Administrator comparison tables

Use these tables to compare admin permissions for Okta features, settings, and tasks.

Org-wide settings Okta sign-on policies
User management Multifactor Authentication
Group management API tokens
Application management OpenID Connect end-to-end scenario
Mobile policies OMM applications
Mobile devices OMM - Wifi (EA)
Hooks  

Org-wide settings

Permission
Super Admin
Org Admin
Group Admin
App Admin
Read-Only Admin
Mobile Admin
Help Desk Admin
Report Admin
API Access Management Admin
Group Membership Admin
View and run reports Yes Yes No No Yes Yes No Yes No No
View Okta settings (themes, logo, contact info) Yes Yes No No Yes Yes No No No No
Grant access to Okta Support Yes No No No No No No No No No
Manage Profile Editor Yes Yes No Yes No No No No Yes* No
Manage profile mappings Yes No No Yes No No No No Yes* No
Manage sensitive attributes Yes No No No No No No No No No
Edit Okta settings Yes Yes No No No No No No No No
Add, remove, and view administrators Yes No No No No No No No No No
Add, delete, and edit authorization server scope, claim, and policies Yes No No No No No No No Yes No
View authorization server scope, claim, and policy Yes Yes No No Yes No No No Yes No
View System Log (system events) Yes Yes No Yes Yes Yes No Yes Yes No
Edit email and SMS template Yes Yes No No No No No No No No
Edit default email settings for other admins Yes No No No No No No No No No
View Device Trust enablement setting Yes Yes No No Yes No No No No No
Enable Device Trust setting Yes Yes No No No No No No No No
Close or retry tasks Yes No No No No No No No No No
Send custom notifications to users Yes Yes No No No No No No No No

* — Permissions apply only to OIDC apps only.

User management

Permission
Super Admin
Org Admin
Group Admin
App Admin
Read-Only Admin
Mobile Admin
Help Desk Admin
Report Admin
API Access Management Admin
Group Membership Admin
View users Yes Yes Yes* Yes Yes Yes Yes* No Yes Yes
Activate & deactivate users Yes Yes Yes* No No No No No No No
Edit profiles Yes Yes Yes* No No No No No No No
Password resets, MFA resets Yes Yes Yes* No No No Yes* No No No
Create users Yes Yes Yes* No No No No No No No
Delete users Yes Yes Yes* No No No No No No No
Clear user session Yes Yes Yes No No No Yes* No No No
Choose not to receive email notifications about locked user accounts Yes Yes Yes* Yes Yes Yes No No Yes No
Enable Self Service Registration Yes No No No No No No No No No

* — Permissions apply only to groups that the admin is allowed to manage.

Group management

Permission
Super Admin
Org Admin
Group Admin
App Admin
Read-Only Admin
Mobile Admin
Help Desk Admin
Report Admin
API Access Management Admin
Group Membership Admin
View groups Yes Yes Yes* Yes Yes Yes Yes* No Yes Yes
Add users to groups Yes Yes Yes^ No No No No No No Yes
Add users to a group assigned admin privileges Yes No No No No No No No No No
Remove users from groups Yes Yes Yes^ No No No No No No Yes
Create groups Yes Yes No No No No No No No No
Assign admin privileges to a group Yes No No No No No No No No No
Delete groups Yes Yes No No No No No No No No
Edit group MFA factors Yes Yes No No No Yes No No No No

* — Permissions apply only to groups that the admin is allowed to manage.

^ — Permissions to create, add, and remove users apply only to groups that the group admin manages. Group admins can create new users in groups that they manage, remove users from groups that they manage, and move users between groups that they manage.

Application management

Permission
Super Admin
Org Admin
Group Admin
App Admin
Read-Only Admin
Mobile Admin
Help Desk Admin
Report Admin
API Access Management Admin
Group Membership Admin
View applications or application instances Yes No No Yes^ Yes Yes No No Yes* No
Add and configure applications Yes No No Yes^ No No No No Yes* No
Assign user access to applications Yes No No Yes^ No No No No Yes* No
Create users in pending status via app import Yes No No Yes^ No No No No No No

* — Permissions apply only to OIDC apps only.

^ — Permissions apply only to applications the App Admin is allowed to manage. App Admins cannot edit VPN Notifications settings for VPN-required apps.

Mobile policies

Permission
Super Admin
Org Admin
Group Admin
App Admin
Read-Only Admin
Mobile Admin
Help Desk Admin
Report Admin
API Access Management Admin
Group Membership Admin
View and manage devices Yes Yes No No No Yes No No No No
Configure Okta mobile manager Yes Yes No No No Yes No No No No
View policies (Mobile) Yes Yes No No Yes Yes No No No No
Setting APNS Yes Yes No No No Yes No No No No
Add/update/delete policies Yes Yes No No No Yes No No No No
Add/Update/Delete Rules Yes Yes No No No Yes No No No No
Drag and Drop Policies for prioritization Yes Yes No No No Yes No No No No

Mobile devices

Permission
Super Admin
Org Admin
Group Admin
App Admin
Read-Only Admin
Mobile Admin
Help Desk Admin
Report Admin
API Access Management Admin
Group Membership Admin
View Mobile tab on users section Yes Yes No No Yes Yes No No No No
View device details Yes Yes No No Yes Yes No No No No
Deprovision/clear PC/remote lock/reset Yes Yes No No No Yes No No No No
Deprovision/reset from Mobile tab Yes Yes No No No Yes No No No No

Hooks

Permission
Super Admin
Org Admin
Group Admin
App Admin
Read-Only Admin
Mobile Admin
Help Desk Admin
Report Admin
API Access Management Admin
Group Membership Admin
View hooks Yes No No No No No No No No No
Create and configure hooks Yes No No No No No No No No No

Okta sign-on policies

Permission
Super Admin
Org Admin
Group Admin
App Admin
Read-Only Admin
Mobile Admin
Help Desk Admin
Report Admin
API Access Management Admin
Group Membership Admin
View Okta Sign-On policies Yes Yes No No Yes Yes No No No No
Add/update/delete policies Yes Yes No No No Yes No No No No
Add/update/delete rules Yes Yes No No No Yes No No No No
Drag and drop policies for prioritization Yes Yes No No No Yes No No No No
Edit MFA factors in policies Yes Yes No No No Yes No No No No

Multifactor Authentication

Permission
Super Admin
Org Admin
Group Admin
App Admin
Read-Only Admin
Mobile Admin
Help Desk Admin
Report Admin
API Access Management Admin
Group Membership Admin

Configure MFA factors

Yes

Yes

No

No

No

No

No

No

No

No

Enable MFA for the Admin Dashboard Yes No No No No No No No No No
Authorize RADIUS Agent Yes No No Yes Yes Yes No No No No

API tokens

Permission
Super Admin
Org Admin
Group Admin
App Admin
Read-Only Admin
Mobile Admin
Help Desk Admin
Report Admin
API Access Management Admin
Group Membership Admin
Create User Tokens Yes Yes Yes No Yes No No No No Yes
View User Tokens Yes Yes

Yes^

No

Yes

Yes No No No

Yes*

Clear User Tokens Yes

Yes*

Yes*

No

Yes*

No No No No

Yes*

View User Social Tokens Yes

Yes

Yes Yes No No No No No No
Manage Tokens Yes Yes No No Yes No No No No No

* — Permissions apply only to self only.

^ — Permissions apply only to self and scoped members only.

OpenID Connect end-to-end scenario

Permission
Super Admin
Org Admin
Group Admin
App Admin
Read-Only Admin
Mobile Admin
Help Desk Admin
Report Admin
API Access Management Admin
Group Membership Admin
Create and modify an OIDC App, including registering an OAuth client.
Can be restricted to OIDC client apps.
Yes No No Yes No No No No Yes No
Add a social IDP Yes Yes No No No No No No No No
Read-only access to OAuth clients through the API Yes Yes No No No No No No Yes No

OMM applications

Permission
Super Admin
Org Admin
Group Admin
App Admin
Read-Only Admin
Mobile Admin
Help Desk Admin
Report Admin
API Access Management Admin
Group Membership Admin
View Mobile tab on apps Yes No No Yes Yes Yes No No No No
Edit and save EAS settings Yes No No No No Yes No No No No
Edit native Mobile Access check boxes Yes No No No No Yes No No No No

OMM - Wifi (EA)

Permission
Super Admin
Org Admin
Group Admin
App Admin
Read-Only Admin
Mobile Admin
Help Desk Admin
Report Admin
API Access Management Admin
Group Membership Admin
View wifi policies Yes Yes No No Yes Yes No No No No
Add/update/delete policies Yes Yes No No No Yes No No No No
Add/update/delete rules Yes Yes No No No Yes No No No No
Drag and drop policies for prioritization Yes Yes No No No Yes No No No No