Administrator roles and permissions

Use these tables to compare admin permissions for Okta features, settings, and tasks.

Org-wide settings
User management
Group management
Application management
Mobile policies
Mobile devices
Hooks
Okta sign-on policies
Multifactor Authentication
API tokens
OpenID Connect end-to-end scenario
OMM applications
OMM - Wifi (EA)

Org-wide settings

Permission
Super Admin
Org Admin
Group Admin
App Admin
Read-Only Admin
Mobile Admin
Help Desk Admin
Report Admin
API Access Management Admin
Group Membership Admin
View and run reports
View Okta settings (themes, logo, contact info)
Grant access to Okta Support
Manage Profile Editor ✓*
Manage profile mappings ✓*
Manage sensitive attributes
Edit Okta settings
Add, remove, and view administrators
Add, delete, and edit authorization server scope, claim, and policies
View authorization server scope, claim, and policy
View System Log (system events)
Edit email and SMS template
Edit default email settings for other admins
View Device Trust enablement setting
Enable Device Trust setting
Close or retry tasks
Send custom notifications to users

* — Permissions apply to OIDC apps only.

User management

Permission
Super Admin
Org Admin
Group Admin
App Admin
Read-Only Admin
Mobile Admin
Help Desk Admin
Report Admin
API Access Management Admin
Group Membership Admin
View users ✓* ✓*
Activate & deactivate users ✓*
Edit profiles ✓*
Password resets, MFA resets ✓* ✓*
Create users ✓*
Delete users ✓*
Clear user session ✓*
Choose not to receive email notifications about locked user accounts ✓*
Enable Self Service Registration

* — Permissions apply only to groups that the admin is allowed to manage.

Group management

Permission
Super Admin
Org Admin
Group Admin
App Admin
Read-Only Admin
Mobile Admin
Help Desk Admin
Report Admin
API Access Management Admin
Group Membership Admin
View groups ✓* ✓*
Add users to groups ✓^
Add users to a group assigned admin privileges
Remove users from groups ✓^
Create groups
Assign admin privileges to a group
Delete groups
Edit group MFA factors

* — Permissions apply only to groups that the admin is allowed to manage.

^ — Permissions to create, add, and remove users apply only to groups that the group admin manages. Group admins can create new users in groups that they manage, remove users from groups that they manage, and move users between groups that they manage.

Application management

Permission
Super Admin
Org Admin
Group Admin
App Admin
Read-Only Admin
Mobile Admin
Help Desk Admin
Report Admin
API Access Management Admin
Group Membership Admin
View applications or application instances ✓^ ✓*
Add and configure applications ✓^ ✓*
Assign user access to applications ✓^ ✓*
Create users in pending status via app import ✓^

* — Permissions apply to OIDC apps only.

^ — Permissions apply only to applications the App Admin is allowed to manage. App Admins cannot edit VPN Notifications settings for VPN-required apps.

Mobile policies

Permission
Super Admin
Org Admin
Group Admin
App Admin
Read-Only Admin
Mobile Admin
Help Desk Admin
Report Admin
API Access Management Admin
Group Membership Admin
View and manage devices
Configure Okta mobile manager
View policies (Mobile)
Setting APNS
Add/update/delete policies
Add/update/delete rules
Drag and drop policies for prioritization

Mobile devices

Permission
Super Admin
Org Admin
Group Admin
App Admin
Read-Only Admin
Mobile Admin
Help Desk Admin
Report Admin
API Access Management Admin
Group Membership Admin
View Mobile tab on users section
View device details
Deprovision/clear PC/remote lock/reset
Deprovision/reset from Mobile tab

Hooks

Permission
Super Admin
Org Admin
Group Admin
App Admin
Read-Only Admin
Mobile Admin
Help Desk Admin
Report Admin
API Access Management Admin
Group Membership Admin
View hooks
Create and configure hooks

Okta sign-on policies

Permission
Super Admin
Org Admin
Group Admin
App Admin
Read-Only Admin
Mobile Admin
Help Desk Admin
Report Admin
API Access Management Admin
Group Membership Admin
View Okta Sign-On policies
Add/update/delete policies
Add/update/delete rules
Drag and drop policies for prioritization
Edit MFA factors in policies

Multifactor Authentication

Permission
Super Admin
Org Admin
Group Admin
App Admin
Read-Only Admin
Mobile Admin
Help Desk Admin
Report Admin
API Access Management Admin
Group Membership Admin
Configure MFA factors
Enable MFA for the Admin Dashboard
Authorize RADIUS Agent

API tokens

Permission
Super Admin
Org Admin
Group Admin
App Admin
Read-Only Admin
Mobile Admin
Help Desk Admin
Report Admin
API Access Management Admin
Group Membership Admin
Create User Tokens
View User Tokens ✓^ ✓*
Clear User Tokens ✓* ✓* ✓* ✓*
View User Social Tokens
Manage Tokens

* — Permissions apply to self only.

^ — Permissions apply to self and scoped members only.

OpenID Connect end-to-end scenario

Permission
Super Admin
Org Admin
Group Admin
App Admin
Read-Only Admin
Mobile Admin
Help Desk Admin
Report Admin
API Access Management Admin
Group Membership Admin
Create and modify an OIDC App, including registering an OAuth client. Can be restricted to OIDC client apps.
Add a social IDP
Read-only access to OAuth clients through the API

OMM applications

Permission
Super Admin
Org Admin
Group Admin
App Admin
Read-Only Admin
Mobile Admin
Help Desk Admin
Report Admin
API Access Management Admin
Group Membership Admin
View Mobile tab on apps
Edit and save EAS settings
Edit native Mobile Access check boxes

OMM - Wifi (EA)

Permission
Super Admin
Org Admin
Group Admin
App Admin
Read-Only Admin
Mobile Admin
Help Desk Admin
Report Admin
API Access Management Admin
Group Membership Admin
View wifi policies
Add/update/delete policies
Add/update/delete rules
Drag and drop policies for prioritization