Permissions allow the principal to perform tasks and access resources in Okta. When you create a custom role, you can define a specific set of permissions to access specific resources. Principals assigned to the custom role are limited to the specific permissions and resources defined.
See the permissions catalog for a complete set of Okta permissions. Each permission entry describes the permission with references to applicable resources, included permissions, and related permissions:
Applicable resources: Resources that apply to the granted permission. For example, the okta.users.read permission grants you access to read Okta user resources.
Included permissions: Permissions that are implicitly granted through the main permission. For example, the okta.agents.manage permission also includes the okta.agents.read permission. Therefore, if you grant the okta.agents.manage permission to a user, the user is also granted the okta.agents.read permission.
Related permissions: Okta recommends that you grant any related permission along with the main permission for the typical use case requiring the main permission. The principal may experience unintended behaviors if you don't also grant the related permission.
Some Okta API resource operations indicate the permissions required to access the operation for common use cases. See IAM access to API resources.
Notes:
You can also add conditions to certain permissions. These conditions modify which attributes an admin with a custom role can create, see, or edit in a user profile. See Permission conditions.
You can add conditions if the custom admin role has one of the following permissions:
The following permissions are supported in Okta.
| |
|---|
| Description | Allows the admin to manage integration agent communication and integration agent updates |
| Applicable resources | All integration agents |
| Included permissions | okta.agents.read |
| |
|---|
| Description | Allows the admin to download integration agents and view integration agent statuses |
| Applicable resources | All integration agents |
| |
|---|
| Description | Allows the admin to register integration agents and domains |
| Applicable resources | All integration agents |
| Related permissions | okta.agents.manage |
| |
|---|
| Description | Allows the admin to manage assignment operations of an app in your Okta org and view the following provisioning errors: app assignment, group push mapping, and Error Profile push updates. |
| Applicable resources | All apps, all apps of a specific type, a specific app |
| |
|---|
| Description | Allows the admin to view information about client credentials for the app |
| Applicable resources | All apps, all apps of a specific type, a specific app |
| |
|---|
| Description | Allows the admin to manage first-party apps |
| Applicable resources | All access requests |
| Related permissions | okta.apps.read |
| |
|---|
| Description | Allows the admin to only read information about apps and their members in your Okta org |
| Applicable resources | All apps, all apps of a specific type, a specific app |
| |
|---|
| Description | Allows the admin to manage universal logout settings for apps |
| Applicable resources | All apps, all apps of a specific type, a specific app |
| Included permissions | okta.apps.universalLogout.read |
| Release Version | 2025.11.0 |
| |
|---|
| Description | Allows the admin to view universal logout settings for apps |
| Applicable resources | All apps, all apps of a specific type, a specific app |
| Release Version | 2025.11.0 |
| |
|---|
| Description | Allows the admin to manage authorization servers |
| Applicable resources | All authorization servers, a specific authorization server |
| |
|---|
| Description | Allows the admin to read authorization servers |
| Applicable resources | All authorization servers, a specific authorization server |
| |
|---|
| Description | Allows the admin to manage customizations |
| Applicable resources | All customizations |
| Included permissions | okta.customizations.read |
| |
|---|
| Description | Allows the admin to read customizations |
| Applicable resources | All customizations |
| |
|---|
| Description | Allows the admin to activate devices |
| Applicable resources | All devices |
| |
|---|
| Description | Allows the admin to deactivate devices. When you deactivate a device, it loses all device user links. |
| Applicable resources | All devices |
| |
|---|
| Description | Allows the admin to permanently delete devices |
| Applicable resources | All devices |
| |
|---|
| Description | Allows the admin to suspend device access to Okta |
| Applicable resources | All devices |
| |
|---|
| Description | Allows the admin to unsuspend and restore device access to Okta |
| Applicable resources | All devices |
| |
|---|
| Description | Allows the admin to read device details |
| Applicable resources | All devices |
| |
|---|
| Description | Allows the admin to manage all directory integration settings of an app instance |
| Applicable resources | All directory integrations, a specific type of directory integration, a specific directory integration |
| Included permissions | okta.directories.read |
| |
|---|
| Description | Allows the admin to view the directory integration settings of an app instance |
| Applicable resources | All directory integrations, a specific type of directory integration, a specific directory integration |
| |
|---|
| Description | Allows the admin to manage event hooks in your Okta org |
| Applicable resources | All event hooks |
| Included permissions | okta.eventhooks.read |
| Release Version | 2025.12.0 |
| |
|---|
| Description | Allows the admin to view event hooks in your Okta org |
| Applicable resources | All event hooks |
| Release Version | 2025.12.0 |
| |
|---|
| Description | Allows the admin to view and manage access certification campaigns |
| Applicable resources | All access certifications |
| |
|---|
| Description | Allows the admin to view and manage access requests |
| Applicable resources | All access requests |
| |
|---|
| Description | Allows the admin to create, update, delete and assign labels in your org |
| Applicable resources | All apps, all groups, all governance collections, all entitlement bundles, all entitlement values |
| Included permissions | okta.governance.labels.read |
| Release Version | 2025.12.0 |
| |
|---|
| Description | Allows the admin to view labeled resources in your org. |
| Applicable resources | All apps, all groups, all governance collections, all entitlement bundles, all entitlement values |
| Release Version | 2025.12.0 |
| |
|---|
| Description | Allows the admin to manage a group's app assignment (also need okta.apps.assignment.manage to assign to a specific app) |
| Applicable resources | All groups, a specific group |
| |
|---|
| Description | Allows the admin to create groups |
| Applicable resources | All groups |
| |
|---|
| Description | Allows the admin to only manage member operations in a group in your Okta org |
| Applicable resources | All groups, a specific group |
| Related permissions | okta.users.groupMembership.manage |
| |
|---|
| Description | Allows the admin to only read information about groups and their members in your Okta org |
| Applicable resources | All groups, a specific group |
| |
|---|
| Description | Allows the admin to view roles, resources, and admin assignments |
| Applicable resources | All Identity and Access Management resources |
| |
|---|
| Description | Allows the admin to manage Identity Providers |
| Applicable resources | All Identity Providers |
| Included permissions | okta.identityProviders.read |
| |
|---|
| Description | Allows the admin to read Identity Providers |
| Applicable resources | All Identity Providers |
| |
|---|
| Description | Allows the admin to manage inline hooks in your Okta org |
| Applicable resources | All inline hooks |
| Included permissions | okta.inlinehooks.read |
| Release Version | 2025.12.0 |
| |
|---|
| Description | Allows the admin to view inline hooks in your Okta org |
| Applicable resources | All inline hooks |
| Release Version | 2025.12.0 |
| |
|---|
| Description | Allows the admin to manage policies |
| Applicable resources | All policies |
| Included permissions | okta.policies.read |
| Release Version | 2025.05.0 |
| |
|---|
| Description | Allows the admin to view any policy |
| Applicable resources | All policies |
| Release Version | 2025.05.0 |
| |
|---|
| Description | Allows the admin to run imports for apps with a profile source, such as HRaaS and AD/LDAP apps. Admins with this permission can create users through the import. |
| Applicable resources | All apps, all apps of a specific type, a specific app |
| |
|---|
| Description | Allows the admin to view, create, and manage realms |
| Applicable resources | All realm resources |
| Included permissions | okta.realms.read |
| |
|---|
| Description | Allows the admin to view realms |
| Applicable resources | All realm resources |
| |
|---|
| Description | Allows the admin to manage shared signals framework receivers |
| Applicable resources | All shared signals framework receivers |
| Included permissions | okta.ssf.securityEventsProviders.read |
| Release Version | 2025.05.0 |
| |
|---|
| Description | Allows the admin to view shared signals framework receivers |
| Applicable resources | All shared signals framework receivers |
| Release Version | 2025.05.0 |
| |
|---|
| Description | Allows the admin to view, create, and manage Okta Support cases |
| Applicable resources | All Okta Support cases opened by the admin |
| |
|---|
| Description | Allows the admin to clear user API tokens |
| Applicable resources | All users, all users within a specific group |
| Release Version | 2025.05.0 |
| |
|---|
| Description | Allows the admin to view API tokens |
| Applicable resources | All users, all users within a specific group |
| |
|---|
| Description | Allows the admin to manage a user's app assignment (also need okta.apps.assignment.manage to assign to a specific app) |
| Applicable resources | All users, all users within a specific group |
| |
|---|
| Description | Allows the admin to create users. If the admin is also scoped to manage a group, that admin can add the user to the group on creation and then manage. |
| Applicable resources | All groups, a specific group |
| |
|---|
| Description | Allows the admin to expire a user's password and set a new temporary password |
| Applicable resources | All users, all users within a specific group |
| |
|---|
| Description | Allows admin to view, create and delete a user's temporary access code |
| Applicable resources | All users, all users within a specific group |
| Release Version | 2025.07.2 |
| |
|---|
| Description | Allows the admin to reset MFA authenticators for users |
| Applicable resources | All users, all users within a specific group |
| |
|---|
| Description | Allows the admin to reset passwords for users |
| Applicable resources | All users, all users within a specific group |
| |
|---|
| Description | Allows the admin to manage a user's group membership (also need okta.groups.members.manage to assign to a specific group) |
| Applicable resources | All users, all users within a specific group |
| Related permissions | okta.groups.members.manage |
| |
|---|
| Description | Allows the admin to activate user accounts |
| Applicable resources | All users, all users within a specific group |
| |
|---|
| Description | Allows the admin to clear all active Okta sessions and OAuth 2.0 tokens for a user |
| Applicable resources | All users, all users within a specific group |
| |
|---|
| Description | Allows the admin to deactivate user accounts |
| Applicable resources | All users, all users within a specific group |
| |
|---|
| Description | Allows the admin to permanently delete user accounts |
| Applicable resources | All users, all users within a specific group |
| |
|---|
| Description | Allows the admin to suspend user access to Okta. When a user is suspended, their user sessions are also cleared. |
| Applicable resources | All users, all users within a specific group |
| |
|---|
| Description | Allows the admin to unlock users who have been locked out of Okta |
| Applicable resources | All users, all users within a specific group |
| |
|---|
| Description | Allows the admin to restore user access to Okta |
| Applicable resources | All users, all users within a specific group |
| |
|---|
| Description | Allows the admin to create and manage users and read all profile and credential information for users. Delegated admins with this permission can only manage user credential fields and not the credential values themselves. |
| Applicable resources | All users, all users within a specific group |
| Included permissions | okta.users.create, okta.users.read |
| |
|---|
| Description | Allows the admin to read any user's profile and credential information. Delegated admins with this permission can only manage user credential fields and not the credential values themselves. |
| Applicable resources | All users, all users within a specific group |
| |
|---|
| Description | Allows the admin to provide user risk feedback and elevate user risk |
| Applicable resources | All users, all users within a specific group |
| Included permissions | okta.users.risk.read |
| Release Version | 2025.05.0 |
| |
|---|
| Description | Allows the admin to view user risk |
| Applicable resources | All users, all users within a specific group |
| Release Version | 2025.05.0 |
| |
|---|
| Description | Allows the admin to only perform operations on the user object, including hidden and sensitive attributes |
| Applicable resources | All users, all users within a specific group |
| Included permissions | okta.users.userprofile.read |
| |
|---|
| Description | Allows the admin to view profile of a user |
| Applicable resources | All users, all users within a specific group |
| Release Version | 2025.08.0 |
| |
|---|
| Description | Allows the admin to view and run delegated flows |
| Applicable resources | All delegated flows, a specific delegated flow |
| |
|---|
| Description | Allows the admin to view delegated flows |
| Applicable resources | All delegated flows, a specific delegated flow |