Roles in Okta
Role assignment to principals grants them a specific set of access privileges. Principals can be users, groups of users, or client apps. When a role is assigned to a group, all members of the group automatically have the privileges granted by the role.
Roles can be one of the following types:
-
Standard roles
, which are provided by default in your Okta org
For standard role assignments, see the User Role Assignments , Group Role Assignments , and Client Role Assignments API. -
Custom roles
, which you create in your Okta org with a collection of available
permissions
and bind to
resources
For custom role assignments, see Create a Custom Role , Create a resource set , and Create a resource set binding .
Standard roles
| Role | Label | Optional targets |
|---|---|---|
API_ACCESS_MANAGEMENT_ADMIN |
API Access Management administrator | |
APP_ADMIN |
Application administrator | Applications |
GROUP_MEMBERSHIP_ADMIN |
Group membership administrator | Groups |
HELP_DESK_ADMIN |
Help desk administrator | Groups |
MOBILE_ADMIN |
Mobile administrator | |
ORG_ADMIN |
Organization administrator | |
READ_ONLY_ADMIN |
Read-only administrator | |
REPORT_ADMIN |
Report administrator | |
SUPER_ADMIN |
Super administrator | |
USER_ADMIN |
Group administrator | Groups |
IAM-based standard roles
You can assign IAM-based standard roles. These roles are immutable. You can't update or delete them.
| Role | Label | Permissions |
|---|---|---|
ACCESS_CERTIFICATIONS_ADMIN |
Access certifications administrator | okta.governance.accessCertifications.manage |
ACCESS_REQUESTS_ADMIN |
Access requests administrator | okta.governance.accessRequests.manage |
Permissions
The following permissions are supported in Okta.
Notes:
- Governance permissions are currently only supported as part of the Standard IAM-based Roles . You can't use these to create or update other roles.
okta.apps.manageFirstPartyAppspermission is only supported as part of some Standard IAM-based Roles . You can't use it to create or update other roles.okta.devices.*permissions are self-service Early Access . Turn on the Enable custom admin roles for device permissions feature from the Settings > Feature page in the Admin Console to access these permissions. See Manage Early Access and Beta features .
Permission |
Description | Applicable resources |
|---|---|---|
okta.users.manage |
Allows the admin to create and manage Users and read all profile and credential information for Users. Delegated admins with this permission can only manage user credential fields and not the credential values themselves. | All Users, all Users within a specific Group |
okta.users.create |
Allows the admin to create Users. If the admin is also scoped to manage a Group, that admin can add the User to the Group on creation and then manage. | All Groups, a specific Group |
okta.users.read |
Allows the admin to read any User's profile and credential information. Delegated admins with this permission can only manage user credential fields and not the credential values themselves. | All Users, all Users within a specific Group |
okta.users.credentials.manage |
Allows the admin to manage only credential lifecycle operations for a User | All Users, all Users within a specific Group |
okta.users.credentials.resetFactors |
Allows the admin to reset MFA authenticators for Users | All Users, all Users within a specific Group |
okta.users.credentials.resetPassword |
Allows the admin to reset passwords for Users | All Users, all Users within a specific Group |
okta.users.credentials.expirePassword |
Allows the admin to expire a user's password and set a new temporary password | All Users, all Users within a specific Group |
okta.users.userprofile.manage |
Allows the admin to only perform operations on the User object, including hidden and sensitive attributes | All Users, all Users within a specific Group |
okta.users.lifecycle.manage |
Allows the admin to perform any User lifecycle operations | All Users, all Users within a specific Group |
okta.users.lifecycle.activate |
Allows the admin to activate user accounts | All Users, all Users within a specific Group |
okta.users.lifecycle.deactivate |
Allows the admin to deactivate user accounts | All Users, all Users within a specific Group |
okta.users.lifecycle.suspend |
Allows the admin to suspend user access to Okta. When a user is suspended, their user sessions are also cleared. | All Users, all Users within a specific Group |
okta.users.lifecycle.unsuspend |
Allows the admin to restore user access to Okta | All Users, all Users within a specific Group |
okta.users.lifecycle.delete |
Allows the admin to permanently delete user accounts | All Users, all Users within a specific Group |
okta.users.lifecycle.unlock |
Allows the admin to unlock users who have been locked out of Okta | All Users, all Users within a specific Group |
okta.users.lifecycle.clearSessions |
Allows the admin to clear all active Okta sessions and OAuth tokens for a user | All Users, all Users within a specific Group |
okta.users.groupMembership.manage |
Allows the admin to manage a user's group membership (also need okta.groups.members.manage to assign to a specific Group) |
All Users, all Users within a specific Group |
okta.users.appAssignment.manage |
Allows the admin to manage a user's app assignment (also need okta.apps.assignment.manage to assign to a specific App) |
All Users, all Users within a specific Group |
okta.users.apitokens.manage |
Allows the admin to manage API tokens | All Users, all Users within a specific Group |
okta.users.apitokens.read |
Allows the admin to view API tokens | All Users, all Users within a specific Group |
okta.groups.manage |
Allows the admin to fully manage Groups in your Okta org | All Groups, a specific Group |
okta.groups.create |
Allows the admin to create Groups | All Groups |
okta.groups.members.manage |
Allows the admin to only manage member operations in a Group in your Okta org | All Groups, a specific Group |
okta.groups.read |
Allows the admin to only read information about Groups and their members in your Okta org | All Groups, a specific Group |
okta.groups.appAssignment.manage |
Allows the admin to manage a Group's app assignment (also need okta.apps.assignment.manage to assign to a specific App) |
All Groups, a specific Group |
okta.apps.read |
Allows the admin to only read information about apps and their members in your Okta org | All Applications, All Applications of specific type, a specific App |
okta.apps.manage |
Allows the admin to fully manage apps and their members in your Okta org | All Applications, All Applications of specific type, a specific Application |
okta.apps.assignment.manage |
Allows the admin to manage assignment operations of an app in your Okta org and view the following provisioning errors: Application assignment, Group push mapping, and Error Profile push updates. | All Applications, All Applications of specific type, a specific Application |
okta.profilesources.import.run |
Allows the admin to run imports for apps with a profile source, such as HRaaS and AD/LDAP apps. Admins with this permission can create users through the import. | All Applications, All Applications of specific type, a specific Application |
okta.authzServers.read |
Allows the admin to read authorization servers | All Authorization Servers, a specific Authorization Server |
okta.authzServers.manage |
Allows the admin to manage authorization servers | All Authorization Servers, a specific Authorization Server |
okta.customizations.read |
Allows the admin to read customizations | All Customizations |
okta.customizations.manage |
Allows the admin to manage customizations | All Customizations |
okta.identityProviders.read |
Allows the admin to read Identity Providers | All Identity Providers |
okta.identityProviders.manage |
Allows the admin to manage Identity Providers | All Identity Providers |
okta.workflows.read |
Allows the admin to view delegated flows | All Delegated Flows, a specific Delegated Flow |
okta.workflows.invoke |
Allows the admin to view and run delegated flows | All Delegated Flows, a specific Delegated Flow |
okta.governance.accessCertifications.manage |
Allows the admin to view and manage access certification campaigns | All Access Certifications |
okta.governance.accessRequests.manage |
Allows the admin to view and manage Access Requests | All Access Requests |
okta.apps.manageFirstPartyApps |
Allows the admin to manage first-party apps | All Access Requests |
okta.agents.manage |
Allows the admin to manage agent communication and agent updates | All Agents |
okta.agents.register |
Allows the admin to register agents and domains | All Agents |
okta.agents.view |
Allows the admin to download agents and view agent statuses | All Agents |
okta.directories.manage |
Allows the admin to manage all directory integration settings of an app instance | All Directory Integrations, a specific type of directory integration, a specific directory integration |
okta.directories.read |
Allows the admin to view the directory integration settings of an app instance | All Directory Integrations, a specific type of Directory Integration, a specific Directory Integration |
okta.devices.manage |
Allows the admin to manage devices and perform all device lifecycle operations | All Devices |
okta.devices.lifecycle.manage |
Allows the admin to perform any device lifecycle operations | All Devices |
okta.devices.lifecycle.activate |
Allows the admin to activate devices | All Devices |
okta.devices.lifecycle.deactivate |
Allows the admin to deactivate devices. When you deactivate a device, it loses all device user links. | All Devices |
okta.devices.lifecycle.suspend |
Allows the admin to suspend device access to Okta | All Devices |
okta.devices.lifecycle.unsuspend |
Allows the admin to unsuspend and restore device access to Okta | All Devices |
okta.devices.lifecycle.delete |
Allows the admin to permanently delete devices | All Devices |
okta.devices.read |
Allows the admin to read device details | All Devices |
okta.iam.read |
Allows the admin to view roles, resources, and admin assignments | All Identity and Access Management resources |
okta.support.cases.manage |
Allows the admin to view, create, and manage Okta Support cases | All Okta Support cases opened by the admin |
Resources
Okta resources are identified by either an Okta Resource Name (ORN) or an Okta API REST URL.
Note: Not all Okta resources have a corresponding Okta API.
Okta Resource Name (ORN)
The Okta Resource Name (ORN) uniquely identifies an Okta resource and has the following formats:
-
orn:{partition}:{service}:{yourOrgId}:{objectType}:{objectId}:contained_resources -
orn:{partition}:{service}:{yourOrgId}:{objectType}:{appName}:{objectId} -
orn:{partition}:{service}:{yourOrgId}:contained_resources
where
| ORN variable | Description |
|---|---|
{partition} |
The Okta environment partition specific to your org (oktapreview for Preview environments and okta for Production environments) |
{service} |
The service that the resource belongs to |
{yourOrgId} |
The identifier for the tenant that's using the service. This is typically your org ID. |
{objectType} |
The resource object that belongs to the service category |
{objectId} |
The specific object identifier for objectType. For example, if you want to define a specific group for your resource, use orn:{partition}:directory:{yourOrgId}:groups:{groupId}. |
{appName} |
The key name that describes the app definition. For example, if you want to define all apps with a specific app definition for your resource, use orn:{partition}:idp:{yourOrgId}:apps:{appName}. |
contained_resource |
An optional literal that targets all resources within the container resource (only for supported resources). For example, orn:{partition}:directory:{yourOrgId}:groups:{groupId}:contained_resources targets all users within a specific group. |
Supported resources
Directory service
| Resource | ORN | Okta API REST URL |
|---|---|---|
| All Users | orn:{partition}:directory:{yourOrgId}:users |
https://{yourOktaDomain}/api/v1/users |
| All Groups | orn:{partition}:directory:{yourOrgId}:groups |
https://{yourOktaDomain}/api/v1/groups |
| A specific Group | orn:{partition}:directory:{yourOrgId}:groups:{groupId} |
https://{yourOktaDomain}/api/v1/groups/{groupId} |
| All Users within a specific Group | orn:{partition}:directory:{yourOrgId}:groups:{groupId}:contained_resources |
https://{yourOktaDomain}/api/v1/groups/{groupId}/users |
| All Devices |
orn:{partition}:directory:{yourOrgId}:devices |
https://{yourOktaDomain}/api/v1/devices |
Identity Provider service
| Resource | ORN | Okta API REST URL |
|---|---|---|
| All Applications | orn:{partition}:idp:{yourOrgId}:apps |
https://{yourOktaDomain}/api/v1/apps |
| All Identity Providers |
orn:{partition}:idp:{yourOrgId}:identity_provider |
https://{yourOktaDomain}/api/v1/idps |
| All Applications of a specific type | orn:{partition}:idp:{yourOrgId}:apps:{appType} |
https://{yourOktaDomain}/api/v1/apps/?filter=name+eq+%22{targetAppType}%22 |
| A specific App | orn:{partition}:idp:{yourOrgId}:apps:{appType}:{appId} |
https://{yourOktaDomain}/api/v1/apps/{appId} |
| All Authorization Servers | orn:{partition}:idp:{yourOrgId}:authorization_servers |
https://{yourOktaDomain}/api/v1/authorizationServers |
| A specific Authorization Server | orn:{partition}:idp:{yourOrgId}:authorization_servers:{authorizationServerId} |
https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId} |
| All customizations | orn:{partition}:idp:{yourOrgId}:customizations |
Workflow service
| Resource | ORN | Okta API REST URL |
|---|---|---|
| All delegated flows | orn:{partition}:workflow:{yourOrgId}:flows |
|
| A specific delegated flow | orn:{partition}:workflow:{yourOrgId}:flows:{flowId} |
Governance service
| Resource | ORN | Okta API REST URL |
|---|---|---|
| All access certifications |
orn:{partition}:governance:{orgId}:certifications |
|
| All access requests |
orn:{partition}:governance:{orgId}:requests |
Identity and Access Management service
| Resource | ORN | Okta API REST URL |
|---|---|---|
| All Identity and Access Management resources | orn:{partition}:iam:{orgId}:contained_resources |
Support service
| Resource | ORN | Okta API REST URL |
|---|---|---|
| All Okta Support cases opened by the admin | orn:{partition}:support:{orgId}:cases |