Set up partner admins for Secure Partner Access
Early Access release
To grant partner admins permission to manage a Secure Partner Access portal, you must complete the following tasks:
Restrict access to the Okta Admin Console
Okta admins have access to the Okta Admin Console by default. However, some admins, such as Secure Partner Access portal admins, may not require access to the Admin Console. As a super admin, you can allow or deny a partner admin access to the Admin Console. You can remove the Admin Console app from partner admins who don't need it while retaining their admin privileges for the portal that they're assigned to.
If partner admins were created before access to the Okta Admin Console was restricted, the Admin Console app remains assigned to them. You must remove those partner admins from the Admin Console manually. Restricting access to the Admin Console applies only to admins created after the admin role assignment is configured.
To restrict Admin Console access, follow the steps in Restrict access to the Admin Console.
Customize your partner admin roles
When Secure Partner Access is enabled in your org, the page in the Admin Console displays a default Partner admin role. The role has all the permissions that partner admins need to manage a portal. You can modify the permissions for this role, but Okta recommends that you don't add permissions to it.
See Secure Partner Access permissions to see the permissions that are granted to the role. To modify the role, follow the steps in Edit a role.
Assign users to the role
To delegate permissions to a partner admin, you must complete the following tasks:
- Create a resource set. Add the realms that are part of the resource set. Okta doesn't recommend adding Secure Partner Access users to partner realms, as partner admins have management rights over those realms.
- Create an admin assignment using the Partner admin role:
For additional information about the permissions you can grant to partner admins, see Secure Partner Access permissions.
Review attribute-based access control practices
Although delegated partner admins can't view, create, or edit group rules, those rules still apply to partner users, because partner users are evaluated like any other user in Okta. A partner admin with permission to edit users can assign values to the attributes that group rules evaluate. This can place partner users in groups they shouldn't belong to, potentially granting them unauthorized access to apps, groups, and entitlements.
To mitigate this risk, you can take the following steps:
- Use attribute conditions in the custom admin role to prevent partner admins from editing or assigning values to attributes linked to group rules. See Permission conditions.
- Optionally, set default values for custom attributes. This gives you precise control over which admins in your org can perform specific actions. See Add custom attributes to an Okta user profile.
- Revise the group rules to ensure that partner users are excluded. See Edit group rules.
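The following Python model is an added example, not Okta's code or the page's own. It simulates the risk described above (a partner admin edits an attribute that a group rule evaluates, and the partner user lands in an internal group) and two of the mitigations listed: an attribute condition that excludes rule-linked attributes from the partner admin's edit rights, and a group rule revised to skip partner realms. The rule shape, the role condition, the realm name and the sample profile are all constructed for the example; the permission-condition logic is a simplified assumption about how such a condition behaves, not Okta's implementation.

```python
"""
Constructed model (not Okta's code) of the attribute-based access risk above.

Group rules evaluate user profile attributes. An admin allowed to edit those
attributes can move a user into a group the admin never sees. The model shows
the unrestricted case, then an attribute condition, then a revised group rule.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class GroupRule:
    """IF <attribute> == <equals> THEN add to <target_group>; optionally skip realms."""
    name: str
    attribute: str
    equals: str
    target_group: str
    excluded_realms: frozenset = frozenset()


@dataclass(frozen=True)
class AdminRole:
    """A role with user-edit permission. excluded_attributes stands in for an
    'exclude these attributes' permission condition (assumption: simplified shape)."""
    name: str
    excluded_attributes: frozenset = frozenset()


def rule_linked_attributes(rules):
    """Every attribute some group rule depends on: the set a partner admin must not set."""
    return frozenset(r.attribute for r in rules)


def admin_may_set(role, attribute):
    return attribute not in role.excluded_attributes


def apply_edit(role, profile, attribute, value):
    """Return a copy of the profile with the edit applied, or raise if the condition blocks it."""
    if not admin_may_set(role, attribute):
        raise PermissionError(f"{role.name} may not set '{attribute}'")
    updated = dict(profile)
    updated[attribute] = value
    return updated


def evaluate_rules(rules, profile):
    """Groups the profile is placed in by the rules (realm exclusions are honoured)."""
    groups = set()
    for r in rules:
        if profile.get("realm") in r.excluded_realms:
            continue
        if profile.get(r.attribute) == r.equals:
            groups.add(r.target_group)
    return groups


# Constructed sample data: one internal group rule and one partner user.
RULES = [GroupRule("eng-apps", "department", "Engineering", "Engineering Apps")]
PARTNER_USER = {"login": "jdoe@partner.example", "realm": "partner-realm", "department": "External"}


def scenario_unrestricted():
    """Partner admin with unconditioned edit rights places the partner user in an internal group."""
    role = AdminRole("Partner admin (no condition)")
    edited = apply_edit(role, PARTNER_USER, "department", "Engineering")
    return evaluate_rules(RULES, edited)


def scenario_attribute_condition():
    """Exclude every rule-linked attribute from the partner admin's edit rights; the edit is refused."""
    role = AdminRole("Partner admin", excluded_attributes=rule_linked_attributes(RULES))
    try:
        apply_edit(role, PARTNER_USER, "department", "Engineering")
        return "edit allowed"
    except PermissionError:
        return "edit refused"


def scenario_revised_rule():
    """Even when the attribute is changed, a rule revised to skip the partner realm does not fire."""
    revised = [GroupRule("eng-apps", "department", "Engineering", "Engineering Apps",
                         excluded_realms=frozenset({"partner-realm"}))]
    role = AdminRole("Partner admin (no condition)")
    edited = apply_edit(role, PARTNER_USER, "department", "Engineering")
    return evaluate_rules(revised, edited)


if __name__ == "__main__":
    print("unrestricted:", scenario_unrestricted())               # {'Engineering Apps'}
    print("attribute condition:", scenario_attribute_condition())  # edit refused
    print("revised rule:", scenario_revised_rule())                # set()
```

The useful check for a real org is the one `rule_linked_attributes` performs: derive the exclude list of the partner admin's attribute condition from the attributes your group rules actually reference, and re-derive it whenever a group rule is added or edited, so the condition never silently falls behind the rules.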