Permissions allow the principal to perform tasks and access resources in Okta. When you create a custom role, you can define a specific set of permissions to access specific resources.
Principals assigned to the custom role are limited to the specific permissions and resources defined.
See the permissions catalog for a complete set of Okta permissions. Each permission entry describes the permission with references to applicable resources, included permissions, and related permissions:
Applicable resources: Resources that apply to the granted permission. For example, the okta.users.read permission grants you access to read Okta user resources.
Included permissions: Permissions implicitly granted through the main permission. For example, the okta.agents.manage permission also includes the okta.agents.read permission. Therefore, if you grant the okta.agents.manage permission to a user, the user is also granted the okta.agents.read permission.
Related permissions: Okta recommends that you grant any related permission along with the main permission for the typical use case requiring the main permission. The principal may experience unintended behavior if you don't also grant the related permission.
Some Okta API resource operations indicate the minimum permissions required to access the operation for common use cases. See IAM access to API resources.
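The following helper, added here as an illustration and not Okta's own code, shows how the included/related permission relationships above affect what a custom role actually grants before you send it to the Roles API. The INCLUDED map is a partial catalog containing only the relationship the page states (okta.agents.manage implies okta.agents.read); the RELATED pairing and the okta.governance. prefix used to reject governance permissions are assumptions for illustration. The request bodies target Okta's POST /api/v1/iam/roles and POST /api/v1/iam/resource-sets endpoints, and the group-scoped resource URL form https://{domain}/api/v1/groups/{groupId}/users, which is how "all users within a specific group" is expressed in a resource set.

```python
"""Plan an Okta custom admin role: expand included permissions, flag redundant
and missing-related ones, and build the API payloads.

Added example, not Okta's own code. INCLUDED is a partial catalog taken from
the page; RELATED and GOVERNANCE_PREFIX are assumptions used to illustrate
the checks.
"""
import json

# Partial "included permissions" catalog (from the page: manage implies read).
INCLUDED = {
    "okta.agents.manage": {"okta.agents.read"},
}

# Assumed "related permission" pairing, for illustration only.
RELATED = {
    "okta.users.lifecycle.unsuspend": {"okta.users.read"},
}

# Assumed prefix; the page says governance permissions can't go in custom roles.
GOVERNANCE_PREFIX = "okta.governance."


def expand_permissions(requested):
    """Effective set: the requested permissions plus everything they imply, transitively."""
    effective = set()
    stack = list(requested)
    while stack:
        perm = stack.pop()
        if perm in effective:
            continue
        effective.add(perm)
        stack.extend(INCLUDED.get(perm, ()))
    return effective


def redundant_permissions(requested):
    """Explicitly listed permissions that another requested permission already implies."""
    requested = set(requested)
    implied = set()
    for perm in requested:
        implied |= expand_permissions(INCLUDED.get(perm, ()))
    return requested & implied


def missing_related(requested):
    """Related permissions recommended alongside a requested one that the role lacks."""
    effective = expand_permissions(requested)
    missing = set()
    for perm in requested:
        missing |= RELATED.get(perm, set()) - effective
    return missing


def build_custom_role_payload(label, description, requested):
    """Body for POST /api/v1/iam/roles; rejects governance permissions up front."""
    for perm in requested:
        if perm.startswith(GOVERNANCE_PREFIX):
            raise ValueError(f"{perm}: governance permissions can't be used in custom roles")
    return {
        "label": label,
        "description": description,
        "permissions": sorted(set(requested)),
    }


def build_resource_set_payload(label, description, okta_domain, group_ids):
    """Body for POST /api/v1/iam/resource-sets limiting user permissions to given groups."""
    return {
        "label": label,
        "description": description,
        "resources": [f"https://{okta_domain}/api/v1/groups/{gid}/users" for gid in group_ids],
    }


if __name__ == "__main__":
    # Constructed sample role request.
    wanted = ["okta.agents.manage", "okta.agents.read", "okta.users.lifecycle.unsuspend"]
    print("effective:      ", sorted(expand_permissions(wanted)))
    print("redundant:      ", sorted(redundant_permissions(wanted)))
    print("missing related:", sorted(missing_related(wanted)))
    role = build_custom_role_payload("Agent and unsuspend operator", "Example role", wanted)
    print(json.dumps(role, indent=2))
    scope = build_resource_set_payload("Helpdesk users", "Example scope", "example.okta.com", ["00g1example"])
    print(json.dumps(scope, indent=2))
```

Run the redundancy and related checks before creating the role: a redundant permission is harmless but obscures what the role really grants, while a missing related permission is the case the page warns about. The resource-set payload is what limits the user permissions to a group rather than all users; the role and resource set are then tied to the principal with a binding.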
Notes:
Governance permissions are currently only supported as part of the IAM-based standard roles. You can't use these to create or update custom roles.
The okta.devices.* permissions are self-service Early Access. Turn on the Enable custom admin roles for device permissions feature from the Settings > Feature page in the Admin Console to access these permissions. See Enable self-service features.
Permissions catalog
The following permissions are supported in Okta.
okta.agents.manage
Description
Allows the admin to manage agent communication and agent updates
Allows the admin to manage assignment operations of an app in your Okta org and view the following provisioning errors: app assignment, group push mapping, and Error Profile push updates.
Applicable resources
All apps, all apps of a specific type, a specific app
okta.apps.clientCredentials.read
Description
Allows the admin to view information about client credentials for the app
Applicable resources
All apps, all apps of a specific type, a specific app
okta.apps.manage
Description
Allows the admin to fully manage apps and their members in your Okta org
Applicable resources
All apps, all apps of a specific type, a specific app
Allows the admin to run imports for apps with a profile source, such as HRaaS and AD/LDAP apps. Admins with this permission can create users through the import.
Applicable resources
All apps, all apps of a specific type, a specific app
okta.realms.manage
Description
Allows the admin to view, create, and manage realms
Allows the admin to suspend user access to Okta. When a user is suspended, their user sessions are also cleared.
Applicable resources
All users, all users within a specific group
okta.users.lifecycle.unlock
Description
Allows the admin to unlock users who have been locked out of Okta
Applicable resources
All users, all users within a specific group
okta.users.lifecycle.unsuspend
Description
Allows the admin to restore user access to Okta
Applicable resources
All users, all users within a specific group
okta.users.manage
Description
Allows the admin to create and manage users and read all profile and credential information for users. Delegated admins with this permission can only manage user credential fields and not the credential values themselves.
Allows the admin to read any user's profile and credential information. Delegated admins with this permission can only manage user credential fields and not the credential values themselves.
Applicable resources
All users, all users within a specific group
okta.users.userprofile.manage
Description
Allows the admin to only perform operations on the user object, including hidden and sensitive attributes