About role permissions

This is an Early Access feature. To enable it, go to Settings > Features in the Okta Admin Console and turn on Custom Administrator Roles.

User permissions

Manage users
    Gives your delegated admin the ability to view, create, edit, and delete all profile and credential information for users.

Create users
    Gives your delegated admin the ability to create users.

Edit users' profile attributes
    Gives your delegated admin the ability to only edit the value of their users' profile attributes.
    However, this permission doesn't allow delegated admins to create or edit custom attributes from the Profiles page in the Directory, or to manage profile mappings.

Edit users' lifecycle states
    Gives your delegated admin the ability to manage user lifecycle operations, such as activating, deactivating, reactivating, and suspending users.

Edit users' authenticator operations
    Gives your delegated admin the ability to manage users' credential operations, such as resetting passwords and multifactor authentication (MFA).

View users and their details
    Gives your delegated admin the ability to read users' profile and credential information.

Edit users' group membership
    Gives your delegated admin the ability to manage a user's group membership. Select this permission to grant your delegated admin the ability to add a user to a group.
    Your delegated admin also needs to have the Manage group membership permission from the Group permissions section for the group they can add a user to.

Edit users' application assignments
    Gives your delegated admin the ability to manage a user's application assignments.
    Your delegated admin also needs to have the Edit application's user assignments permission from the Application permissions section to view and select the applications they can add to the group.

Group permissions

Manage groups
    Gives your delegated admin the ability to view, create, edit, and delete groups in your Okta organization.

Create groups
    Gives your delegated admin the ability to create groups, provided that their admin role assignment is constrained to the entire org.

View groups
    Gives your delegated admin the ability to only view groups and the users, applications, and directories assigned to each group in your Okta organization.

Manage group membership
    Gives your delegated admin the ability to view, edit, and delete user membership within a group in your Okta organization.
    Your delegated admin also needs to have the Edit users' group membership permission from the User permissions section to view and select which users they can add to the group.

Edit group's application assignments
    Gives your delegated admin the ability to manage a group's application assignments.
    Your delegated admin also needs to have the Edit application's user assignments permission from the Application permissions section to view and select the applications they can add to the group.

Note

You can use Okta-sourced, AD-sourced, and LDAP-sourced groups as resources. However, the following permissions aren't applicable to AD-sourced and LDAP-sourced groups:

  • Create users
  • Manage users' authenticator operations
  • Edit users' profile attributes
  • Manage group membership

Application permissions

Manage applications
    Gives your delegated admin the ability to view, create, edit, and delete applications in your Okta organization.

View applications and their details
    Gives your delegated admin the ability to only view the applications assigned to your Okta organization.

Edit application's user assignments
    Gives your delegated admin the ability to manage the users assigned to the application.
    Your delegated admin also needs to have either the Edit group's application assignments permission from the Group permissions section or the Edit users' application assignments permission from the User permissions section to view and select which users or groups of users they can add to the application.
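Several permissions above only take effect in pairs: adding a user to a group needs a User permission and a Group permission, and assigning an application needs an Application permission plus either a User or a Group permission, while four permissions have no effect on AD-sourced and LDAP-sourced groups. A role that holds one half of such a pair looks complete in the Admin Console but cannot perform the task. The following Python model is an added example, not Okta code or part of this documentation: it encodes only the dependencies stated on this page, uses the page's display names rather than Okta API permission identifiers, and the task labels and function names (effective_permissions, missing_for, dangling_permissions) are assumptions of this example.

```python
"""Model of the cross-section permission dependencies described on this page.

Added example (not Okta code). Permission strings are the page's display names;
TASK_REQUIREMENTS and the function names are constructed for this example.
"""

# Each task needs ALL permissions in its tuple, one from each section, as the page states.
TASK_REQUIREMENTS = {
    "add user to group": (
        "Edit users' group membership",          # User permissions
        "Manage group membership",               # Group permissions, on the target group
    ),
    "assign application to user": (
        "Edit users' application assignments",   # User permissions
        "Edit application's user assignments",   # Application permissions
    ),
    "assign application to group": (
        "Edit group's application assignments",  # Group permissions
        "Edit application's user assignments",   # Application permissions
    ),
}

# Permissions the page's note says do not apply to AD-sourced and LDAP-sourced groups.
# (The note lists "Manage users' authenticator operations"; the User permissions
# table calls the same row "Edit users' authenticator operations".)
NOT_APPLICABLE_TO_DIRECTORY_GROUPS = frozenset({
    "Create users",
    "Manage users' authenticator operations",
    "Edit users' profile attributes",
    "Manage group membership",
})

DIRECTORY_SOURCES = frozenset({"AD", "LDAP"})


def effective_permissions(granted, group_source="Okta"):
    """Permissions that actually take effect for a group with the given source."""
    granted = frozenset(granted)
    if group_source in DIRECTORY_SOURCES:
        return granted - NOT_APPLICABLE_TO_DIRECTORY_GROUPS
    return granted


def missing_for(task, granted, group_source="Okta"):
    """Permissions still required before a delegated admin can perform `task`."""
    have = effective_permissions(granted, group_source)
    return tuple(p for p in TASK_REQUIREMENTS[task] if p not in have)


def dangling_permissions(granted, group_source="Okta"):
    """Held permissions that enable no task because every counterpart is missing.

    Returns {permission: {task: [missing counterparts]}}. A shared permission such as
    "Edit application's user assignments" is not dangling if ANY task using it is
    fully satisfied, matching the page's "either ... or ..." wording.
    """
    have = effective_permissions(granted, group_source)
    satisfied = {t for t, req in TASK_REQUIREMENTS.items() if all(r in have for r in req)}
    dangling = {}
    for task, required in TASK_REQUIREMENTS.items():
        if task in satisfied:
            continue
        for p in required:
            if p in have and not any(p in TASK_REQUIREMENTS[t] for t in satisfied):
                dangling.setdefault(p, {})[task] = [r for r in required if r not in have]
    return dangling


if __name__ == "__main__":
    # Constructed role definition for a help-desk style delegated admin.
    role = {"View users and their details", "Edit users' group membership", "View groups"}
    print("Missing for add user to group:", missing_for("add user to group", role))
    print("Dangling permissions (Okta group):", dangling_permissions(role))
    # Same role against an AD-sourced group: "Manage group membership" would not help either.
    print("Missing for AD group:", missing_for("add user to group", role | {"Manage group membership"}, "AD"))
```

Run the module to see the constructed help-desk role flagged as unable to add users to groups despite holding Edit users' group membership; grant Manage group membership on the relevant Okta-sourced group to close the gap. For AD-sourced or LDAP-sourced groups the model reports the task as blocked regardless, because membership is managed in the source directory.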

Related topics

Create a role

Create a resource set