Standard administrator roles and permissions
Use these tables to compare standard admin permissions for Okta features, settings, and tasks.
Super admins can perform all admin tasks for an org and have full management access.
Org-wide settings
Permission
|
Super Admin
|
Org Admin
|
Group Admin
|
App Admin
|
Read-only admin
|
Help Desk Admin
|
Report Admin
|
API Access Management Admin
|
Group Membership Admin
|
Access Requests Admin |
Access Certifications Admin |
---|---|---|---|---|---|---|---|---|---|---|---|
View and run reports | ● | ● | ● | ● | |||||||
View Okta settings (themes, logo, contact info) | ● | ● | ● | ||||||||
Grant access to Okta Support | ● | ||||||||||
Manage Profile Editor | ● | ● | ● | ●* | |||||||
Manage profile mappings | ● | ● | ●* | ||||||||
Manage sensitive attributes | ● | ||||||||||
Edit Okta settings | ● | ● | |||||||||
Add, remove, and view administrators | ● | ||||||||||
Add, delete, and edit authorization server scope, claim, and policies | ● | ● | |||||||||
View authorization server scope, claim, and policy | ● | ● | ● | ● | |||||||
View System Log (system events) | ● | ● | ● | ● | ● | ● | |||||
Edit email and SMS template | ● | ● | |||||||||
Edit default email settings for other admins | ● | ||||||||||
View Device Trust enablement setting | ● | ● | ● | ||||||||
Enable Device Trust setting | ● | ● | |||||||||
Close or retry tasks | ● | ● | |||||||||
Send custom notifications to users | ● | ● | |||||||||
Apply multibrand customization | ● | ● | |||||||||
Manage (enable, disable, update) CAPTCHA enablement settings | ● | ● | |||||||||
View CAPTCHA enablement settings | ● | ● | ● | ||||||||
Manage log streaming | ● |
* — Permissions apply only to OIDC apps.
User management
Permission
|
Super Admin
|
Org Admin
|
Group Admin
|
App Admin
|
Read-only admin
|
Help Desk Admin
|
Report Admin
|
API Access Management Admin
|
Group Membership Admin
|
Access Requests Admin |
Access Certifications Admin |
---|---|---|---|---|---|---|---|---|---|---|---|
View users | ● | ● | ●* | ● | ● | ●* | ● | ● | ● | ● | |
Create users | ● | ● | ●* | ||||||||
Delete users | ● | ● | ●* | ||||||||
Suspend users | ● | ●° | ●*° | ||||||||
Deactivate users | ● | ● | ●* | ||||||||
Activate users | ● | ●° | ●*° | ||||||||
Change user types | ● | ● | ●* | ||||||||
Sign out users | ● | ● | ●* | ||||||||
Clear user sessions | ● | ●° | ●*° | ●*° | |||||||
View logs | ● | ●° | ●* | ●° | |||||||
Edit profiles | ● | ● | ●* | ●^ | |||||||
Password resets, MFA resets | ● | ● | ●* | ●* | |||||||
Choose not to receive email notifications about locked user accounts | ● | ● | ●* | ● | ● | ||||||
Reset user behavior profile | ● | ● | ●* | ●* | |||||||
View user behavior profile | ● | ● | ● | ||||||||
View user types |
● |
|
|
● |
● |
|
|
● |
|
* — Permissions apply only to groups that the admin is allowed to manage.
^ — Permissions apply only on user import for apps that don't have profile source configured.
° — Admin can perform the action on super admins.
Group management
Permission
|
Super Admin
|
Org Admin
|
Group Admin
|
App Admin
|
Read-only admin
|
Help Desk Admin
|
Report Admin
|
API Access Management Admin
|
Group Membership Admin
|
Access Requests Admin |
Access Certifications Admin |
---|---|---|---|---|---|---|---|---|---|---|---|
View groups | ● | ● | ●* | ● | ● | ●* | ● | ● | ● | ● | |
Add users to groups | ● | ●° | ●^° | ●*° | |||||||
Add users to a group with assigned admin privileges | ● | ||||||||||
Remove users from groups | ● | ●° | ●^° | ●*° | |||||||
Create groups | ● | ● | |||||||||
View group rules |
● |
● | ●× |
|
● |
|
|
|
|
|
|
Add/edit/delete group rules |
● |
● |
|
|
|
|
|
|
|
||
Assign admin privileges to a group | ● | ||||||||||
Delete groups | ● | ● | |||||||||
Edit group MFA authenticators |
● | ● |
* — Permissions apply only to groups that the admin is allowed to manage.
^ — Permissions to create, add, and remove users apply only to groups that the group admin manages. Group admins can create new users in groups that they manage, remove users from groups that they manage, and move users between groups that they manage.
× — Permissions apply only if the admin has access to all users and groups.
° — Admin can perform the action on super admins.
-
Only super admins can manage groups with administrative roles. If a group admin is assigned access to a group that is later assigned an admin role, the group admin will no longer be able to make any changes over the group or group members.
-
For orgs with group profile feature enabled, group membership admins can't modify group name and description.
Service accounts management
Early Access release. To enable it, contact Okta Support.
Permission
|
Super Admin
|
Org Admin
|
Group Admin
|
App Admin
|
Read-only Admin
|
Help Desk Admin
|
Report Admin
|
API Access Management Admin
|
Group Membership Admin
|
Access Requests Admin |
Access Certifications Admin |
---|---|---|---|---|---|---|---|---|---|---|---|
Create, edit, or remove service accounts | ● |
Application management
Permission
|
Super Admin
|
Org Admin
|
Group Admin
|
App Admin
|
Read-only admin
|
Help Desk Admin
|
Report Admin
|
API Access Management Admin
|
Group Membership Admin
|
Access Requests Admin |
Access Certifications Admin |
---|---|---|---|---|---|---|---|---|---|---|---|
View applications or application instances | ● | ●^ | ● | ●* | ● | ● | |||||
Add and configure applications | ● | ●^ | ●* | ||||||||
Assign user access to applications | ● | ●^ | ●* | ||||||||
Create users in staged status through app import | ● | ●^ |
* — Permissions apply only to OIDC apps.
^ — Permissions apply only to apps that the app admin is allowed to manage.
Devices
Permission
|
Super Admin
|
Org Admin
|
Group Admin
|
App Admin
|
Read-only admin
|
Help Desk Admin
|
Report Admin
|
API Access Management Admin
|
Group Membership Admin
|
Access Requests Admin |
Access Certifications Admin |
---|---|---|---|---|---|---|---|---|---|---|---|
Manage devices | ● | ● | |||||||||
View devices and device details | ● | ● | ● | ● | ● | ||||||
Suspend or deactivate devices | ● | ● | |||||||||
View and add Device Assurance policies | ● | ● | |||||||||
View device integrations |
● | ● |
Hooks
Permission
|
Super Admin
|
Org Admin
|
Group Admin
|
App Admin
|
Read-only admin
|
Help Desk Admin
|
Report Admin
|
API Access Management Admin
|
Group Membership Admin
|
Access Requests Admin |
Access Certifications Admin |
---|---|---|---|---|---|---|---|---|---|---|---|
View hooks | ● | ● | |||||||||
Create and configure hooks | ● |
Policies
Permission
|
Super Admin
|
Org Admin
|
Group Admin
|
App Admin
|
Read-only admin
|
Help Desk Admin
|
Report Admin
|
API Access Management Admin
|
Group Membership Admin
|
Access Requests Admin |
Access Certifications Admin |
---|---|---|---|---|---|---|---|---|---|---|---|
View Global Session Policies | ● | ● | |||||||||
Add/update/delete Global Session Policies | ● | ● | |||||||||
Add/update/delete Global Session Policy rules | ● | ● | |||||||||
View authentication policies |
● | ● | ●* | ● | |||||||
Add/update/delete authentication policies |
● | ●* | |||||||||
Assign authentication policies to apps |
● | ●* | |||||||||
Add/update/delete authentication policies rules |
● | ●* | |||||||||
View user profile policies |
● | ● | |||||||||
Add/update/delete user profile policies |
● | ||||||||||
Drag and drop policies for prioritization | ● | ||||||||||
Edit MFA authenticators in policies | ● |
* — Permissions apply only to authentication policies. App admins can manage authentication policies only if they're allowed to manage all apps assigned to the policy.
Org security
Permission
|
Super Admin
|
Org Admin
|
Group Admin
|
App Admin
|
Read-only admin
|
Help Desk Admin
|
Report Admin
|
API Access Management Admin
|
Group Membership Admin
|
Access Requests Admin |
Access Certifications Admin |
---|---|---|---|---|---|---|---|---|---|---|---|
View network zones | ● | ● | ● | ||||||||
Manage network zones | ● | ● | |||||||||
View org behavior profile | ● | ● | ● | ||||||||
Manage org behavior profile | ● | ● | |||||||||
View ThreatInsight configuration | ● | ● | ● | ||||||||
Manage ThreatInsight configuration | ● | ● |
Multifactor Authentication
Permission
|
Super Admin
|
Org Admin
|
Group Admin
|
App Admin
|
Read-only admin
|
Help Desk Admin
|
Report Admin
|
API Access Management Admin
|
Group Membership Admin
|
Access Requests Admin |
Access Certifications Admin |
---|---|---|---|---|---|---|---|---|---|---|---|
Configure authenticators |
● | ● | |||||||||
Enable MFA for the Admin Dashboard | ● | ||||||||||
Authorize RADIUS Agent | ● | ● | ● |
API tokens
Permission
|
Super Admin
|
Org Admin
|
Group Admin
|
App Admin
|
Read-only admin
|
Help Desk Admin
|
Report Admin
|
API Access Management Admin
|
Group Membership Admin
|
Access Requests Admin |
Access Certifications Admin |
---|---|---|---|---|---|---|---|---|---|---|---|
Create user tokens | ●* | ●* | ●* | ●* | ●* | ||||||
View user tokens | ● | ● | ●^ | ●* | ●* | ||||||
Clear user tokens | ● | ●* | ●* | ●* | ●^ | ●* | |||||
View user social tokens | ● | ● | ● | ● | |||||||
Manage tokens | ● | ● | ●* | ●* |
* — Permissions apply only to self.
^ — Permissions apply only to self and scoped members.
OpenID Connect end-to-end scenario
Permission
|
Super Admin
|
Org Admin
|
Group Admin
|
App Admin
|
Read-only admin
|
Help Desk Admin
|
Report Admin
|
API Access Management Admin
|
Group Membership Admin
|
Access Requests Admin |
Access Certifications Admin |
---|---|---|---|---|---|---|---|---|---|---|---|
Create and modify an OIDC App, including registering an OAuth client. Can be restricted to OIDC client apps. |
● | ● | ● | ||||||||
Add a social IDP | ● | ● | |||||||||
Read-only access to OAuth clients through the API | ● | ● | ● | ● | ● |
Identity Governance
Access certifications admin and access requests admin roles are available only if you're subscribed to Okta Identity Governance.
Permission
|
Super Admin
|
Org Admin
|
Group Admin
|
App Admin
|
Read-only admin
|
Help Desk Admin
|
Report Admin
|
API Access Management Admin
|
Group Membership Admin
|
Access Requests Admin |
Access Certifications Admin |
---|---|---|---|---|---|---|---|---|---|---|---|
View all campaigns | ● | ● | |||||||||
Create campaigns | ● | ● | |||||||||
Edit/launch scheduled campaigns | ● | ● | |||||||||
End active campaigns | ● | ● | |||||||||
Manage user access applications within Access Requests | ● | ● | |||||||||
Act as an administrator within Access Requests | ● | ● |
Realms
Okta Identity Governance is required for realms. See Okta Identity Governance for more information.
Permission
|
Super Admin
|
Org Admin
|
Group Admin
|
App Admin
|
Read-only admin
|
Help Desk Admin
|
Report Admin
|
API Access Management Admin
|
Group Membership Admin
|
Access Requests Admin |
Access Certifications Admin |
---|---|---|---|---|---|---|---|---|---|---|---|
Create realms | ● | ● | |||||||||
View realms designation | ● | ● | ● | ● | ● | ● | ● | ● | |||
Update realms |
● | ● | |||||||||
Delete realms | ● | ● | |||||||||
Update user realms designation (move user from one realm to another) | ● | ● | |||||||||
Mover users individually |
● | ● | |||||||||
Bulk move users between realms | ● | ||||||||||
Create realms assignment |
● | ||||||||||
Setting up a workflow with realms | ● | ● | ● |
Workflows
The Okta super admin and the Workflows Administrator role have full administration and management privileges within the Okta Workflows product.
The Workflows Administrator role has no permissions to perform any actions in the Okta Admin Console.
A user or group assigned to the Workflows Administrator role can't grant the Workflows Administrator role to other users or groups in the Okta org. Only an Okta super admin can assign that role through the Okta Admin Console.
All Okta Workflows roles are assigned to users and groups using the Workflows Console, except for the Workflows Administrator role. See Manage Workflow roles.
For a complete summary of the permissions for this role, see Resource permissions.