About help desk administrators
Help desk administrators have a fixed set of common help desk actions. Assigning a help desk admin is a strategic security measure because it prevents you from granting unnecessary permissions to help desk personnel.
Help desk admins are useful in the following scenarios:
- You have a single help desk that does not need excessive permissions to perform the role.
- You have a Tier 1 IT team that handles high-volume account transactions such as password resets.
- Your organization has branches, brands, or franchises that have separate IT teams.
- You have business units that need to perform actions on just their own users.
- You have outsourced service vendors that need to perform actions on just their own users.
Help desk admin permissions
Help desk admins have these fixed permissions:
- Reset password
- Create a temporary password for users in a Pending status using the "set password and activate" button
- Reset Multifactor Authentication
- Unlock account
- Clear user session
- View user profiles in the groups to which the admin has been assigned
A help desk admin can perform these actions on all users or on select groups of users. For more granular administrative control, you can assign the help desk admin to a select group of users and prevent them from even viewing users outside of their group.
Help desk admin restrictions
Help desk admins can't perform the following actions:
- Create and activate users
- Suspend and delete users
- Assign users to apps or groups
- Initiate Okta directory specific actions
- View or modify users outside the assigned group(s)
- Create API tokens
While help desk admins can't create API tokens, you can create an API token that carries this role's privileges for any given help desk admin. For example, you may implement a Reset MFA button in an application using Okta APIs and API tokens. For more information, see API tokens and Getting started with the Okta API.
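One way to check that help desk staff hold only the help desk admin role, scoped to the intended groups, is to audit an export of role assignments. This is an added example, not part of the Okta documentation; the record layout, the `intended_groups` field, the logins and the group names are assumptions constructed for illustration.

```python
# Added example: audit admin role assignments for help desk over-privilege.
# Record layout, logins and group names are constructed for illustration.

HELP_DESK_ROLE = "HELP_DESK_ADMIN"  # Okta role type for help desk admins

# "groups": groups the role is scoped to (empty list = all users).
# "intended_groups": hypothetical field, the scope the organization intends
# (empty list = a single org-wide help desk is intended).
ASSIGNMENTS = [
    {"login": "tier1.alice@example.com", "role": "HELP_DESK_ADMIN",
     "groups": ["Branch-East"], "intended_groups": ["Branch-East"]},
    {"login": "tier1.bob@example.com", "role": "SUPER_ADMIN",
     "groups": [], "intended_groups": ["Branch-West"]},
    {"login": "vendor.carol@example.com", "role": "HELP_DESK_ADMIN",
     "groups": [], "intended_groups": ["Vendor-Users"]},
    {"login": "tier1.dave@example.com", "role": "HELP_DESK_ADMIN",
     "groups": ["Branch-West", "Executives"], "intended_groups": ["Branch-West"]},
    {"login": "desk.erin@example.com", "role": "HELP_DESK_ADMIN",
     "groups": [], "intended_groups": []},
]


def audit(assignments):
    """Return (login, finding) tuples for assignments that exceed intent."""
    findings = []
    for a in assignments:
        scoped, intended = set(a["groups"]), set(a["intended_groups"])
        if a["role"] != HELP_DESK_ROLE:
            # Help desk staff should not hold any other admin role.
            findings.append((a["login"], f"role {a['role']} is not the help desk admin role"))
        elif intended and not scoped:
            # Role applies to all users although a group scope was intended.
            findings.append((a["login"], "scoped to all users, intended: " + ", ".join(sorted(intended))))
        elif intended and scoped - intended:
            # Role covers groups beyond the intended ones.
            findings.append((a["login"], "extra groups: " + ", ".join(sorted(scoped - intended))))
    return findings


if __name__ == "__main__":
    for login, finding in audit(ASSIGNMENTS):
        print(f"{login}: {finding}")
```
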