Custom Administrator Roles

This is an Early Access feature. To enable it, go to Settings > Features in the Okta Admin Console and turn on Custom Administrator Roles.

What’s new?

The Custom Administrator Roles feature gives you the ability to configure granular permissions within a role. This feature offers:

  • More control over creation of roles in a self-service way. You can create custom role assignments based on your specific use case.

  • Increased org security. You can assign granular permissions to your admins in a way that only gives them permissions that they need to perform a task. This reduces the need to assign the Super admin and Org admin roles to your users.

  • Simplified admin audits and compliance review with more visibility over granular admin permissions

An admin role assignment consists of these three components:

  • Admin
    The user or the user group that you need to grant admin permissions to.

  • Role
    A set of permissions that you constrain an admin to. There are two types of roles, standard and custom. You can create a maximum of 100 roles for an org. Currently, permissions are limited to managing user, group, and app activity only.

  • Resource set
    A collection of resources. You can create a maximum of 10,000 resource sets and assign a maximum of 1,000 resources for each resource set. Currently, only user groups and apps in your org are considered as resources.

Note
  • Resource sets are only available for custom admin roles.
  • You can only have 1,000 admins who have the same role and resource set combination constrained to them.

You have the flexibility to create or select any one of these components as a starting point for creating a custom admin role assignment. Before creating an admin role assignment, we recommend that you see Best practices for creating a custom role assignment.

Impact on Standard roles

  • Your pre-existing roles (super admin, org admin, group admin, app admin, read-only admin, mobile admin, help desk admin, report admin, API access management admin, and group membership admin) are referred to as Standard roles.

  • The standard role functionality is the same as earlier but the UI is different. See Use standard roles.

  • You can continue using the pre-existing roles and your existing assignments remain the same.

  • You can also assign custom roles to users who have standard roles assigned.

Limitations

  • If you have the Custom Admin Roles feature enabled, you can't disable the Admin Experience Redesign feature.

  • Admins who are only assigned custom admin roles:

    • Will not receive any admin email notifications and are not able to opt-in to admin email notifications.

    • Can’t manage a user with a super admin assignment.

  • You can only get the admin reports from the Admin role assignment reports page in the Admin Console. Currently, getting reports using APIs is not supported.

Known Issues

  • We recommend that you manage standard role assignments that have more than 100 groups or apps assigned from the user or group's profile page for better load times. You can search for the group or the user's profile from the search bar on the Administrators page. Alternatively, you can:

    • Go to Directory > People and search for the user.

    • Go to Directory > Groups and search for the group.

    • Go to Security > AdministratorsAdmins tab and search for the user or group.

  • Use the Admin assignment by role page instead of Admin assignment by admin page to edit admin role assignments for users who have the following group assigned standard roles:

    • Help desk admin

    • Group admin

    • Group membership admin

    • App admin

Related topics

About creating a customized admin role assignment

Best practices for creating a custom role assignment

About the Administrators page