Permissions

Permissions allow the principal to perform tasks and access resources in Okta. When you create a custom role, you can define a specific set of permissions to access specific resources. Principals assigned to the custom role are limited to the specific permissions and resources defined.

See the permissions catalog for a complete set of Okta permissions. Each permission entry describes the permission with references to applicable resources, included permissions, and related permissions:

Applicable resources: Resources that apply to the granted permission. For example, the okta.users.read permission grants you access to read Okta user resources.
Included permissions: Permissions that are implicitly granted through the main permission. For example, the okta.agents.manage permission also includes the okta.agents.read permission. Therefore, if you grant the okta.agents.manage permission to a user, the user is also granted the okta.agents.read permission.
Related permissions: Okta recommends that you grant any related permission along with the main permission for the typical use case requiring the main permission. The principal may experience unintended behaviors if you don't also grant the related permission.

Some Okta API resource operations indicate the permissions required to access the operation for common use cases. See IAM access to API resources.

Notes:
Governance permissions are only supported as part of the IAM-based standard roles. You can't use these to create or update custom roles.
The okta.apps.manageFirstPartyApps permission is only supported as part of some IAM-based standard roles. You can't use it to create or update custom roles.
The okta.devices.* permissions are self-service Early Access. Turn on the Enable custom admin roles for device permissions feature from the Settings > Feature page in the Admin Console to access these permissions. See Enable self-service features.

Permissions conditions

You can also add conditions to certain permissions. These conditions modify which attributes an admin with a custom role can create, see, or edit in a user profile. See Permission conditions.

You can add conditions if the custom admin role has one of the following permissions:

Permissions catalog

The following permissions are supported in Okta.

okta.agents.manage


Description	Allows the admin to manage agent communication and agent updates
Applicable resources	All agents
Included permissions	okta.agents.read

okta.agents.read


Description	Allows the admin to download agents and view agent statuses
Applicable resources	All agents

okta.agents.register


Description	Allows the admin to register agents and domains
Applicable resources	All agents
Related permissions	okta.agents.manage

okta.apps.assignment.manage


Description	Allows the admin to manage assignment operations of an app in your Okta org and view the following provisioning errors: app assignment, group push mapping, and Error Profile push updates.
Applicable resources	All apps, all apps of a specific type, a specific app

okta.apps.clientCredentials.read


Description	Allows the admin to view information about client credentials for the app
Applicable resources	All apps, all apps of a specific type, a specific app

okta.apps.manage


Description	Allows the admin to fully manage apps and their members in your Okta org
Applicable resources	All apps, all apps of a specific type, a specific app
Included permissions	okta.apps.read, okta.apps.assignment.manage, okta.apps.clientCredentials.read

okta.apps.manageFirstPartyApps


Description	Allows the admin to manage first-party apps
Applicable resources	All access requests
Related permissions	okta.apps.read

okta.apps.read


Description	Allows the admin to only read information about apps and their members in your Okta org
Applicable resources	All apps, all apps of a specific type, a specific app

okta.apps.universalLogout.manage


Description	Allows the admin to manage universal logout settings for apps
Applicable resources	All apps, all apps of a specific type, a specific app
Included permissions	okta.apps.universalLogout.read
Release Version	2025.11.0

okta.apps.universalLogout.read


Description	Allows the admin to view universal logout settings for apps
Applicable resources	All apps, all apps of a specific type, a specific app
Release Version	2025.11.0

okta.authzServers.manage


Description	Allows the admin to manage authorization servers
Applicable resources	All authorization servers, a specific authorization server

okta.authzServers.read


Description	Allows the admin to read authorization servers
Applicable resources	All authorization servers, a specific authorization server

okta.customizations.manage


Description	Allows the admin to manage customizations
Applicable resources	All customizations
Included permissions	okta.customizations.read

okta.customizations.read


Description	Allows the admin to read customizations
Applicable resources	All customizations

okta.devices.lifecycle.activate


Description	Allows the admin to activate devices
Applicable resources	All devices

okta.devices.lifecycle.deactivate


Description	Allows the admin to deactivate devices. When you deactivate a device, it loses all device user links.
Applicable resources	All devices

okta.devices.lifecycle.delete


Description	Allows the admin to permanently delete devices
Applicable resources	All devices

okta.devices.lifecycle.manage


Description	Allows the admin to perform any device lifecycle operations
Applicable resources	All devices
Included permissions	okta.devices.lifecycle.activate, okta.devices.lifecycle.deactivate, okta.devices.lifecycle.suspend, okta.devices.lifecycle.unsuspend, okta.devices.lifecycle.delete

okta.devices.lifecycle.suspend


Description	Allows the admin to suspend device access to Okta
Applicable resources	All devices

okta.devices.lifecycle.unsuspend


Description	Allows the admin to unsuspend and restore device access to Okta
Applicable resources	All devices

okta.devices.manage


Description	Allows the admin to manage devices and perform all device lifecycle operations
Applicable resources	All devices
Included permissions	okta.devices.read, okta.devices.lifecycle.manage

okta.devices.read


Description	Allows the admin to read device details
Applicable resources	All devices

okta.directories.manage


Description	Allows the admin to manage all directory integration settings of an app instance
Applicable resources	All directory integrations, a specific type of directory integration, a specific directory integration
Included permissions	okta.directories.read

okta.directories.read


Description	Allows the admin to view the directory integration settings of an app instance
Applicable resources	All directory integrations, a specific type of directory integration, a specific directory integration

okta.eventhooks.manage


Description	Allows the admin to manage event hooks in your Okta org
Applicable resources	All event hooks
Included permissions	okta.eventhooks.read
Release Version	2025.12.0

okta.eventhooks.read


Description	Allows the admin to view event hooks in your Okta org
Applicable resources	All event hooks
Release Version	2025.12.0

okta.governance.accessCertifications.manage


Description	Allows the admin to view and manage access certification campaigns
Applicable resources	All access certifications

okta.governance.accessRequests.manage


Description	Allows the admin to view and manage access requests
Applicable resources	All access requests

okta.governance.labels.manage


Description	Allows the admin to create, update, delete and assign labels in your org
Applicable resources	All apps, all groups, all governance collections, all entitlement bundles, all entitlement values
Included permissions	okta.governance.labels.read
Release Version	2025.12.0

okta.governance.labels.read


Description	Allows the admin to view labeled resources in your org.
Applicable resources	All apps, all groups, all governance collections, all entitlement bundles, all entitlement values
Release Version	2025.12.0

okta.groups.appAssignment.manage


Description	Allows the admin to manage a group's app assignment (also need `okta.apps.assignment.manage` to assign to a specific app)
Applicable resources	All groups, a specific group

okta.groups.create


Description	Allows the admin to create groups
Applicable resources	All groups

okta.groups.manage


Description	Allows the admin to fully manage groups in your Okta org
Applicable resources	All groups, a specific group
Included permissions	okta.groups.create, okta.groups.read, okta.groups.members.manage, okta.groups.appAssignment.manage

okta.groups.members.manage


Description	Allows the admin to only manage member operations in a group in your Okta org
Applicable resources	All groups, a specific group
Related permissions	okta.users.groupMembership.manage

okta.groups.read


Description	Allows the admin to only read information about groups and their members in your Okta org
Applicable resources	All groups, a specific group

okta.iam.read


Description	Allows the admin to view roles, resources, and admin assignments
Applicable resources	All Identity and Access Management resources

okta.identityProviders.manage


Description	Allows the admin to manage Identity Providers
Applicable resources	All Identity Providers
Included permissions	okta.identityProviders.read

okta.identityProviders.read


Description	Allows the admin to read Identity Providers
Applicable resources	All Identity Providers

okta.inlinehooks.manage


Description	Allows the admin to manage inline hooks in your Okta org
Applicable resources	All inline hooks
Included permissions	okta.inlinehooks.read
Release Version	2025.12.0

okta.inlinehooks.read


Description	Allows the admin to view inline hooks in your Okta org
Applicable resources	All inline hooks
Release Version	2025.12.0

okta.policies.manage


Description	Allows the admin to manage policies
Applicable resources	All policies
Included permissions	okta.policies.read
Release Version	2025.05.0

okta.policies.read


Description	Allows the admin to view any policy
Applicable resources	All policies
Release Version	2025.05.0

okta.profilesources.import.run


Description	Allows the admin to run imports for apps with a profile source, such as HRaaS and AD/LDAP apps. Admins with this permission can create users through the import.
Applicable resources	All apps, all apps of a specific type, a specific app

okta.realms.manage


Description	Allows the admin to view, create, and manage realms
Applicable resources	All realm resources
Included permissions	okta.realms.read

okta.realms.read


Description	Allows the admin to view realms
Applicable resources	All realm resources

okta.ssf.securityEventsProviders.manage


Description	Allows the admin to manage shared signals framework receivers
Applicable resources	All shared signals framework receivers
Included permissions	okta.ssf.securityEventsProviders.read
Release Version	2025.05.0

okta.ssf.securityEventsProviders.read


Description	Allows the admin to view shared signals framework receivers
Applicable resources	All shared signals framework receivers
Release Version	2025.05.0

okta.support.cases.manage


Description	Allows the admin to view, create, and manage Okta Support cases
Applicable resources	All Okta Support cases opened by the admin

okta.users.apitokens.clear


Description	Allows the admin to clear user API tokens
Applicable resources	All users, all users within a specific group
Release Version	2025.05.0

okta.users.apitokens.manage


Description	Allows the admin to manage API tokens
Applicable resources	All users, all users within a specific group
Included permissions	okta.users.apitokens.read, okta.users.apitokens.clear

okta.users.apitokens.read


Description	Allows the admin to view API tokens
Applicable resources	All users, all users within a specific group

okta.users.appAssignment.manage


Description	Allows the admin to manage a user's app assignment (also need `okta.apps.assignment.manage` to assign to a specific app)
Applicable resources	All users, all users within a specific group

okta.users.create


Description	Allows the admin to create users. If the admin is also scoped to manage a group, that admin can add the user to the group on creation and then manage.
Applicable resources	All groups, a specific group

okta.users.credentials.expirePassword


Description	Allows the admin to expire a user's password and set a new temporary password
Applicable resources	All users, all users within a specific group

okta.users.credentials.manage


Description	Allows the admin to manage only credential lifecycle operations for a user
Applicable resources	All users, all users within a specific group
Included permissions	okta.users.credentials.resetFactors, okta.users.credentials.resetPassword, okta.users.credentials.expirePassword

okta.users.credentials.manageTemporaryAccessCode


Description	Allows admin to view, create and delete a user's temporary access code
Applicable resources	All users, all users within a specific group
Release Version	2025.07.2

okta.users.credentials.resetFactors


Description	Allows the admin to reset MFA authenticators for users
Applicable resources	All users, all users within a specific group

okta.users.credentials.resetPassword


Description	Allows the admin to reset passwords for users
Applicable resources	All users, all users within a specific group

okta.users.groupMembership.manage


Description	Allows the admin to manage a user's group membership (also need `okta.groups.members.manage` to assign to a specific group)
Applicable resources	All users, all users within a specific group
Related permissions	okta.groups.members.manage

okta.users.lifecycle.activate


Description	Allows the admin to activate user accounts
Applicable resources	All users, all users within a specific group

okta.users.lifecycle.clearSessions


Description	Allows the admin to clear all active Okta sessions and OAuth 2.0 tokens for a user
Applicable resources	All users, all users within a specific group

okta.users.lifecycle.deactivate


Description	Allows the admin to deactivate user accounts
Applicable resources	All users, all users within a specific group

okta.users.lifecycle.delete


Description	Allows the admin to permanently delete user accounts
Applicable resources	All users, all users within a specific group

okta.users.lifecycle.manage


Description	Allows the admin to perform any user lifecycle operations
Applicable resources	All users, all users within a specific group
Included permissions	okta.users.lifecycle.activate, okta.users.lifecycle.deactivate, okta.users.lifecycle.suspend, okta.users.lifecycle.unsuspend, okta.users.lifecycle.delete, okta.users.lifecycle.unlock, okta.users.lifecycle.clearSessions

okta.users.lifecycle.suspend


Description	Allows the admin to suspend user access to Okta. When a user is suspended, their user sessions are also cleared.
Applicable resources	All users, all users within a specific group

okta.users.lifecycle.unlock


Description	Allows the admin to unlock users who have been locked out of Okta
Applicable resources	All users, all users within a specific group

okta.users.lifecycle.unsuspend


Description	Allows the admin to restore user access to Okta
Applicable resources	All users, all users within a specific group

okta.users.manage


Description	Allows the admin to create and manage users and read all profile and credential information for users. Delegated admins with this permission can only manage user credential fields and not the credential values themselves.
Applicable resources	All users, all users within a specific group
Included permissions	okta.users.create, okta.users.read

okta.users.read


Description	Allows the admin to read any user's profile and credential information. Delegated admins with this permission can only manage user credential fields and not the credential values themselves.
Applicable resources	All users, all users within a specific group

okta.users.risk.manage


Description	Allows the admin to provide user risk feedback and elevate user risk
Applicable resources	All users, all users within a specific group
Included permissions	okta.users.risk.read
Release Version	2025.05.0

okta.users.risk.read


Description	Allows the admin to view user risk
Applicable resources	All users, all users within a specific group
Release Version	2025.05.0

okta.users.userprofile.manage


Description	Allows the admin to only perform operations on the user object, including hidden and sensitive attributes
Applicable resources	All users, all users within a specific group
Included permissions	okta.users.userprofile.read

okta.users.userprofile.read


Description	Allows the admin to view profile of a user
Applicable resources	All users, all users within a specific group
Release Version	2025.08.0

okta.workflows.invoke


Description	Allows the admin to view and run delegated flows
Applicable resources	All delegated flows, a specific delegated flow

okta.workflows.read


Description	Allows the admin to view delegated flows
Applicable resources	All delegated flows, a specific delegated flow