Admin roles for ITP
Many enterprise roles in your org, from SecOps engineers to help desk admins, may need access to Identity Threat Protection with Okta AI. You can grant these users least-privilege access by customizing their admin roles.
Super admins
Super admin is the highest level of Okta permissions. Super admins can perform all admin activities for an org, including those for ITP, and have full management access.
Report admins
Report admins have view-only access to Okta reporting features. In orgs with ITP enabled, these admins can view dashboard widgets, System Logs, and observability reports.
Custom admin roles
Early Access release. See Enable self-service features.
Custom admin roles have granular permissions that are limited to a specific use case or a collection of resources. Custom ITP permissions include manually revoking a user session, viewing or managing policies, elevating or lowering user risk, and configuring the Shared Signals Framework receiver. See Role permissions and Configure custom admin roles for ITP.
Super admins in AMFA orgs
Okta offers limited ITP permissions to orgs with Adaptive MFA. To access these features, you must be a directly assigned super admin (no group assignments). See Risk scoring and Shared Signal Framework Receiver.
Custom admin roles for ITP aren't available for AMFA orgs.
Compare role permissions
Permission | Super admin | ITP custom admin | Super admin (AMFA org) |
---|---|---|---|
Manage shared signals framework receiver streams | ● | ● | ● |
View shared signals framework receiver streams | ● | ● | ● |
Manage users' risk and manually elevate user risk | ● | ● | |
View users' risk | ● | ● | |
View risk detections by user, investigate and offer feedback | ● | ● | |
Manage entity risk policy | ● | ● | |
View entity risk policy | ● | ● | |
Manage session protection policy | ● | ● | |
View session protection policy | ● | ● | |
Configure Universal Logout | ● | ● | |
View dashboard widgets and reports | ● | ●* | |
Create a delegated Workflow for policy actions | ● | | |
Manually revoke a user session | ● | ● | |
Assign custom admin roles for ITP | ● | | |
* Requires the Report admin role.