Role permissions

This topic describes the role permissions that you can add to your custom admin roles.

User permissions

Permission

Description

Manage users Gives your delegated admin the ability to view, create, edit, and delete all profile and credential information for users.
Delegated admins with this permission can only manage user credential fields and not the credential values themselves.
Create users Gives your delegated admin the ability to create users.
Edit users' profile attributes Gives your delegated admin the ability to only edit the value of their users' profile attributes.
However, this permission doesn't allow the delegated admins to create or edit custom attributes from the Profiles page in the directory, or to manage profile mappings.
Edit users' lifecycle states* Gives your delegated admin the ability to manage user lifecycle operations, such as activating, deactivating, reactivating, and suspending users.
Activate users* Gives your delegated admin the ability to activate user accounts.
Deactivate users* Gives your delegated admin the ability to deactivate user accounts.
Suspend users* Gives your delegated admin the ability to suspend users' access to Okta. When a user is suspended, their user sessions are also cleared.
Unsuspend users* Gives your delegated admin the ability to restore users' access to Okta.
Delete users* Gives your delegated admin the ability to permanently delete user accounts.
Unlock users* Gives your delegated admin the ability to unlock users who have been locked out of Okta.
Clear users' sessions* Gives your delegated admin the ability to clear all active Okta sessions and OAuth tokens for an end user.
Edit users' authenticator operations* Gives your delegated admin the ability to manage users' credential operations, such as resetting passwords and multifactor authentication (MFA), including YubiKey enrollments.
Reset users' authenticators* Gives your delegated admin the ability to reset users' MFA authenticators.
Reset users' passwords* Gives your delegated admin the ability to reset users' passwords.
Set users' temporary password* Gives your delegated admin the ability to expire a user's password and set a new temporary password.
View users and their details Gives your delegated admin the ability to read users' profile and credential information.
Delegated admins with this permission can only view user credential fields and not the credential values themselves.
Edit users' group membership* Gives your delegated admin the ability to manage a users' group membership.

Your delegated admin also needs to have the Manage group membership permission from the Group permissions section for the group they can add a user to.

Edit users' application assignments* Gives your delegated admin the ability to manage a user's app assignments.

Your delegated admin also needs to have the Edit application's user assignments permission from the Application permissions section. This enables them to view and select the apps to assign to the user.

Manage API tokens Gives your delegated admin the ability to clear and view tokens.
View API tokens Gives your delegated admin the ability to view tokens.

* — Permissions grant view-only access to the Username, First name, Last name, Primary email, and Mobile phone profile attributes only.

You can use Okta-sourced, AD-sourced, and LDAP-sourced groups as resources. However, the following permissions aren't applicable to AD-sourced and LDAP-sourced groups:

  • Create users
  • Manage users' authenticator operations
  • Edit users' profile attributes
  • Manage group membership

Group permissions

Permission

Description

Manage groups Gives your delegated admin the ability to view, create, edit, and delete groups in your org.
Create groups Gives your delegated admin the ability to create groups if their admin role assignment is constrained to the entire org.
View groups Gives your delegated admin the ability to only view groups and the users and apps that are assigned to that group. in your org.
Manage group membership Gives your delegated admin the ability to view, edit, and delete user membership within a group in your org.

Your delegated admin also needs to have the Edit users' group membership permission from the User permissions section to view and select which users they can add to the group.

Edit group's application assignments Gives your delegated admin the ability to manage a group's app assignment.

Your delegated admin also needs to have the Edit application's user assignments permission from the Application permissions section. This enables them to view and select the apps they can add to the group.

Identity and access management permissions

Permission

Description

View roles, resources, and admin assignments Gives the delegated admin view-only permission for the roles, resource sets, and admin assignments in your org. Viewing information in the Admin Console also requires these permissions:
  • View users and their details permission: Allow the delegated admin to view your org's admins. This permission appears in the User permissions section.
  • View applications and their details: Allow the delegated admin to view apps. This permission appears in the Application permissions section.
Alternatively, you can assign the Read-only administrators role to the admins with this permission to grant them full read-only access to the Admin Console.

Application permissions

Permission

Description

Manage applications Gives your delegated admin the ability to view, create, edit, and delete apps in your org.
View applications and their details Gives your delegated admin the ability to only view apps that are assigned to your org.
View client credentials Gives your delegated admin the ability to view OAuth client secrets.

Early Access release. See Enable self-service features.

Manage application general settings

Gives your delegated admin the ability to manage only the general app settings in your org.
Edit app's user assignments Gives your delegated admin the ability to manage the users that are assigned to the app.

Your delegated admin also needs to have either the Edit groups' application assignments permission from the Group permissions section or Edit users' application assignments permission from the User permissions section. This enables them to view and select which users or groups of users to add to the app.

Gives your delegated admin the ability to view the following provisioning error tasks:

  • Application assignments encountered errors
  • Group push mapping encountered errors
  • Error Profile push updates encountered errors

See Monitor your tasks.

Support permissions

Early Access release. See Enable self-service features.

Permission

Description

View, create, and manage Okta support cases

Gives your delegated admin the ability to manage the support cases that they've opened.

Okta is slowly rolling out this permission to orgs and might not yet be available.

Profile source permissions

Permission

Description

Run imports Gives your delegated admin the ability to run imports for apps with a profile source, such as HRaaS and AD/LDAP apps. Admins with this permission can create users through the import.

Your delegated admin needs the Edit users' profile attributes permission from the User permissions section to modify any existing users who are included in the import.

Workflow permissions

Permission

Description

Run delegated flow Gives your delegated admin the ability to run flows from within the Admin Console.
View delegated flow Gives your delegated admin the ability to only view flows from within the Admin Console.

Authorization server permissions

Permission

Description
Manage authorization server Gives your delegated admin the ability to view, create, edit, and delete authorization servers in your org.
View authorization server Gives your delegated admin the ability to view only the authorization servers in your org.

Customization permissions

Permission

Description

Manage customizations Gives your delegated admin the ability to view, create, edit, and delete branding customizations in your org.
View customizations Gives your delegated admin the ability to view only the branding customizations in your org.

Directories permissions

Permission

Description

Manage directories Gives your delegated admin the ability to view, create, edit, and delete directory integration apps in your org.

Managing app user assignments and running imports for such apps may require permissions for users and groups.

View directories Gives your delegated admin the ability to view only the directory integration apps and their details.

Identity Provider permissions

Permission

Description

Manage identity providers Gives your delegated admin the ability to view, create, edit, and delete IdP configurations.
View identity providers Gives your delegated admin the ability to only view IdP configurations.

Devices permissions

Early Access release. See Enable self-service features.

Permission

Description

Manage devices Gives your delegated admin the ability to view, suspend, unsuspend, activate, deactivate, and delete devices in your org.
View devices Gives your delegated admin the ability to view devices in your org.
Activate devices Gives your delegated admin the ability to view and activate devices in your org.
Deactivate devices Gives your delegated admin the ability to view and deactivate devices in your org.

If your delegated admin deactivates a device, enrolled factors on the device are deactivated, and users must re-enroll factors on the device when it's activated. See Device lifecycle.

Suspend devices Gives your delegated admin the ability to view and suspend devices in your org.
Unsuspend devices Gives your delegated admin the ability to view and unsuspend devices in your org.
Delete devices Gives your delegated admin the ability to view and delete devices in your org.

Realms permissions

Early Access release. See Enable self-service features.

Permission

Description

Manage realms Gives your delegated realm admin the ability to manage one or more realms in your org.
Manage users Gives your delegated realm admin the ability to add, delete, and move users between realms.

The Manage realms permission is required for a delegated admin to move users between realms.

A delegated realm admin can also configure granular permissions within a role. For example, if you give group membership and app permissions to users in the realm, you can assign them to an app or group that's in the resource set.

Agent permissions

Permission

Description

View agents Gives your delegated admin the ability to view agent statuses and download agents.
Register agents Gives your delegated admin the ability to register agents and domains.
Manage agents Gives your delegated admin the ability to manage agent communication and update agents.

Related topics

Create a role

Create a resource set