Manage Okta for AI Agents admin roles
To maintain a secure and scalable environment, Okta recommends delegating admin tasks according to the principle of least privilege. This approach ensures that tasks are assigned to the most appropriate admins rather than relying solely on super admins.
To support this, Okta provides an AI agent admin role. Admins with this role have permission to view and manage your org's AI agents. You can also use existing standard and custom admin roles to delegate more tasks to admins.
For information on admin role assignments in Okta, see Set up administrators.
AI agent admins
Users with the AI agent admin role can perform these AI agent-related tasks in Okta:
- Create, update, and delete AI agents
- Create, update, and delete MCP servers
- Configure AI agent imports for an app integration
- View users, groups, and apps
- View authorization servers, resource servers, and client authentication settings
- View SaaS app and Okta service accounts
- View System Log events
- View realms
Delegate more tasks to admins
The following table outlines the minimum admin roles and permissions that are required to perform various AI agent configuration tasks. By default, super admins can also perform these tasks.
| Task | Description | Required admin role |
|---|---|---|
| Add existing app integrations | Integrate an AI agent provider app from the Okta Integration Network. | App admin or a custom role with the Manage applications permission. |
| Create OpenID Connect app integrations | Integrate a custom OIDC app for user sign-on. | App admin or a custom role with the Manage applications permission. |
| Configure resource server connectors | Configure an app's resource server connector so you can create a resource connection between the app and an AI agent. | App admin or a custom role with the Manage applications permission. |
| Create an authorization server | Create custom authorization servers to manage access between Okta and client apps. | Custom role with the Manage authorization server permission. |
| Manage groups | Create user groups to manage the ownership of your AI agents. | Org admin or a custom role with the Manage groups permission. |
| Request access to AI agents | Streamline the process of requesting access to user sign-on apps that are linked to AI agents. | Access requests admin |
| Certify AI agents | Review and certify access to resources, including user sign-on apps that are linked to active AI agents. | Access certifications admin |