Best practices for creating a custom role assignment

This is an Early Access feature. To enable it, go to Settings > Features in the Okta Admin Console and turn on Custom Administrator Roles.

While the Custom Admin Roles feature gives you flexibility in combining the three components of a role assignment (the admin, the role, and the resource set) and lets you grant granular roles to your admins, consider the following before you create admin assignments:

  • You can start a role assignment from any of its three components (Admin, Role, or Resource set), but we recommend that you think about the assignment resource-first: decide which resources an admin should be able to reach, and only then which roles they need over those resources. Starting from the resource keeps each assignment scoped to the smallest set of objects the admin actually needs.

  • If you want an admin to be able to view all resources but only manage specific resources, create two separate role assignments for the admin.
    For example, you have a set of admins who need to view all users, but should only be able to edit users in some groups. In this case, create two roles: a View users role and an Edit users role. When you assign these roles to an admin:

    • Constrain the View users role to a resource set that has all users in it.

      Note

      Every role assignment must be constrained to a resource set, even one that grants view access to everything. Create a resource set that contains all users and constrain the View users role to it.

    • Constrain the Edit users role to a more granular resource set that contains the group of users the admins need access to edit.

  • You may have to assign several roles to an admin to constrain different permissions to different resource sets. See About role permissions.
    Consider a scenario where the Los Angeles Employees group is a subset of the United States Employees group. You want a group of help desk admins, who are members of the Los Angeles Help Desk group, to view all users in the United States Employees group. However, they should only be able to edit profiles of users who are members of the Los Angeles Employees group. In this case, you need:

    1. Resource sets:

      • A resource set that contains all groups of users that the help desk admin needs permissions to view. In this case, a resource set that contains all the individual groups used to manage the United States Employees. You can name this resource set All United States Employees.

      • A resource set that contains only the groups the admin should have a specific permission for. In this case, a resource set that contains only the Los Angeles Employees group. You can name this resource set Los Angeles Employees.

    2. Roles:

      • A new role with the View users permission. You can save this custom role as Help Desk Viewer.

      • Another role with the Manage User profiles permission. You can save this custom role as Help Desk Profile Editor.

    3. Role assignments, granted to the Los Angeles Help Desk group:

      • Assign and constrain the Help Desk Viewer role to the All United States Employees resource set.

      • Assign and constrain the Help Desk Profile Editor role to the Los Angeles Employees resource set.

  • To make custom roles easy to understand at a glance:

    • Name your custom roles and resource sets so that the name alone makes clear which permissions and which resources they include.

    • Record the details in the description field. Clear names and descriptions make it much easier to review an assignment later and to spot one that grants more than intended.
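The Los Angeles scenario above, worked through as an added example (this is not code from the Okta page or from Okta): a small Python model of the three components, admin, role, and resource set, that computes which permissions an admin holds on a given target user, so you can check a design before you create it in the Admin Console. It also flags users the admin could edit but not view, which happens when the edit resource set is not a subset of the view resource set. The org URL, group IDs, and user records are constructed sample data; the permission identifiers and resource URL shapes follow Okta's Management API and are assumed here, not taken from this page.

```python
"""Effective-permission check for custom admin role assignments.

Models the three components the page describes (admin, role, resource set)
and computes what an admin may do to a given target user. The org URL,
group IDs and user records are constructed sample data.
"""
from dataclasses import dataclass

ORG = "https://example.okta.com"  # assumed org URL, sample only

# Permission identifiers as used by Okta custom roles (assumed, not from the page).
VIEW_USERS = "okta.users.read"
MANAGE_PROFILES = "okta.users.userprofile.manage"

# Constructed sample group IDs.
US_EMPLOYEES = "00gUS"
LA_EMPLOYEES = "00gLA"
LA_HELP_DESK = "00gHD"


@dataclass(frozen=True)
class User:
    login: str
    groups: frozenset  # IDs of the groups the user belongs to


@dataclass(frozen=True)
class ResourceSet:
    label: str
    resources: tuple  # Okta-style resource URLs (all users, or users of a group)

    def contains(self, user: User) -> bool:
        """True if any resource URL in the set covers this user."""
        all_users = f"{ORG}/api/v1/users"
        prefix = f"{ORG}/api/v1/groups/"
        for url in self.resources:
            if url == all_users:
                return True
            if url.startswith(prefix) and url.endswith("/users"):
                group_id = url[len(prefix):-len("/users")]
                if group_id in user.groups:
                    return True
        return False


@dataclass(frozen=True)
class Role:
    label: str
    permissions: frozenset


@dataclass(frozen=True)
class Binding:
    """One role assignment: a role, constrained to a resource set, granted to admin groups."""
    role: Role
    resource_set: ResourceSet
    members: frozenset  # admin group IDs that receive the assignment


def effective_permissions(admin: User, target: User, bindings) -> set:
    """Permissions `admin` holds on `target`. A binding applies only if the
    admin is a member of it and the target falls inside its resource set."""
    granted = set()
    for b in bindings:
        if admin.groups & b.members and b.resource_set.contains(target):
            granted |= b.role.permissions
    return granted


def edit_without_view(admin: User, users, bindings) -> list:
    """Design check: logins the admin could edit but not view. Non-empty means
    the edit resource set is not a subset of the view resource set."""
    out = []
    for u in users:
        perms = effective_permissions(admin, u, bindings)
        if MANAGE_PROFILES in perms and VIEW_USERS not in perms:
            out.append(u.login)
    return out


# The page's scenario: view all US employees, edit only Los Angeles employees.
ALL_US = ResourceSet("All United States Employees",
                     (f"{ORG}/api/v1/groups/{US_EMPLOYEES}/users",))
LOS_ANGELES = ResourceSet("Los Angeles Employees",
                          (f"{ORG}/api/v1/groups/{LA_EMPLOYEES}/users",))
VIEWER = Role("Help Desk Viewer", frozenset({VIEW_USERS}))
EDITOR = Role("Help Desk Profile Editor", frozenset({MANAGE_PROFILES}))
SCENARIO = (
    Binding(VIEWER, ALL_US, frozenset({LA_HELP_DESK})),
    Binding(EDITOR, LOS_ANGELES, frozenset({LA_HELP_DESK})),
)

# Constructed sample users. LA employees are normally also in the US group;
# LA_ONLY_USER deliberately violates that, to show what the check catches.
HELP_DESK_ADMIN = User("helpdesk@example.com", frozenset({LA_HELP_DESK}))
NY_USER = User("ny@example.com", frozenset({US_EMPLOYEES}))
LA_USER = User("la@example.com", frozenset({US_EMPLOYEES, LA_EMPLOYEES}))
EU_USER = User("eu@example.com", frozenset({"00gEU"}))
LA_ONLY_USER = User("laonly@example.com", frozenset({LA_EMPLOYEES}))
SAMPLE_USERS = (NY_USER, LA_USER, EU_USER, LA_ONLY_USER)


def scenario_matrix() -> dict:
    """Effective permissions of the help desk admin on each sample user."""
    return {u.login: effective_permissions(HELP_DESK_ADMIN, u, SCENARIO)
            for u in SAMPLE_USERS}


if __name__ == "__main__":
    for login, perms in scenario_matrix().items():
        print(f"{login}: {sorted(perms) or 'no access'}")
    print("edit without view:", edit_without_view(HELP_DESK_ADMIN, SAMPLE_USERS, SCENARIO))
```

Run it and the New York user shows only read access, the Los Angeles user shows read and profile management, and the EU user shows nothing, which is exactly the split the two role assignments are meant to produce. The `edit_without_view` result is the check to run whenever the edit resource set is built from a different group than the view resource set: if group membership drifts so that a user is in Los Angeles Employees but not in United States Employees, the admin can edit a profile they cannot list.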

Related topics

About creating a customized admin role assignment

About role permissions

Create a role

Create a resource set