Standard administrator roles and permissions

Use these tables to compare standard admin permissions for Okta features, settings, and tasks.

Super admins can perform all admin tasks for an org and have full management access.

Org-wide settings

Permission
Super Admin
Org Admin
Group Admin
App Admin
Read-only admin
Help Desk Admin
Report Admin
API Access Management Admin
Group Membership Admin

Access Requests Admin

Access Certifications Admin

View and run reports
View Okta settings (themes, logo, contact info)
Grant access to Okta Support
Manage Profile Editor ●*
Manage profile mappings ●*
Manage sensitive attributes
Edit Okta settings
Add, remove, and view administrators
Add, delete, and edit authorization server scope, claim, and policies
View authorization server scope, claim, and policy
View System Log (system events)
Edit email and SMS template
Edit default email settings for other admins
View Device Trust enablement setting
Enable Device Trust setting
Close or retry tasks
Send custom notifications to users
Apply multibrand customization

Manage (enable, disable, update) CAPTCHA enablement settings
View CAPTCHA enablement settings
Manage log streaming

* — Permissions apply only to OIDC apps.

User management

Permission
Super Admin
Org Admin
Group Admin
App Admin
Read-only admin
Help Desk Admin
Report Admin
API Access Management Admin
Group Membership Admin

Access Requests Admin

Access Certifications Admin

View users ●* ●*
Create users ●*
Delete users ●*
Suspend users ●° ●*°
Deactivate users ●*
Activate users ●° ●*°
Change user types ●*
Sign out users ●*
Clear user sessions ●° ●*° ●*°
View logs ●° ●* ●°
Edit profiles ●* ●^
Password resets, MFA resets ●* ●*
Choose not to receive email notifications about locked user accounts ●*
Reset user behavior profile ●* ●*
View user behavior profile

View user types

* — Permissions apply only to groups that the admin is allowed to manage.

^ — Permissions apply only on user import for apps that don't have profile source configured.

° — Admin can perform the action on super admins.

Group management

Permission
Super Admin
Org Admin
Group Admin
App Admin
Read-only admin
Help Desk Admin
Report Admin
API Access Management Admin
Group Membership Admin

Access Requests Admin

Access Certifications Admin

View groups ●* ●*
Add users to groups ●° ●^° ●*°
Add users to a group with assigned admin privileges
Remove users from groups ●° ●^° ●*°
Create groups
View group rules ●×

Add/edit/delete group rules

Assign admin privileges to a group
Delete groups

Edit group MFA authenticators

* — Permissions apply only to groups that the admin is allowed to manage.

^ — Permissions to create, add, and remove users apply only to groups that the group admin manages. Group admins can create new users in groups that they manage, remove users from groups that they manage, and move users between groups that they manage.

× — Permissions apply only if the admin has access to all users and groups.

° — Admin can perform the action on super admins.

  • Only super admins can manage groups with administrative roles. If a group admin is assigned access to a group that is later assigned an admin role, the group admin can no longer make any changes to the group or its members.

  • For orgs with the group profile feature enabled, group membership admins can't modify the group name and description.

Service accounts management

Early Access release. To enable it, contact Okta Support.

Permission
Super Admin
Org Admin
Group Admin
App Admin
Read-only Admin
Help Desk Admin
Report Admin
API Access Management Admin
Group Membership Admin

Access Requests Admin

Access Certifications Admin

Create, edit, or remove service accounts

Application management

Permission
Super Admin
Org Admin
Group Admin
App Admin
Read-only admin
Help Desk Admin
Report Admin
API Access Management Admin
Group Membership Admin

Access Requests Admin

Access Certifications Admin

View applications or application instances ●^ ●*
Add and configure applications ●^ ●*
Assign user access to applications ●^ ●*
Create users in staged status through app import ●^

* — Permissions apply only to OIDC apps.

^ — Permissions apply only to apps that the app admin is allowed to manage.

Devices

Permission
Super Admin
Org Admin
Group Admin
App Admin
Read-only admin
Help Desk Admin
Report Admin
API Access Management Admin
Group Membership Admin

Access Requests Admin

Access Certifications Admin

Manage devices
View devices and device details
Suspend or deactivate devices
View and add Device Assurance policies

View device integrations

Hooks

Permission
Super Admin
Org Admin
Group Admin
App Admin
Read-only admin
Help Desk Admin
Report Admin
API Access Management Admin
Group Membership Admin

Access Requests Admin

Access Certifications Admin

View hooks
Create and configure hooks

Policies

Permission
Super Admin
Org Admin
Group Admin
App Admin
Read-only admin
Help Desk Admin
Report Admin
API Access Management Admin
Group Membership Admin

Access Requests Admin

Access Certifications Admin

View Global Session Policies
Add/update/delete Global Session Policies
Add/update/delete Global Session Policy rules

View authentication policies ●*
Add/update/delete authentication policies ●*
Assign authentication policies to apps ●*
Add/update/delete authentication policy rules ●*

View user profile policies

Add/update/delete user profile policies

Drag and drop policies for prioritization
Edit MFA authenticators in policies

* — Permissions apply only to authentication policies. App admins can manage authentication policies only if they're allowed to manage all apps assigned to the policy.

Org security

Permission
Super Admin
Org Admin
Group Admin
App Admin
Read-only admin
Help Desk Admin
Report Admin
API Access Management Admin
Group Membership Admin

Access Requests Admin

Access Certifications Admin

View network zones
Manage network zones
View org behavior profile
Manage org behavior profile
View ThreatInsight configuration
Manage ThreatInsight configuration

Multifactor Authentication

Permission
Super Admin
Org Admin
Group Admin
App Admin
Read-only admin
Help Desk Admin
Report Admin
API Access Management Admin
Group Membership Admin

Access Requests Admin

Access Certifications Admin

Configure authenticators

Enable MFA for the Admin Dashboard
Authorize RADIUS Agent

API tokens

Permission
Super Admin
Org Admin
Group Admin
App Admin
Read-only admin
Help Desk Admin
Report Admin
API Access Management Admin
Group Membership Admin

Access Requests Admin

Access Certifications Admin

Create user tokens ●* ●* ●* ●* ●*
View user tokens ●^ ●* ●*
Clear user tokens ●* ●* ●* ●^ ●*
View user social tokens
Manage tokens ●* ●*

* — Permissions apply only to self.

^ — Permissions apply only to self and scoped members.

OpenID Connect end-to-end scenario

Permission
Super Admin
Org Admin
Group Admin
App Admin
Read-only admin
Help Desk Admin
Report Admin
API Access Management Admin
Group Membership Admin

Access Requests Admin

Access Certifications Admin

Create and modify an OIDC App, including registering an OAuth client.
Can be restricted to OIDC client apps.
Add a social IDP
Read-only access to OAuth clients through the API

Identity Governance

Access certifications admin and access requests admin roles are available only if you're subscribed to Okta Identity Governance.

Permission
Super Admin
Org Admin
Group Admin
App Admin
Read-only admin
Help Desk Admin
Report Admin
API Access Management Admin
Group Membership Admin

Access Requests Admin

Access Certifications Admin

View all campaigns
Create campaigns
Edit/launch scheduled campaigns
End active campaigns
Manage user access applications within Access Requests
Act as an administrator within Access Requests

Realms

Okta Identity Governance is required for realms. See Okta Identity Governance for more information.

Permission
Super Admin
Org Admin
Group Admin
App Admin
Read-only admin
Help Desk Admin
Report Admin
API Access Management Admin
Group Membership Admin

Access Requests Admin

Access Certifications Admin

Create realms
View realms designation

Update realms

Delete realms
Update user realms designation (move user from one realm to another)

Move users individually

Bulk move users between realms

Create realms assignment

Setting up a workflow with realms

Workflows

The Okta super admin and the Workflows Administrator role have full administration and management privileges within the Okta Workflows product.

The Workflows Administrator role has no permissions to perform any actions in the Okta Admin Console.

A user or group assigned to the Workflows Administrator role can't grant the Workflows Administrator role to other users or groups in the Okta org. Only an Okta super admin can assign that role through the Okta Admin Console.

All Okta Workflows roles are assigned to users and groups using the Workflows Console, except for the Workflows Administrator role. See Manage Workflow roles.

For a complete summary of the permissions for this role, see Resource permissions.