Role permissions
<!DOCTYPE html> <html xmlns:MadCap="http://www.madcapsoftware.com/Schemas/MadCap.xsd" lang="en-us" xml:lang="en-us" class="concept _Skins_okta_html5_topnav_nav_poc" data-mc-search-type="Stem" data-mc-help-system-file-name="okta_help.xml" data-mc-path-to-help-system="../../../../" data-mc-has-content-body="True" data-mc-searchable="True" data-mc-toc-path="Org-level security|Administrator roles|[%=System.LinkedHeader%]|[%=System.LinkedHeader%]" data-mc-target-type="WebHelp2" data-mc-runtime-file-type="Topic;Default" data-mc-preload-images="false" data-mc-in-preview-mode="false"> <head> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> <meta name="typeofcontent" content="documentation" /> <meta name="audience" content="admin" /> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="description" content="What you can do using the Administrators page." /> <meta name="viewport" content="width=device-width, height=device-height" /><title>Role permissions</title> <link rel="canonical" href="https://help.okta.com/en-us/content/topics/security/custom-admin-role/about-role-permissions.htm" /> <meta charset="utf-8" /> <meta http-equiv="X-UA-Compatible" content="IE=edge" /> <link rel="shortcut icon" href="../../../Resources/Images/favicon.ico" type="image/x-icon" /> <!-- Google Tag Manager --> <!-- End Google Tag Manager --> <!-- Google Tag Manager --> <!-- End Google Tag Manager --> <!-- Pendo Script (Per Chris Bank) --> <!-- End Pendo Script --> <link href="../../../../Skins/Default/Stylesheets/Slideshow.css" rel="stylesheet" type="text/css" data-mc-generated="True" /> <link href="../../../../Skins/Default/Stylesheets/TextEffects.css" rel="stylesheet" type="text/css" data-mc-generated="True" /> <link href="../../../../Skins/Default/Stylesheets/Topic.css" rel="stylesheet" type="text/css" data-mc-generated="True" /> <link href="../../../../Skins/Default/Stylesheets/Components/Styles.css" rel="stylesheet" type="text/css" 
data-mc-generated="True" /> <link href="../../../../Skins/Default/Stylesheets/Components/Tablet.css" rel="stylesheet" type="text/css" data-mc-generated="True" /> <link href="../../../../Skins/Default/Stylesheets/Components/Mobile.css" rel="stylesheet" type="text/css" data-mc-generated="True" /> <link href="../../../../Skins/Default/Stylesheets/Components/Print.css" rel="stylesheet" type="text/css" data-mc-generated="True" /> <link href="../../../../Skins/Fluid/stylesheets/foundation.6.2.3.css" rel="stylesheet" type="text/css" data-mc-generated="True" /> <link href="../../../../Skins/Fluid/stylesheets/styles.css" rel="stylesheet" type="text/css" data-mc-generated="True" /> <link href="../../../../Skins/Fluid/stylesheets/tablet.css" rel="stylesheet" type="text/css" data-mc-generated="True" /> <link href="../../../../Skins/Fluid/stylesheets/mobile.css" rel="stylesheet" type="text/css" data-mc-generated="True" /> <link href="../../../../Skins/Fluid/stylesheets/print.css" rel="stylesheet" type="text/css" data-mc-generated="True" /> <link rel="stylesheet" href="https://static.cloud.coveo.com/searchui/v2.5395/css/CoveoFullSearchNewDesign.css" /> <style>/*<meta />*/ .button.select-language-button { -pie-background: linear-gradient(#ffffff, #ffffff); } .needs-pie { behavior: url('../../../../Resources/Scripts/PIE-no-motw.htc'); } </style> <link href="../../../resources/stylesheets/okta-main-new-nav.css" rel="stylesheet" type="text/css" /> <link href="../../../resources/tablestyles/standard-shade-col1.css" rel="stylesheet" data-mc-stylesheet-type="table" /> <script src="../../../../Resources/Scripts/jquery.min.js" type="text/javascript"> </script> <script src="../../../../Resources/Scripts/purify.min.js" type="text/javascript" defer="defer"> </script> <script src="../../../../Resources/Scripts/require.min.js" type="text/javascript"> </script> <script src="../../../../Resources/Scripts/require.config.js" type="text/javascript" defer="defer"> </script> <script 
src="../../../../Resources/Scripts/foundation.6.2.3_custom.js" type="text/javascript"> </script> <script src="../../../../Resources/Scripts/plugins.min.js" type="text/javascript" defer="defer"> </script> <script src="../../../../Resources/Scripts/MadCapAll.js" type="text/javascript" defer="defer"> </script> <script> /* <![CDATA[ */ (function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0], j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src= 'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f); })(window,document,'script','dataLayer','GTM-NMZZV4P'); /* ]]> */ </script> <script> /* <![CDATA[ */ (function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0], j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src= 'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f); })(window,document,'script','dataLayer','GTM-KXMLV58'); /* ]]> */ </script> <script> /* <![CDATA[ */ (function(apiKey){ (function(p,e,n,d,o){var v,w,x,y,z;o=p[d]=p[d]||{};o._q=o._q||[]; v=['initialize','identify','updateOptions','pageLoad','track'];for(w=0,x=v.length;w<x;++w)(function(m){ o[m]=o[m]||function(){o._q[m===v[0]?'unshift':'push']([m].concat([].slice.call(arguments,0)));};})(v[w]); y=e.createElement(n);y.async=!0;y.src='https://cdn.pendo.io/agent/static/'+apiKey+'/pendo.js'; z=e.getElementsByTagName(n)[0];z.parentNode.insertBefore(y,z);})(window,document,'script','pendo'); pendo.initialize({ visitor: { id: 'VISITOR-UNIQUE-ID' }, account: { id: 'ACCOUNT-UNIQUE-ID' } }); })('a9bd3885-93ae-46ab-700b-dd29e613c19d'); /* ]]> */ function openSurvey() { window.open('https://surveys.okta.com/jfe/form/SV_e4L0iW8a3tz8Yol?source=' + encodeURIComponent(document.location.href), '_blank'); } </script> </head> <body> <div class="foundation-wrap off-canvas-wrapper"> <div 
class="off-canvas-wrapper-inner" data-off-canvas-wrapper=""> <aside class="off-canvas position-right" role="navigation" id="offCanvas" data-off-canvas="" data-position="right" data-mc-ignore="true"> <ul class="off-canvas-drilldown vertical menu off-canvas-list" data-drilldown="" data-mc-back-link="Back" data-mc-css-tree-node-expanded="is-drilldown-submenu-parent" data-mc-css-tree-node-collapsed="is-drilldown-submenu-parent" data-mc-css-sub-menu="vertical menu slide-in-right is-drilldown-submenu" data-mc-include-indicator="False" data-mc-include-icon="False" data-mc-include-parent-link="True" data-mc-include-back="True" data-mc-defer-expand-event="True" data-mc-expand-event="click.zf.drilldown" data-mc-toc="True"> </ul> </aside> <div class="off-canvas-content inner-wrap" data-off-canvas-content=""> <div data-sticky-container="" class="title-bar-container"> <nav class="title-bar tab-bar sticky" role="banner" data-sticky="" data-options="marginTop:0" style="width:100%" data-sticky-on="only screen and (max-width: 1024px)" data-mc-ignore="true"><a class="skip-to-content fluid-skip showOnFocus" href="#">Skip To Main Content</a> <div class="middle title-bar-section outer-row clearfix"> <div class="menu-icon-container relative clearfix"> <div class="central-account-wrapper"> <div class="central-dropdown"><a class="central-account-drop"><span class="central-account-image"></span><span class="central-account-text">Account</span></a> <div class="central-dropdown-content"><a class="MCCentralLink central-dropdown-content-settings">Settings</a> <hr class="central-separator" /><a class="MCCentralLink central-dropdown-content-logout">Logout</a> </div> </div> </div> <button class="menu-icon" aria-label="Show Navigation Panel" data-toggle="offCanvas"><span></span> </button> </div> </div> <div class="title-bar-layout outer-row"> <div class="logo-wrapper"><a class="logo" href="https://help.okta.com/okta_help.htm?id=csh-index" alt="Okta"></a> </div> <div class="navigation-wrapper 
nocontent"> <ul class="navigation clearfix" role="navigation" data-mc-css-tree-node-has-children="has-children" data-mc-css-sub-menu="sub-menu" data-mc-expand-event="mouseenter" data-mc-top-nav-menu="True" data-mc-max-depth="2" data-mc-include-icon="False" data-mc-include-indicator="False" data-mc-include-children="True" data-mc-include-siblings="True" data-mc-include-parent="True" data-mc-toc="True"> <li class="placeholder" style="visibility:hidden"><a>placeholder</a> </li> </ul> </div> <div class="central-account-wrapper"> <div class="central-dropdown"><a class="central-account-drop"><span class="central-account-image"></span><span class="central-account-text">Account</span></a> <div class="central-dropdown-content"><a class="MCCentralLink central-dropdown-content-settings">Settings</a> <hr class="central-separator" /><a class="MCCentralLink central-dropdown-content-logout">Logout</a> </div> </div> </div> <div class="nav-search-wrapper"> <div class="nav-search row"> <form class="search" action="#"> <div class="search-bar search-bar-container needs-pie"> <input class="search-field needs-pie" type="search" aria-label="Search Field" placeholder="Search" /> <div class="search-filter-wrapper"><span class="invisible-label" id="search-filters-label">Filter: </span> <div class="search-filter" aria-haspopup="true" aria-controls="sf-content" aria-expanded="false" aria-label="Search Filter" title="All Files" role="button" tabindex="0"> </div> <div class="search-filter-content" id="sf-content"> <ul> <li> <button class="mc-dropdown-item" aria-labelledby="search-filters-label filterSelectorLabel-00001"><span id="filterSelectorLabel-00001">All Files</span> </button> </li> </ul> </div> </div> <div class="search-submit-wrapper" dir="ltr"> <div class="search-submit" title="Search" role="button" tabindex="0"><span class="invisible-label">Submit Search</span> </div> </div> </div> </form> </div> </div> </div> </nav> </div> <div class="main-section"> <div class="row outer-row 
sidenav-layout"> <nav class="sidenav-wrapper"> <div class="sidenav-container"> <ul class="off-canvas-accordion vertical menu sidenav" data-accordion-menu="" data-mc-css-tree-node-expanded="is-accordion-submenu-parent" data-mc-css-tree-node-collapsed="is-accordion-submenu-parent" data-mc-css-sub-menu="vertical menu accordion-menu is-accordion-submenu nested" data-mc-include-indicator="False" data-mc-include-icon="False" data-mc-include-parent-link="False" data-mc-include-back="False" data-mc-defer-expand-event="True" data-mc-expand-event="click.zf.accordionMenu" data-mc-toc="True" data-mc-side-nav-menu="True"> </ul> </div> </nav> <div class="body-container"> <div data-mc-content-body="True"> <!-- Google Tag Manager (noscript) --> <noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-NMZZV4P" height="0" width="0" style="display:none;visibility:hidden"></iframe> </noscript> <!-- End Google Tag Manager (noscript) --> <!-- Google Tag Manager (noscript) --> <noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-KXMLV58" height="0" width="0" style="display:none;visibility:hidden"></iframe> </noscript> <!-- End Google Tag Manager (noscript) --> <!-- Coveo config parameters --> <div id="coveo_org_id" style="Display:None"><span class="mc-variable okta-coveo-config.OrgId variable">oktaproduction9ounvcxa</span> </div> <div id="coveo_rest_uri" style="Display:None"><span class="mc-variable okta-coveo-config.PlatformRestUri variable">https://platform.cloud.coveo.com/rest/search</span> </div> <div id="coveo_search_url" style="Display:None"><span class="mc-variable okta-coveo-config.SearchPageUrl variable">https://support.okta.com/help/s/global-search/%40uri</span> </div> <div id="coveo_token_url" style="Display:None"><span class="mc-variable okta-coveo-config.SearchTokenServiceUrl variable">https://support.okta.com/help/services/apexrest/PublicSearchToken?site=help</span> </div> <div id="coveo_dev_org_id" style="Display:None"><span 
class="mc-variable okta-coveo-config.DevOrgId variable">oktanonproduction1il1gtac7</span> </div> <div id="coveo_token_url_dev" style="Display:None"><span class="mc-variable okta-coveo-config.SearchTokenServiceUrlDev variable">https://qo2dt8ecve.execute-api.us-west-2.amazonaws.com/dev/token?site=help</span> </div> <!-- End Coveo config parameters --> <!-- ************** Coveo Search bar ************************************* --> <!-- set margin and size in /Content/Resources/Scripts/coveo-resources/css/Coveo.Okta.StandaloneSearchbox.min.css to make room for replacing Flare-generated top-nav with HTML code (see below)--> <div id="OLC_Coveo_Headline" class="coveo-headline-wrapper" data-mc-conditions="MultiProdPublish.SearchBar"> <div class="slds-p-vertical_small"> <!--Search Bar--> <div class="slds-grid slds-grid_align-center"> <div id="customSelect" class="CoveoCustomSelect slds-float_right"> </div> <div id="standaloneSearchbox"> <div class="CoveoAnalytics" data-search-hub="OktaCommunityFullSearch"> </div> <div class="CoveoTab" data-id="Help" data-caption="Help" style="display:none"> </div> <div class="CoveoSearchbox" data-enable-omnibox="true" data-enable-query-suggest-addon="true"> </div> </div> </div> </div> </div> <div class="replace_top_nav"> <div class="navbar" data-mc-conditions="Primary.live-site-only"> <div class="dropdown" data-test="menuBarCategory" id="documentationMenu" data-mc-conditions="MultiProdPublish.DocMenu"> <button class="dropbtn">Documentation <em class="fa fa-caret-down"></em></button> <div class="dropdown-content" data-test="menuBarItems"> <div><a href="https://help.okta.com/okta_help.htm?type=oie&id=oie-index" data-test="menuBarLink">Identity Engine</a> </div> <div><a href="https://help.okta.com/okta_help.htm?id=index-admin" data-test="menuBarLink">Classic Engine</a> </div> <div><a href="https://help.okta.com/okta_help.htm?type=oag&id=ext_oag_main" data-test="menuBarLink">Access Gateway</a> </div> <div><a 
href="https://help.okta.com/okta_help.htm?type=asa&id=csh-asa-overview" data-test="menuBarLink">Advanced Server Access</a> </div> <div><a href="https://help.okta.com/okta_help.htm?type=wf&id=ext-Okta-workflows" data-test="menuBarLink">Workflows</a> </div> </div> </div> <div class="dropdown" data-test="menuBarCategory" id="relnotesMenu" data-mc-conditions="MultiProdPublish.DocMenu"> <button class="dropbtn">Release notes <em class="fa fa-caret-down"></em></button> <div class="dropdown-content" data-test="menuBarItems"> <div><a href="https://help.okta.com/okta_help.htm?type=oie&id=csh-oie-release-notes" data-test="menuBarLink">Identity Engine</a> </div> <div><a href="https://help.okta.com/okta_help.htm?id=ext_okta_relnotes" data-test="menuBarLink">Classic Engine</a> </div> <div><a href="https://help.okta.com/okta_help.htm?type=oag&id=ext_oag_releasenotes" data-test="menuBarLink">Access Gateway</a> </div> <div><a href="https://help.okta.com/okta_help.htm?type=asa&id=ext-asa-releasenotes" data-test="menuBarLink">Advanced Server Access</a> </div> <div><a href="https://help.okta.com/okta_help.htm?type=wf&id=ext-workflows-releasenotes" data-test="menuBarLink">Workflows</a> </div> </div> </div> <div class="dropdown" data-test="menuBarCategory" id="oktaDevDocsMenu"><a href="https://developer.okta.com/" target="_blank" data-test="menuBarLink">Okta Developer</a> </div> <div class="dropdown" data-test="menuBarCategory" id="auth0Menu"><a href="https://auth0.com/docs" target="_blank" data-test="menuBarLink">Auth0</a> </div> <div class="dropdown" data-test="menuBarCategory" id="trainingMenu"><a href="https://www.okta.com/services/training/" target="_blank" data-test="menuBarLink">Training</a> </div> <div class="dropdown" data-test="menuBarCategory" id="supportMenu"><a href="https://support.okta.com/help/s/?language=en_US" target="_blank" data-test="menuBarLink">Support</a> </div> </div> <div class="logo_container" id="OktaBanner" data-mc-conditions="Primary.live-site-only"><a 
class="logo" href="https://help.okta.com/okta_help.htm?id=csh-index" data-test="OktaBanner"><img src="../../../resources/images/okta-assets/logo.png" alt="Okta Docs" title="Okta Docs" data-test="OktaBannerImg" /></a> </div> <div class="toolbar-main" data-test="toolBar" data-mc-conditions="Primary.live-site-only"> <div class="buttons popup-container clearfix topicToolbarProxy _Skins_okta_toolbar_no_expand mc-component nocontent" style="mc-topic-toolbar-items: ;"> <div class="button-group-container-left"> <button class="button needs-pie select-language-button" title="Change language"> <div> <div role="img" class="button-icon-wrapper" aria-label="Change language"> <div class="button-icon"> </div> </div> </div> </button> </div> </div> </div> </div> <!-- ********************** Main content row ********************** --> <div class="okta-topics" data-test="bodyWrapper"> <!-- *** Col1: Body Col *** --> <div> <div class="is-not-in-mobile"> <!-- Breadcrumbs --> <div class="nocontent"> <div class="MCBreadcrumbsBox_0 breadcrumbs" role="navigation" aria-label="Breadcrumbs" data-mc-breadcrumbs-divider=" > " data-mc-breadcrumbs-count="3" data-mc-toc="True"> </div> </div> </div> <div class="oie-label" data-mc-conditions="MultiProdPublish.Classic"> <img class="oie-label" title="Label: Okta Classic Engine content" src="../../../resources/images/okta-assets/classic_engine.svg" /> </div> <div class="body-main" data-test="bodyContent"> <!-- Main content body --> <div role="main" id="mc-main-content"> <h1>Role permissions</h1> <p>This topic describes the role permissions that you can add to your custom admin roles.</p> <ul> <li><a href="#User_permissions_" class="MCXref xref">User permissions </a> </li> <li><a href="#Group_permissions" class="MCXref xref">Group permissions</a> </li> <li><a href="#Identity_and_access_management_permissions" class="MCXref xref">Identity and access management permissions</a> </li> <li><a href="#Application_permissions" class="MCXref xref">Application 
permissions</a> </li> <li><a href="#Support_permissions" class="MCXref xref">Support permissions</a> </li> <li><a href="#Profile_source_permissions" class="MCXref xref">Profile source permissions</a> </li> <li><a href="#Workflow_permissions" class="MCXref xref">Workflow permissions</a> </li> <li><a href="#Authorization_server_permissions" class="MCXref xref">Authorization server permissions</a> </li> <li><a href="#Customization_permissions" class="MCXref xref">Customization permissions</a> </li> <li><a href="#Director" class="MCXref xref">Directories permissions</a> </li> <li><a href="#IdP_permissions" class="MCXref xref">Identity Provider permissions</a> </li> <li><a href="#Device_permissions" class="MCXref xref">Devices permissions</a> </li> <li><a href="#Realm" class="MCXref xref">Realms permissions</a> </li> <li><a href="#Agent" class="MCXref xref">Agent permissions</a> </li> </ul> <h2><a name="User_permissions_"></a>User permissions </h2> <table style="width: 100%;mc-table-style: url('../../../resources/tablestyles/standard-shade-col1.css');" class="TableStyle-standard-shade-col1" cellspacing="0"> <col class="TableStyle-standard-shade-col1-Column-Column1" style="width: 20%;" /> <col class="TableStyle-standard-shade-col1-Column-Column" style="width: 80%;" /> <thead> <tr class="TableStyle-standard-shade-col1-Head-Header1"> <th style="font-weight: bold;" class="TableStyle-standard-shade-col1-HeadE-Column1-Header1"> <p>Permission</p> </th> <th style="font-weight: bold;" class="TableStyle-standard-shade-col1-HeadD-Column-Header1"> <p>Description</p> </th> </tr> </thead> <tbody> <tr class="TableStyle-standard-shade-col1-Body-Body1"> <td style="font-weight: normal;" class="TableStyle-standard-shade-col1-BodyE-Column1-Body1">Manage users </td> <td class="TableStyle-standard-shade-col1-BodyD-Column-Body1"> Gives your delegated admin the ability to view, create, edit, and delete all profile and credential information for users. 
<br />Delegated admins with this permission can only manage user credential fields and not the credential values themselves. </td> </tr> <tr class="TableStyle-standard-shade-col1-Body-Body2"> <td style="font-weight: normal;" class="TableStyle-standard-shade-col1-BodyE-Column1-Body2">Create users </td> <td class="TableStyle-standard-shade-col1-BodyD-Column-Body2"> Gives your delegated admin the ability to create users. </td> </tr> <tr class="TableStyle-standard-shade-col1-Body-Body1"> <td style="font-weight: normal;" class="TableStyle-standard-shade-col1-BodyE-Column1-Body1">Edit users' profile attributes </td> <td class="TableStyle-standard-shade-col1-BodyD-Column-Body1">Gives your delegated admin the ability to only edit the value of their users' profile attributes. <br />However, this permission doesn't allow the delegated admins to create or edit custom attributes from the <span class="wintitle">Profiles</span> page in the directory, or to manage profile mappings.</td> </tr> <tr class="TableStyle-standard-shade-col1-Body-Body2"> <td style="font-weight: normal;" class="TableStyle-standard-shade-col1-BodyE-Column1-Body2">Edit users' lifecycle states* </td> <td class="TableStyle-standard-shade-col1-BodyD-Column-Body2"> Gives your delegated admin the ability to manage user lifecycle operations, such as activating, deactivating, reactivating, and suspending users.</td> </tr> <tr class="TableStyle-standard-shade-col1-Body-Body1"> <td style="font-weight: normal;" class="TableStyle-standard-shade-col1-BodyE-Column1-Body1">Activate users*</td> <td class="TableStyle-standard-shade-col1-BodyD-Column-Body1">Gives your delegated admin the ability to activate user accounts.</td> </tr> <tr class="TableStyle-standard-shade-col1-Body-Body2"> <td style="font-weight: normal;" class="TableStyle-standard-shade-col1-BodyE-Column1-Body2">Deactivate users*</td> <td class="TableStyle-standard-shade-col1-BodyD-Column-Body2">Gives your delegated admin the ability to deactivate user 
accounts.</td> </tr> <tr class="TableStyle-standard-shade-col1-Body-Body1"> <td style="font-weight: normal;" class="TableStyle-standard-shade-col1-BodyE-Column1-Body1">Suspend users*</td> <td class="TableStyle-standard-shade-col1-BodyD-Column-Body1"> Gives your delegated admin the ability to suspend users' access to Okta. When a user is suspended, their user sessions are also cleared.</td> </tr> <tr class="TableStyle-standard-shade-col1-Body-Body2"> <td style="font-weight: normal;" class="TableStyle-standard-shade-col1-BodyE-Column1-Body2">Unsuspend users*</td> <td class="TableStyle-standard-shade-col1-BodyD-Column-Body2"> Gives your delegated admin the ability to restore users' access to Okta.</td> </tr> <tr class="TableStyle-standard-shade-col1-Body-Body1"> <td style="font-weight: normal;" class="TableStyle-standard-shade-col1-BodyE-Column1-Body1">Delete users*</td> <td class="TableStyle-standard-shade-col1-BodyD-Column-Body1"> Gives your delegated admin the ability to permanently delete user accounts.</td> </tr> <tr class="TableStyle-standard-shade-col1-Body-Body2"> <td style="font-weight: normal;" class="TableStyle-standard-shade-col1-BodyE-Column1-Body2">Unlock users*</td> <td class="TableStyle-standard-shade-col1-BodyD-Column-Body2">Gives your delegated admin the ability to unlock users who have been locked out of Okta.</td> </tr> <tr class="TableStyle-standard-shade-col1-Body-Body1"> <td style="font-weight: normal;" class="TableStyle-standard-shade-col1-BodyE-Column1-Body1">Clear users' sessions*</td> <td class="TableStyle-standard-shade-col1-BodyD-Column-Body1"> Gives your delegated admin the ability to clear all active Okta sessions and OAuth tokens for an end user.</td> </tr> <tr class="TableStyle-standard-shade-col1-Body-Body2"> <td style="font-weight: normal;" class="TableStyle-standard-shade-col1-BodyE-Column1-Body2">Edit users' authenticator operations*</td> <td class="TableStyle-standard-shade-col1-BodyD-Column-Body2"> Gives your delegated admin the 
ability to manage users' credential operations, such as resetting passwords and multifactor authentication (MFA), including YubiKey enrollments.</td> </tr> <tr class="TableStyle-standard-shade-col1-Body-Body1"> <td style="font-weight: normal;" class="TableStyle-standard-shade-col1-BodyE-Column1-Body1">Reset users' authenticators*</td> <td class="TableStyle-standard-shade-col1-BodyD-Column-Body1"> Gives your delegated admin the ability to reset users' MFA authenticators. </td> </tr> <tr class="TableStyle-standard-shade-col1-Body-Body2"> <td style="font-weight: normal;" class="TableStyle-standard-shade-col1-BodyE-Column1-Body2">Reset users' passwords*</td> <td class="TableStyle-standard-shade-col1-BodyD-Column-Body2"> Gives your delegated admin the ability to reset users' passwords.</td> </tr> <tr class="TableStyle-standard-shade-col1-Body-Body1"> <td style="font-weight: normal;" class="TableStyle-standard-shade-col1-BodyE-Column1-Body1">Set users' temporary password*</td> <td class="TableStyle-standard-shade-col1-BodyD-Column-Body1"> Gives your delegated admin the ability to expire a user's password and set a new temporary password.</td> </tr> <tr class="TableStyle-standard-shade-col1-Body-Body2"> <td style="font-weight: normal;" class="TableStyle-standard-shade-col1-BodyE-Column1-Body2">View users and their details </td> <td class="TableStyle-standard-shade-col1-BodyD-Column-Body2"> Gives your delegated admin the ability to read users' profile and credential information. <br />Delegated admins with this permission can only view user credential fields and not the credential values themselves. </td> </tr> <tr class="TableStyle-standard-shade-col1-Body-Body1"> <td style="font-weight: normal;" class="TableStyle-standard-shade-col1-BodyE-Column1-Body1">Edit users' group membership* </td> <td class="TableStyle-standard-shade-col1-BodyD-Column-Body1"> Gives your delegated admin the ability to manage a user's group membership. 
<p>Your delegated admin also needs to have the <span class="uicontrol">Manage group membership</span> permission from the <span class="wintitle">Group permissions</span> section for the group they can add a user to.</p></td> </tr> <tr class="TableStyle-standard-shade-col1-Body-Body2" data-mc-conditions=""> <td style="font-weight: normal;" class="TableStyle-standard-shade-col1-BodyE-Column1-Body2">Edit users' application assignments*</td> <td class="TableStyle-standard-shade-col1-BodyD-Column-Body2"> Gives your delegated admin the ability to manage a user's app assignments.<p>Your delegated admin also needs to have the <span class="uicontrol">Edit application's user assignments</span> permission from the <span class="wintitle">Application permissions</span> section. This enables them to view and select the apps to assign to the user. </p></td> </tr> <tr class="TableStyle-standard-shade-col1-Body-Body1" data-mc-conditions=""> <td style="font-weight: normal;" class="TableStyle-standard-shade-col1-BodyE-Column1-Body1"> Manage API tokens </td> <td class="TableStyle-standard-shade-col1-BodyD-Column-Body1"> Gives your delegated admin the ability to clear and view tokens.</td> </tr> <tr class="TableStyle-standard-shade-col1-Body-Body2" data-mc-conditions=""> <td style="font-weight: normal;" class="TableStyle-standard-shade-col1-BodyB-Column1-Body2"> View API tokens </td> <td class="TableStyle-standard-shade-col1-BodyA-Column-Body2"> Gives your delegated admin the ability to view tokens.</td> </tr> </tbody> </table> <p>* — Permissions marked with an asterisk grant view-only access to the <span class="uicontrol">Username</span>, <span class="uicontrol">First name</span>, <span class="uicontrol">Last name</span>, <span class="uicontrol">Primary email</span>, and <span class="uicontrol">Mobile phone</span> profile attributes only.</p> <div class="noteOkta"> <p class="noteContent">You can use Okta-sourced, AD-sourced, and LDAP-sourced groups as resources. 
However, the following permissions aren't applicable to AD-sourced and LDAP-sourced groups:</p> <ul> <li>Create users</li> <li>Manage users' authenticator operations </li> <li>Edit users' profile attributes</li> <li>Manage group membership</li> </ul> </div> <h2><a name="Group_permissions"></a>Group permissions</h2> <table style="width: 100%;mc-table-style: url('../../../resources/tablestyles/standard-shade-col1.css');" class="TableStyle-standard-shade-col1" cellspacing="0"> <col class="TableStyle-standard-shade-col1-Column-Column1" style="width: 20%;" /> <col class="TableStyle-standard-shade-col1-Column-Column" style="width: 80%;" /> <thead> <tr class="TableStyle-standard-shade-col1-Head-Header1"> <th style="font-weight: bold;" class="TableStyle-standard-shade-col1-HeadE-Column1-Header1"> <p>Permission</p> </th> <th style="font-weight: bold;" class="TableStyle-standard-shade-col1-HeadD-Column-Header1"> <p>Description</p> </th> </tr> </thead> <tbody> <tr class="TableStyle-standard-shade-col1-Body-Body1"> <td style="font-weight: normal;" class="TableStyle-standard-shade-col1-BodyE-Column1-Body1">Manage groups</td> <td class="TableStyle-standard-shade-col1-BodyD-Column-Body1"> Gives your delegated admin the ability to view, create, edit, and delete groups in your org. 
</td> </tr> <tr class="TableStyle-standard-shade-col1-Body-Body2"> <td style="font-weight: normal;" class="TableStyle-standard-shade-col1-BodyE-Column1-Body2">Create groups</td> <td class="TableStyle-standard-shade-col1-BodyD-Column-Body2"> Gives your delegated admin the ability to create groups if their admin role assignment is constrained to the entire org.</td> </tr> <tr class="TableStyle-standard-shade-col1-Body-Body1"> <td style="font-weight: normal;" class="TableStyle-standard-shade-col1-BodyE-Column1-Body1">View groups</td> <td class="TableStyle-standard-shade-col1-BodyD-Column-Body1"> Gives your delegated admin the ability to only view groups in your org and the users and apps that are assigned to those groups.</td> </tr> <tr class="TableStyle-standard-shade-col1-Body-Body2"> <td style="font-weight: normal;" class="TableStyle-standard-shade-col1-BodyE-Column1-Body2">Manage group membership</td> <td class="TableStyle-standard-shade-col1-BodyD-Column-Body2"> Gives your delegated admin the ability to view, edit, and delete user membership within a group in your org. <p>Your delegated admin also needs to have the <span class="uicontrol">Edit users' group membership</span> permission from the <span class="wintitle">User permissions</span> section to view and select which users they can add to the group.</p></td> </tr> <tr class="TableStyle-standard-shade-col1-Body-Body1" data-mc-conditions=""> <td style="font-weight: normal;" class="TableStyle-standard-shade-col1-BodyB-Column1-Body1">Edit group's application assignments</td> <td class="TableStyle-standard-shade-col1-BodyA-Column-Body1"> Gives your delegated admin the ability to manage a group's app assignment. <p>Your delegated admin also needs to have the <span class="uicontrol">Edit application's user assignments</span> permission from the <span class="wintitle">Application permissions</span> section. 
This enables them to view and select the apps they can add to the group.</p></td> </tr> </tbody> </table> <h2><a name="Identity_and_access_management_permissions"></a>Identity and access management permissions</h2> <table style="width: 100%;mc-table-style: url('../../../resources/tablestyles/standard-shade-col1.css');" class="TableStyle-standard-shade-col1" cellspacing="0"> <col class="TableStyle-standard-shade-col1-Column-Column1" style="width: 20%;" data-mc-conditions="" /> <col class="TableStyle-standard-shade-col1-Column-Column" style="width: 80%;" data-mc-conditions="" /> <thead> <tr class="TableStyle-standard-shade-col1-Head-Header1"> <th style="font-weight: bold;" class="TableStyle-standard-shade-col1-HeadE-Column1-Header1"> <p>Permission</p> </th> <th style="font-weight: bold;" class="TableStyle-standard-shade-col1-HeadD-Column-Header1"> <p>Description</p> </th> </tr> </thead> <tbody> <tr class="TableStyle-standard-shade-col1-Body-Body1"> <td style="font-weight: normal;" class="TableStyle-standard-shade-col1-BodyB-Column1-Body1">View roles, resources, and admin assignments</td> <td class="TableStyle-standard-shade-col1-BodyA-Column-Body1"> Gives the delegated admin view-only permission for the roles, resource sets, and admin assignments in your org. Viewing information in the <span class="mc-variable okta-feature-names.Admin_Console variable">Admin Console</span> also requires these permissions:<ul><li><span class="uicontrol">View users and their details</span> permission: Allows the delegated admin to view your org's admins. This permission appears in the <span class="wintitle">User permissions</span> section.</li><li><span class="uicontrol">View applications and their details</span> permission: Allows the delegated admin to view apps. 
This permission appears in the <span class="wintitle">Application permissions</span> section.</li></ul> Alternatively, you can assign the <a href="../administrators-read-only-admin.htm" class="MCXref xref">Read-only administrators</a> role to the admins with this permission to grant them full read-only access to the <span class="mc-variable okta-feature-names.Admin_Console variable">Admin Console</span>.</td> </tr> </tbody> </table> <h2><a name="Application_permissions"></a>Application permissions</h2> <table style="width: 100%;mc-table-style: url('../../../resources/tablestyles/standard-shade-col1.css');" class="TableStyle-standard-shade-col1" cellspacing="0"> <col class="TableStyle-standard-shade-col1-Column-Column1" style="width: 20%;" data-mc-conditions="" /> <col class="TableStyle-standard-shade-col1-Column-Column" style="width: 80%;" data-mc-conditions="" /> <thead> <tr class="TableStyle-standard-shade-col1-Head-Header1"> <th style="font-weight: bold;" class="TableStyle-standard-shade-col1-HeadE-Column1-Header1"> <p>Permission</p> </th> <th style="font-weight: bold;" class="TableStyle-standard-shade-col1-HeadD-Column-Header1"> <p>Description</p> </th> </tr> </thead> <tbody> <tr class="TableStyle-standard-shade-col1-Body-Body1"> <td style="font-weight: normal;" class="TableStyle-standard-shade-col1-BodyE-Column1-Body1">Manage applications</td> <td class="TableStyle-standard-shade-col1-BodyD-Column-Body1"> Gives your delegated admin the ability to view, create, edit, and delete apps in your org. 
</td> </tr> <tr class="TableStyle-standard-shade-col1-Body-Body2"> <td style="font-weight: normal;" class="TableStyle-standard-shade-col1-BodyE-Column1-Body2">View applications and their details</td> <td class="TableStyle-standard-shade-col1-BodyD-Column-Body2"> Gives your delegated admin the ability to only view apps that are assigned to your org.</td> </tr> <tr class="TableStyle-standard-shade-col1-Body-Body1"> <td style="font-weight: normal;" class="TableStyle-standard-shade-col1-BodyE-Column1-Body1"> View client credentials </td> <td class="TableStyle-standard-shade-col1-BodyD-Column-Body1"> Gives your delegated admin the ability to view OAuth client secrets. A client secret authenticates the app to the authorization server, so assign this permission only to admins who need to read those secrets.</td> </tr> <tr class="TableStyle-standard-shade-col1-Body-Body2"> <td style="font-weight: normal;" class="TableStyle-standard-shade-col1-BodyE-Column1-Body2"> <p class="featureBanner">Early Access release. See <a href="../manage-ea-and-beta-features.htm" class="MCXref xref">Enable self-service features</a>.</p> <p style="font-weight: normal;">Manage application general settings</p> </td> <td class="TableStyle-standard-shade-col1-BodyD-Column-Body2"> Gives your delegated admin the ability to manage only the general app settings in your org.</td> </tr> <tr class="TableStyle-standard-shade-col1-Body-Body1"> <td style="font-weight: normal;" class="TableStyle-standard-shade-col1-BodyB-Column1-Body1">Edit app's user assignments</td> <td class="TableStyle-standard-shade-col1-BodyA-Column-Body1"> Gives your delegated admin the ability to manage the users that are assigned to the app. <p>Your delegated admin also needs to have either the <span class="uicontrol">Edit groups' application assignments</span> permission from the <span class="wintitle">Group permissions</span> section or <span class="uicontrol">Edit users' application assignments</span> permission from the <span class="wintitle">User permissions</span> section. 
This enables them to view and select which users or groups of users to add to the app.</p><p>Gives your delegated admin the ability to view the following provisioning error tasks:</p><ul><li>Application assignments encountered errors </li><li>Group push mapping encountered errors</li><li>Error Profile push updates encountered errors</li></ul><p>See <a href="../../dashboard/monitor-your-tasks.htm" class="MCXref xref">Monitor your tasks</a>.</p></td> </tr> </tbody> </table> <h2><a name="Support_permissions"></a>Support permissions</h2> <p class="featureBanner">Early Access release. See <a href="../manage-ea-and-beta-features.htm" class="MCXref xref">Enable self-service features</a>.</p> <table style="width: 100%;mc-table-style: url('../../../resources/tablestyles/standard-shade-col1.css');" class="TableStyle-standard-shade-col1" cellspacing="0"> <col class="TableStyle-standard-shade-col1-Column-Column1" style="width: 20%;" data-mc-conditions="" /> <col class="TableStyle-standard-shade-col1-Column-Column" style="width: 80%;" data-mc-conditions="" /> <thead> <tr class="TableStyle-standard-shade-col1-Head-Header1"> <th style="font-weight: bold;" class="TableStyle-standard-shade-col1-HeadE-Column1-Header1"> <p>Permission</p> </th> <th style="font-weight: bold;" class="TableStyle-standard-shade-col1-HeadD-Column-Header1"> <p>Description</p> </th> </tr> </thead> <tbody> <tr class="TableStyle-standard-shade-col1-Body-Body1"> <td style="font-weight: normal;" class="TableStyle-standard-shade-col1-BodyB-Column1-Body1">View, create, and manage Okta support cases</td> <td class="TableStyle-standard-shade-col1-BodyA-Column-Body1"> <p> Gives your delegated admin the ability to manage the support cases that they've opened.</p> <div class="noteOkta"> <p class="noteContent">Okta is slowly rolling out this permission to orgs, so it might not yet be available in your org. 
</p> </div> </td> </tr> </tbody> </table> <h2><a name="Profile_source_permissions"></a>Profile source permissions</h2> <table style="width: 100%;mc-table-style: url('../../../resources/tablestyles/standard-shade-col1.css');" class="TableStyle-standard-shade-col1" cellspacing="0"> <col class="TableStyle-standard-shade-col1-Column-Column1" style="width: 20%;" data-mc-conditions="" /> <col class="TableStyle-standard-shade-col1-Column-Column" style="width: 80%;" data-mc-conditions="" /> <thead> <tr class="TableStyle-standard-shade-col1-Head-Header1"> <th style="font-weight: bold;" class="TableStyle-standard-shade-col1-HeadE-Column1-Header1"> <p>Permission</p> </th> <th style="font-weight: bold;" class="TableStyle-standard-shade-col1-HeadD-Column-Header1"> <p>Description</p> </th> </tr> </thead> <tbody> <tr class="TableStyle-standard-shade-col1-Body-Body1"> <td style="font-weight: normal;" class="TableStyle-standard-shade-col1-BodyB-Column1-Body1">Run imports</td> <td class="TableStyle-standard-shade-col1-BodyA-Column-Body1">Gives your delegated admin the ability to run imports for apps with a profile source, such as HRaaS and AD/LDAP apps. Admins with this permission can create users through the import. 
<p>Your delegated admin needs the <span class="uicontrol">Edit users' profile attributes</span> permission from the <span class="wintitle">User permissions</span> section to modify any existing users who are included in the import.</p></td> </tr> </tbody> </table> <h2><a name="Workflow_permissions"></a>Workflow permissions</h2> <table style="width: 100%;mc-table-style: url('../../../resources/tablestyles/standard-shade-col1.css');" class="TableStyle-standard-shade-col1" cellspacing="0"> <col class="TableStyle-standard-shade-col1-Column-Column1" style="width: 20%;" data-mc-conditions="" /> <col class="TableStyle-standard-shade-col1-Column-Column" style="width: 80%;" data-mc-conditions="" /> <thead> <tr class="TableStyle-standard-shade-col1-Head-Header1"> <th style="font-weight: bold;" class="TableStyle-standard-shade-col1-HeadE-Column1-Header1"> <p>Permission</p> </th> <th style="font-weight: bold;" class="TableStyle-standard-shade-col1-HeadD-Column-Header1"> <p>Description</p> </th> </tr> </thead> <tbody> <tr class="TableStyle-standard-shade-col1-Body-Body1"> <td style="font-weight: normal;" class="TableStyle-standard-shade-col1-BodyE-Column1-Body1">Run delegated flow</td> <td class="TableStyle-standard-shade-col1-BodyD-Column-Body1"> Gives your delegated admin the ability to run flows from within the Admin Console.</td> </tr> <tr class="TableStyle-standard-shade-col1-Body-Body2"> <td style="font-weight: normal;" class="TableStyle-standard-shade-col1-BodyB-Column1-Body2"> View delegated flow </td> <td class="TableStyle-standard-shade-col1-BodyA-Column-Body2">Gives your delegated admin the ability to only view flows from within the Admin Console. 
</td> </tr> </tbody> </table> <h2><a name="Authorization_server_permissions"></a>Authorization server permissions</h2> <table style="width: 100%;mc-table-style: url('../../../resources/tablestyles/standard-shade-col1.css');" class="TableStyle-standard-shade-col1" cellspacing="0"> <col class="TableStyle-standard-shade-col1-Column-Column1" style="width: 20%;" /> <col class="TableStyle-standard-shade-col1-Column-Column" style="width: 80%;" /> <thead> <tr class="TableStyle-standard-shade-col1-Head-Header1"> <th class="TableStyle-standard-shade-col1-HeadE-Column1-Header1"> <p>Permission</p> </th> <th class="TableStyle-standard-shade-col1-HeadD-Column-Header1">Description</th> </tr> </thead> <tbody> <tr class="TableStyle-standard-shade-col1-Body-Body1"> <td class="TableStyle-standard-shade-col1-BodyE-Column1-Body1">Manage authorization server</td> <td class="TableStyle-standard-shade-col1-BodyD-Column-Body1">Gives your delegated admin the ability to view, create, edit, and delete authorization servers in your org.</td> </tr> <tr class="TableStyle-standard-shade-col1-Body-Body2"> <td class="TableStyle-standard-shade-col1-BodyB-Column1-Body2">View authorization server</td> <td class="TableStyle-standard-shade-col1-BodyA-Column-Body2">Gives your delegated admin the ability to view only the authorization servers in your org.</td> </tr> </tbody> </table> <h2><a name="Customization_permissions"></a>Customization permissions</h2> <table style="width: 100%;mc-table-style: url('../../../resources/tablestyles/standard-shade-col1.css');" class="TableStyle-standard-shade-col1" cellspacing="0"> <col class="TableStyle-standard-shade-col1-Column-Column1" style="width: 20%;" data-mc-conditions="" /> <col class="TableStyle-standard-shade-col1-Column-Column" style="width: 80%;" data-mc-conditions="" /> <thead> <tr class="TableStyle-standard-shade-col1-Head-Header1"> <th style="font-weight: bold;" class="TableStyle-standard-shade-col1-HeadE-Column1-Header1"> <p>Permission</p> </th> <th 
style="font-weight: bold;" class="TableStyle-standard-shade-col1-HeadD-Column-Header1"> <p>Description</p> </th> </tr> </thead> <tbody> <tr class="TableStyle-standard-shade-col1-Body-Body1"> <td style="font-weight: normal;" class="TableStyle-standard-shade-col1-BodyE-Column1-Body1">Manage customizations</td> <td class="TableStyle-standard-shade-col1-BodyD-Column-Body1"> Gives your delegated admin the ability to view, create, edit, and delete branding customizations in your org.</td> </tr> <tr class="TableStyle-standard-shade-col1-Body-Body2"> <td style="font-weight: normal;" class="TableStyle-standard-shade-col1-BodyB-Column1-Body2">View customizations</td> <td class="TableStyle-standard-shade-col1-BodyA-Column-Body2"> Gives your delegated admin the ability to view only the branding customizations in your org.</td> </tr> </tbody> </table> <h2><a name="Director"></a>Directories permissions</h2> <table style="width: 100%;mc-table-style: url('../../../resources/tablestyles/standard-shade-col1.css');" class="TableStyle-standard-shade-col1" cellspacing="0"> <col class="TableStyle-standard-shade-col1-Column-Column1" style="width: 20%;" data-mc-conditions="" /> <col class="TableStyle-standard-shade-col1-Column-Column" style="width: 80%;" data-mc-conditions="" /> <thead> <tr class="TableStyle-standard-shade-col1-Head-Header1" data-mc-conditions=""> <th style="font-weight: bold;" class="TableStyle-standard-shade-col1-HeadE-Column1-Header1"> <p>Permission</p> </th> <th style="font-weight: bold;" class="TableStyle-standard-shade-col1-HeadD-Column-Header1"> <p>Description</p> </th> </tr> </thead> <tbody> <tr class="TableStyle-standard-shade-col1-Body-Body1"> <td style="font-weight: normal;" class="TableStyle-standard-shade-col1-BodyE-Column1-Body1">Manage directories</td> <td class="TableStyle-standard-shade-col1-BodyD-Column-Body1"> Gives your delegated admin the ability to view, create, edit, and delete directory integration apps in your org.<div class="noteOkta"><p 
class="noteContent">Managing app user assignments and running imports for such apps may require permissions for users and groups.</p></div></td> </tr> <tr class="TableStyle-standard-shade-col1-Body-Body2"> <td style="font-weight: normal;" class="TableStyle-standard-shade-col1-BodyB-Column1-Body2">View directories</td> <td class="TableStyle-standard-shade-col1-BodyA-Column-Body2"> Gives your delegated admin the ability to view only the directory integration apps and their details.</td> </tr> </tbody> </table> <h2><a name="IdP_permissions"></a>Identity Provider permissions</h2> <table style="width: 100%;mc-table-style: url('../../../resources/tablestyles/standard-shade-col1.css');" class="TableStyle-standard-shade-col1" cellspacing="0"> <col class="TableStyle-standard-shade-col1-Column-Column1" style="width: 20%;" data-mc-conditions="" /> <col class="TableStyle-standard-shade-col1-Column-Column" style="width: 80%;" data-mc-conditions="" /> <thead> <tr class="TableStyle-standard-shade-col1-Head-Header1"> <th style="font-weight: bold;" class="TableStyle-standard-shade-col1-HeadE-Column1-Header1"> <p>Permission</p> </th> <th style="font-weight: bold;" class="TableStyle-standard-shade-col1-HeadD-Column-Header1"> <p>Description</p> </th> </tr> </thead> <tbody> <tr class="TableStyle-standard-shade-col1-Body-Body1"> <td style="font-weight: normal;" class="TableStyle-standard-shade-col1-BodyE-Column1-Body1">Manage identity providers</td> <td class="TableStyle-standard-shade-col1-BodyD-Column-Body1"> Gives your delegated admin the ability to view, create, edit, and delete IdP configurations.</td> </tr> <tr class="TableStyle-standard-shade-col1-Body-Body2"> <td style="font-weight: normal;" class="TableStyle-standard-shade-col1-BodyB-Column1-Body2">View identity providers</td> <td class="TableStyle-standard-shade-col1-BodyA-Column-Body2"> Gives your delegated admin the ability to only view IdP configurations.</td> </tr> </tbody> </table> <h2><a 
name="Device_permissions"></a>Devices permissions</h2> <p class="featureBanner">Early Access release. See <a href="../manage-ea-and-beta-features.htm" class="MCXref xref">Enable self-service features</a>.</p> <table style="width: 100%;mc-table-style: url('../../../resources/tablestyles/standard-shade-col1.css');" class="TableStyle-standard-shade-col1" cellspacing="0"> <col class="TableStyle-standard-shade-col1-Column-Column1" style="width: 20%;" data-mc-conditions="" /> <col class="TableStyle-standard-shade-col1-Column-Column" style="width: 80%;" data-mc-conditions="" /> <thead> <tr class="TableStyle-standard-shade-col1-Head-Header1"> <th style="font-weight: bold;" class="TableStyle-standard-shade-col1-HeadE-Column1-Header1"> <p>Permission</p> </th> <th style="font-weight: bold;" class="TableStyle-standard-shade-col1-HeadD-Column-Header1"> <p>Description</p> </th> </tr> </thead> <tbody> <tr class="TableStyle-standard-shade-col1-Body-Body1"> <td style="font-weight: normal;" class="TableStyle-standard-shade-col1-BodyE-Column1-Body1">Manage devices</td> <td class="TableStyle-standard-shade-col1-BodyD-Column-Body1"> Gives your delegated admin the ability to view, suspend, unsuspend, activate, deactivate, and delete devices in your org.</td> </tr> <tr class="TableStyle-standard-shade-col1-Body-Body2"> <td style="font-weight: normal;" class="TableStyle-standard-shade-col1-BodyE-Column1-Body2">View devices</td> <td class="TableStyle-standard-shade-col1-BodyD-Column-Body2"> Gives your delegated admin the ability to view devices in your org.</td> </tr> <tr class="TableStyle-standard-shade-col1-Body-Body1"> <td style="font-weight: normal;" class="TableStyle-standard-shade-col1-BodyE-Column1-Body1">Activate devices</td> <td class="TableStyle-standard-shade-col1-BodyD-Column-Body1"> Gives your delegated admin the ability to view and activate devices in your org.</td> </tr> <tr class="TableStyle-standard-shade-col1-Body-Body2"> <td style="font-weight: normal;" 
class="TableStyle-standard-shade-col1-BodyE-Column1-Body2">Deactivate devices</td> <td class="TableStyle-standard-shade-col1-BodyD-Column-Body2"> Gives your delegated admin the ability to view and deactivate devices in your org. <p>If your delegated admin deactivates a device, enrolled factors on the device are deactivated, and users must re-enroll factors on the device when it's activated. See Device lifecycle.</p></td> </tr> <tr class="TableStyle-standard-shade-col1-Body-Body1"> <td style="font-weight: normal;" class="TableStyle-standard-shade-col1-BodyE-Column1-Body1">Suspend devices</td> <td class="TableStyle-standard-shade-col1-BodyD-Column-Body1"> Gives your delegated admin the ability to view and suspend devices in your org.</td> </tr> <tr class="TableStyle-standard-shade-col1-Body-Body2"> <td style="font-weight: normal;" class="TableStyle-standard-shade-col1-BodyE-Column1-Body2">Unsuspend devices</td> <td class="TableStyle-standard-shade-col1-BodyD-Column-Body2"> Gives your delegated admin the ability to view and unsuspend devices in your org.</td> </tr> <tr class="TableStyle-standard-shade-col1-Body-Body1"> <td style="font-weight: normal;" class="TableStyle-standard-shade-col1-BodyB-Column1-Body1">Delete devices</td> <td class="TableStyle-standard-shade-col1-BodyA-Column-Body1">Gives your delegated admin the ability to view and delete devices in your org.</td> </tr> </tbody> </table> <h2><a name="Realm"></a>Realms permissions</h2> <p class="featureBanner">Early Access release. 
See <a href="../manage-ea-and-beta-features.htm" class="MCXref xref">Enable self-service features</a>.</p> <table style="width: 100%;mc-table-style: url('../../../resources/tablestyles/standard-shade-col1.css');" class="TableStyle-standard-shade-col1" cellspacing="0"> <col class="TableStyle-standard-shade-col1-Column-Column1" style="width: 20%;" data-mc-conditions="" /> <col class="TableStyle-standard-shade-col1-Column-Column" style="width: 80%;" data-mc-conditions="" /> <thead> <tr class="TableStyle-standard-shade-col1-Head-Header1"> <th style="font-weight: bold;" class="TableStyle-standard-shade-col1-HeadE-Column1-Header1"> <p>Permission</p> </th> <th style="font-weight: bold;" class="TableStyle-standard-shade-col1-HeadD-Column-Header1"> <p>Description</p> </th> </tr> </thead> <tbody> <tr class="TableStyle-standard-shade-col1-Body-Body1"> <td style="font-weight: normal;" class="TableStyle-standard-shade-col1-BodyE-Column1-Body1">Manage realms</td> <td class="TableStyle-standard-shade-col1-BodyD-Column-Body1"> Gives your delegated realm admin the ability to manage one or more realms in your org. </td> </tr> <tr class="TableStyle-standard-shade-col1-Body-Body2"> <td style="font-weight: normal;" class="TableStyle-standard-shade-col1-BodyB-Column1-Body2">Manage users</td> <td class="TableStyle-standard-shade-col1-BodyA-Column-Body2"> Gives your delegated realm admin the ability to add, delete, and move users between realms.<div class="noteOkta"><p class="noteContent">The <span class="wintitle">Manage realms</span> permission is required for a delegated admin to move users between realms.</p></div>A delegated realm admin can also configure granular permissions within a role. 
For example, if you give group membership and app permissions to users in the realm, you can assign them to an app or group that's in the resource set.</td> </tr> </tbody> </table> <h2><a name="Agent"></a>Agent permissions</h2> <table style="width: 100%;mc-table-style: url('../../../resources/tablestyles/standard-shade-col1.css');" class="TableStyle-standard-shade-col1" cellspacing="0"> <col class="TableStyle-standard-shade-col1-Column-Column1" style="width: 20%;" data-mc-conditions="" /> <col class="TableStyle-standard-shade-col1-Column-Column" style="width: 80%;" data-mc-conditions="" /> <thead> <tr class="TableStyle-standard-shade-col1-Head-Header1" data-mc-conditions=""> <th style="font-weight: bold;" class="TableStyle-standard-shade-col1-HeadE-Column1-Header1"> <p>Permission</p> </th> <th style="font-weight: bold;" class="TableStyle-standard-shade-col1-HeadD-Column-Header1"> <p>Description</p> </th> </tr> </thead> <tbody> <tr class="TableStyle-standard-shade-col1-Body-Body1"> <td style="font-weight: normal;" class="TableStyle-standard-shade-col1-BodyE-Column1-Body1">View agents</td> <td class="TableStyle-standard-shade-col1-BodyD-Column-Body1"> Gives your delegated admin the ability to view agent statuses and download agents.</td> </tr> <tr class="TableStyle-standard-shade-col1-Body-Body2"> <td style="font-weight: normal;" class="TableStyle-standard-shade-col1-BodyE-Column1-Body2">Register agents</td> <td class="TableStyle-standard-shade-col1-BodyD-Column-Body2">Gives your delegated admin the ability to register agents and domains.</td> </tr> <tr class="TableStyle-standard-shade-col1-Body-Body1"> <td style="font-weight: normal;" class="TableStyle-standard-shade-col1-BodyB-Column1-Body1">Manage agents</td> <td class="TableStyle-standard-shade-col1-BodyA-Column-Body1">Gives your delegated admin the ability to manage agent communication and update agents.</td> </tr> </tbody> </table> <h2><span>Related topics</span> </h2> <p><a href="create-role.htm" class="MCXref 
xref">Create a role</a> </p> <p><a href="create-resource-set.htm" class="MCXref xref">Create a resource set</a> </p> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </body> </html>