific admin role. Hovering over the privileges provides additional information about the type of access that user has been granted. For example, which user groups or applications they are allowed to administer.
To view all admins with a specific type of admin privilege, click the admin role you wish to filter for. Only users with that specific admin role are displayed.
To view a list of individual admins and their privileges, click Users. Only individual users are displayed.
You can assign admin privileges in two ways:
- Individually - Assign admin privileges to users one at a time, as needed. This works well if you only need to create a single or manageable number of admin accounts.
- Admin groups - Assign users to a group and then grant admin privileges to the entire group. This makes it easy to onboard large numbers of admins quickly. This is an Early AccessEarly Access (EA) features are opt-in features that you can try out in your org by asking Okta Support to enable them. Additionally, the Features page in the Okta Admin Console (Settings > Features) allows Super Admins to enable and disable some EA features themselves. feature.
The method for assigning admin privileges to individual users and to user groups is the same.
Onboarding large numbers of admins can be time consuming. To make the process simpler, you can take advantage of groups. By creating a group for specific admin roles, you can then assign admin privileges to everyone in that group. You can assign admin privileges to an Okta group, AD group or LDAPLightweight Directory Access Protocol (LDAP) is a lightweight client-server protocol for accessing directory services, specifically X.500-based directory services. LDAP runs over TCP/IP or other connection oriented transfer services. group.
Groups with group rules cannot be assigned an admin role. An admin is not allowed to use a group rule to assign users to Admin groups. This is to prevent delegated admins from erroneously increasing their or other user's administrative privileges.
Note: Only Super admins are able to manage groups with administrative roles. Group admins cannot manage groups that have admin privileges assigned to them. If a Group adminThe Group Administrator role stands apart from the other admin roles because it allows for increased administrative control. While this role performs mainly user-related tasks (create users, deactivate users, reset passwords, etc.), it can also be used restrict these tasks to a select group or groups of Okta users. In essence, you can “delegate” permissions to a particular admin to manage a specific group. is assigned access to a group that is later assigned an admin role, the Group admin will no longer be able to make any changes over the group or group members.
To assign admin privileges to a user or an Okta group:
- Navigate to Security > Administrators.
- Click Add Administrator or Add Administrator Group, depending on whether you are assigning privileges to an individual or a group.
- In the Grant administrator role field, begin typing the name of the user or group you want to assign admin privileges to and select the correct user or group from the search list.
- Select the administrator roles you want that user or group to have. You can assign multiple admin roles to an individual or group.
Note: Some admin roles require additional input to specify further privileges. For example, when assigning Application Admin privileges, you are prompted to select which applications or appAn abbreviation of application. Essentially, it is a web-based site used to perform any number of specific tasks, and requires authentication from end users by signing in. instances that user can administer. Similarly, Help Desk admins can be granted access to all users or restricted to specific user groups.
- Click Add Administrator to complete the assignment.
On the Security > Administrator page, select the pencil icon to edit an individual's or group's privileges. Edit the permissions and then Save.
Click the X icon to delete an admin. If you delete an admin or admin group, you are revoking all administrator privileges, but not deleting the individual user or group.
If you remove a role from a group, then all members within that group will no longer have that admin role.
However, if a user has a role that is explicitly assigned to them, rather than implicitly assigned through group membership, then that role must be revoked on an individual basis.
For example, Jane Doe is part of the Application admin group and has also been individually granted OrgThe Okta container that represents a real-world organization. admin privileges. To remove her Application admin privileges, she must be removed from the Application admin group. To remove her Org admin privileges, you must select the pencil icon and deselect the Org admin privileges.
This is an Early Access feature. To enable it, use the Early Access Feature Manager as described in Manage Early Access and Beta features .
Super admins have the ability to select which email notifications each type of admin will receive by default. This allows you to manage the amount of email traffic the different admin roles receive, based on the needs and preferences of your organization. For a list of default admin email notifications, see Configure your email notifications
- Not all email types are displayed for all admin types. For example, App Import notifications are only available to Super, Org, and App admins.
- Email types which are not applicable to the selected admin type will not be listed for the Super admin to select.
- Admins will only receive emails for groups, apps, or users that they have permission to view. For example, if an App adminAn app admin can be granted access to all instances of an app, or just specific instances of that application. This allows for more granular access control. is scoped only to certain apps and is subscribed to app-related emails they will only receive emails for the apps to which they are scoped.
- Once you enable this EA feature, the individual admins' email settings will be replaced by new default preferences pertinent to their admin type. If you disable this EA feature, the individual admin email preferences that were replaced will not be restored. However, the default email settings for that person's admin type will revert to the defaults set before this EA feature was enabled.
The Admin Email BCC option for Super users is not listed by default, you will have to select the Global Enablement from the drop-down to see that option.
Individual admins are still able to change their email settings to add or remove email notifications.
To set the default email notifications an admin type will receive:
- Navigate to Settings > Account.
- Scroll to Email Notifications and click Edit.
- From the drop-down, select the admin type that you want to receive the default email notifications.
- Select the email notifications you want these admins to receive.
- Click Save.
Super admins can generate a CSV file containing information about all admins, their assigned roles and permissions, and last sign-in.
To generate this data, navigate to Security > Administrators. Click the Request CSV button. When the report is ready you will receive an email with a link to download the report. The email is only sent to the requester but any Super admin with the link can download the report.
Note: Orgs who do not have this feature enabled will see the existing Download CSV button to download the report immediately.