About role permissions

User permissions

| Permission | Description |
|---|---|
| Manage users | Gives your delegated admin the ability to view, create, edit, and delete all profile and credential information for users. |
| Create users | Gives your delegated admin the ability to create users. |
| Edit users' profile attributes | Gives your delegated admin the ability to only edit the value of their users' profile attributes. However, this permission doesn't allow the delegated admin to create or edit custom attributes from the Profiles page in the Directory, or to manage profile mappings. |
| Edit users' lifecycle states | Gives your delegated admin the ability to manage user lifecycle operations, such as activating, deactivating, reactivating, and suspending users. |
| Activate users | Gives your delegated admin the ability to activate user accounts. |
| Deactivate users | Gives your delegated admin the ability to deactivate user accounts. |
| Suspend users | Gives your delegated admin the ability to suspend users' access to Okta. When a user is suspended, their user sessions are also cleared. |
| Unsuspend users | Gives your delegated admin the ability to restore users' access to Okta. |
| Delete users | Gives your delegated admin the ability to permanently delete user accounts. |
| Unlock users | Gives your delegated admin the ability to unlock users who have been locked out of Okta. |
| Clear users' sessions | Gives your delegated admin the ability to clear all active Okta sessions and OAuth tokens for an end user. |
| Edit users' authenticator operations | Gives your delegated admin the ability to manage users' credential operations, such as resetting passwords and multifactor authentication (MFA), including YubiKey enrollments. |
| Reset users' authenticators | Gives your delegated admin the ability to reset users' MFA authenticators. |
| Reset users' passwords | Gives your delegated admin the ability to reset users' passwords. |
| Set users' temporary password | Gives your delegated admin the ability to expire a user's password and set a new temporary password. |
| View users and their details | Gives your delegated admin the ability to read users' profile and credential information. |
| Edit users' group membership | Gives your delegated admin the ability to manage a user's group membership. Select this permission to grant your delegated admin the ability to add a user to a group. Your delegated admin also needs to have the Manage group membership permission from the Group permissions section for the group they can add a user to. |
| Edit users' application assignments | Gives your delegated admin the ability to manage a user's application assignments. Your delegated admin also needs to have the Edit application's user assignments permission from the Application permissions section to view and select the applications they can add to the user. |

You can use Okta-sourced, AD-sourced, and LDAP-sourced groups as resources. However, the following permissions aren't applicable to AD-sourced and LDAP-sourced groups:
- Create users
- Manage users' authenticator operations
- Edit users' profile attributes
- Manage group membership

Group permissions

| Permission | Description |
|---|---|
| Manage groups | Gives your delegated admin the ability to view, create, edit, and delete groups in your Okta organization. |
| Create groups | Gives your delegated admin the ability to create groups, provided that their admin role assignment is constrained to the entire org. |
| View groups | Gives your delegated admin the ability to only view groups and the users and applications assigned to those groups in your Okta organization. |
| Manage group membership | Gives your delegated admin the ability to view, edit, and delete user membership within groups in your Okta organization. Your delegated admin also needs to have the Edit users' group membership permission from the User permissions section to view and select which users they can add to the group. |
| Edit group's application assignments | Gives your delegated admin the ability to manage a group's application assignments. Your delegated admin also needs to have the Edit application's user assignments permission from the Application permissions section to view and select the applications they can add to the group. |

Application permissions

| Permission | Description |
|---|---|
| Manage applications | Gives your delegated admin the ability to view, create, edit, and delete applications in your Okta organization. |
| View applications and their details | Gives your delegated admin the ability to only view applications assigned to your Okta organization. |
| View provisioning error tasks | Gives your delegated admin the ability to view the following provisioning error tasks: See Monitor your tasks. |
| Edit application's user assignments | Gives your delegated admin the ability to manage the users assigned to the application. Your delegated admin also needs to have either the Edit group's application assignments permission from the Group permissions section or the Edit users' application assignments permission from the User permissions section to view and select which users or groups of users they can add to the application. |

Profile source permissions

| Permission | Description |
|---|---|
| Run imports | Gives your delegated admin the ability to run imports for apps with a profile source, such as HRaaS and AD/LDAP apps. Admins with this permission can create users through the import. Your delegated admin will need the Edit users' profile attributes permission from the User permissions section to modify any existing users who are included in the import. |

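The User, Group, Application, and Profile source tables above each state companion permissions that a delegated admin needs from another section, and the note under the User permissions table lists permissions that have no effect on AD- or LDAP-sourced groups. The following least-privilege check encodes those rules so a proposed custom role can be audited before assignment; it is an added example, not Okta's code or API, the operation labels are assumed, and the permission strings are this page's display names with straight apostrophes.

```python
"""Audit an Okta custom admin role's permission set against the
companion-permission rules stated on this page (added example)."""
from __future__ import annotations
from dataclasses import dataclass, field

# Each operation and the permissions the page says it requires, by section:
# User + Group for group membership, Application + User/Group for app
# assignment, Profile source + User for modifying existing users via import.
OPERATION_RULES: dict[str, set[str]] = {
    "add user to group": {"Edit users' group membership", "Manage group membership"},
    "assign app to user": {"Edit users' application assignments",
                           "Edit application's user assignments"},
    "assign app to group": {"Edit group's application assignments",
                            "Edit application's user assignments"},
    "update existing users via import": {"Run imports",
                                         "Edit users' profile attributes"},
}

# Per the page, these permissions aren't applicable when the role's resource
# is an AD-sourced or LDAP-sourced group.
NOT_APPLICABLE_TO_DIRECTORY_GROUPS: set[str] = {
    "Create users", "Manage users' authenticator operations",
    "Edit users' profile attributes", "Manage group membership",
}


@dataclass
class RoleCheck:
    operation: str
    missing: set[str] = field(default_factory=set)      # required but not granted
    ineffective: set[str] = field(default_factory=set)  # granted but no effect here

    @property
    def allowed(self) -> bool:
        return not self.missing and not self.ineffective


def check_operation(granted: set[str], operation: str,
                    group_source: str = "okta") -> RoleCheck:
    """Report what blocks `operation` for a role holding `granted` permissions.
    `group_source` is the source of the group the role is constrained to."""
    required = OPERATION_RULES[operation]
    ineffective: set[str] = set()
    if group_source.lower() in ("ad", "ldap"):
        ineffective = required & NOT_APPLICABLE_TO_DIRECTORY_GROUPS
    return RoleCheck(operation, missing=required - granted, ineffective=ineffective)


def excess_permissions(granted: set[str], intended_operations: list[str]) -> set[str]:
    """Permissions in the role that none of the intended operations need;
    candidates for removal under least privilege."""
    needed: set[str] = set().union(*(OPERATION_RULES[op] for op in intended_operations))
    return granted - needed
```

`check_operation` flags both halves of a companion rule, so a role built from only one table shows up as missing the other section's permission rather than silently failing at runtime.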
Workflow permissions

| Permission | Description |
|---|---|
| Run delegated flow | Gives your delegated admin the ability to run flows from within the Admin Console. |
| View delegated flow | Gives your delegated admin the ability to only view flows from within the Admin Console. Early Access release. See Manage Early Access and Beta features. |

Authorization server permissions

| Permission | Description |
|---|---|
| Manage authorization server | Gives your delegated admin the ability to view, create, edit, and delete authorization servers in your Okta organization. |
| View authorization server | Gives your delegated admin the ability to only view the authorization servers in your Okta organization. |

Customization permissions

| Permission | Description |
|---|---|
| Manage customizations | Gives your delegated admin the ability to view, create, edit, and delete branding customizations in your Okta organization. |
| View customizations | Gives your delegated admin the ability to only view the branding customizations in your Okta organization. |

Directories permissions

| Permission | Description |
|---|---|
| Manage directories | Gives your delegated admin the ability to view, create, edit, and delete directory integration applications in your Okta organization. Managing application user assignments and running imports for such applications may require additional permissions for users and groups. |
| View directories | Gives your delegated admin the ability to only view the directory integration applications and their details. |

Identity provider permissions

Early Access release. See Manage Early Access and Beta features.

| Permission | Description |
|---|---|
| Manage identity providers | Gives your delegated admin the ability to view, create, edit, and delete IdP configurations. |
| View identity providers | Gives your delegated admin the ability to only view IdP configurations. |

Devices permissions

Early Access release. See Manage Early Access and Beta features.

| Permission | Description |
|---|---|
| Manage devices | Gives your delegated admin the ability to view, suspend, unsuspend, activate, deactivate, and delete devices in your Okta organization. |
| View devices | Gives your delegated admin the ability to view devices in your Okta organization. |
| Activate devices | Gives your delegated admin the ability to view and activate devices in your Okta organization. |
| Deactivate devices | Gives your delegated admin the ability to view and deactivate devices in your Okta organization. If your delegated admin deactivates a device, enrolled factors on the device are deactivated and users must re-enroll factors on the device when it's activated. See Device lifecycle for more information about deactivating and reactivating devices. |
| Suspend devices | Gives your delegated admin the ability to view and suspend devices in your Okta organization. |
| Unsuspend devices | Gives your delegated admin the ability to view and unsuspend devices in your Okta organization. |
| Delete devices | Gives your delegated admin the ability to view and delete devices in your Okta organization. |