Administrators Skip to main content
How satisfied are you with the Okta Help Center?
Thank you for your feedback!
How satisfied are you with the Okta Help Center?
Very Dissatisfied
Very satisfied
Enter content less than 200 characters.
Published: Jan 31, 2018   -   Updated: Jun 22, 2018





Administrators (or Admins) are Okta users with permission to access the Okta administration application. You can grant Admins access to all sections of the application, or limit their access to only certain apps.

To add an administrator, do the following:

  1. Click the Add Administrator button.
  2. Enter the name of the administrator granted permissions.
  3. Define the administrator permissions by choosing an administrator role. For a full description of each of the admin roles and their permissions, see the table below or click the View permissions info button.
  4. Once the fields are complete, click the Save button.

The table below details the permissions granted to each role. Please note the following:

EA — Early Access features require enablement from Okta Support.

* Permissions apply only to groups that the Group Admin is allowed to manage.

** Can create new users in groups that Group Admin manages.

^ Permissions apply only to applications the App Admin is allowed to manage. You cannot specify individually created Template apps. Instead, you must choose the entire Template class; for example Template SAML 2.0. Also, App Admins cannot edit VPN Notifications settings for VPN-required apps.

+ To complete the end-to-end scenario for setting up social authentication you must

• Be a Super Administrator

• Have both the App Administrator and Org Administrator roles

You can restrict the App Administrator role to OpenID Connect client apps.

App Administrator role

This is an Early Access feature. To enable it use the Early Access Feature Manager as described in Manage Early Access Features.

Okta distinguishes between an application and the instances of that application. An app admin can be granted access to all instances of an app, or just specific instances of that application. This allows for more granular access control.

Super Admins can navigate to Security > Administrators to assign applications or specific instances of applications to App Admins. To distinguish between an application and its instances, Okta refers to the application as the "App" and the instances of that application are called "app instances". For example, Workday would be the App, and each instance of Workday would be referred to as an "app instance".

Note: If you assign a specific instance to an app admin and then later try to assign access to the overall App, an error message displays to warn you of the conflicting permissions. An app admin should not have restricted access to only one specific instance but also be assigned access to the entire app type.

Super Admin
Org. Admin
App. Admin
Read-Only Admin
Mobile Admin
Org-wide Settings
View and run reportsYesYesNoNoYesYesNoNo
View Okta settings (themes, logo, & contact info)YesYesNoNoYesYesNoNo
Manage Profile EditorYesYesNoYesNoNoNoYes (for OIDC clients)
Manage profile mappingsYesYesYesYesNoNoNoYes (for OIDC clients)
Edit Okta settingsYesYesNoNoNoNoNoNo
Add, remove, and view administratorsYesNoNoNoNoNoNoNo
Add, delete, and edit scope, claim, and policy on an authorization serverYesNoNoNoNoNoNoYes
View authorization server scope, claim, and policyYesYesNoNoYesNoNoYes
View System LogYesYesNoYesYesYesNoYes
User Management
View usersYesYesYes*YesYesYesYesYes
Activate & deactivate usersYesYesYes*NoNoNoNoNo
Edit profilesYesYesYes*NoNoYesNoNo
Password resets, MFA resetsYesYesYes*NoNoNoYesNo
Create usersYesYesYes*NoNoNoNoNo
Clear user sessionYesYesYesNoNoNoYesNo
Choose not to receive email notifications about locked user accountsYesYesYes*YesYesYesNoYes
View groupsYesYesYes*YesYesYesNoYes
Add users to groupsYesYesYes**NoNoNoNoNo
Remove users from groupsYesYesYesNoNoNoNoNo
Create groupsYesYesNoNoNoNoNoNo
Delete groupsYesYesNoNoNoNoNoNo
View applications or application instancesYesNoNoYes^YesYesNoYes (for OIDC clients)
Add and configure applicationsYesNoNoYes^NoNoNoYes (for OIDC clients)
Assign user access to applicationsYesNoNoYes^NoNoNoYes (for OIDC clients)
Create users in pending status via app importYesNoNoYes^NoNoNoNo
Mobile Policies
View and manage devicesYesYesNoNoNoYesNoNo
Configure Okta mobile managerYesYesNoNoNoYesNoNo
View policies (Mobile)YesYesNoNoYesYesNoNo
Setting APNSYesYesNoNoNoYesNoNo
Add/update/delete policiesYesYesNoNoNoYesNoNo
Add/Update/Delete RulesYesYesNoNoNoYesNoNo
Drag and Drop Policies for prioritizationYesYesNoNoNoYesNoNo
OMM - Wifi (EA)
View wifi policiesYesYesNoNoYesYesNoNo
Add/update/delete policiesYesYesNoNoNoYesNoNo
Add/update/delete rulesYesYesNoNoNoYesNoNo
Drag and drop policies for prioritizationYesYesNoNoNoYesNoNo
Mobile Devices
View Mobile tab on users sectionYesYesNoNoYesYesNoNo
View device detailsYesYesNoNoYesYesNoNo
Deprovision/clear PC/remote lock/resetYesYesNoNoNoYesNoNo
Deprovision/reset from Mobile tabYesYesNoNoNoYesNoNo
OMM - Applications
View Mobile tab on appsYesNoNoYesYesYesNoNo
Edit and save EAS settingsYesNoNoNoNoYesNoNo
Edit native Mobile Access check boxesYesNoNoNoNoYesNoNo
Okta Sign-On
View Okta Sign-On policiesYesYesNoNoYesYesNoNo
Add/update/delete policiesYesYesNoNoNoYesNoNo
Add/update/delete rulesYesYesNoNoNoYesNoNo
Drag and drop policies for prioritizationYesYesNoNoNoYesNoNo
Edit MFA factorsYesYesNoNoNoYesNoNo
OpenID Connect End-to-End Scenario+
Create and modify an OIDC App, including registering an OAuth client.
Can be restricted to OIDC client apps.
Add a social IDPYesYesNoNoNoNoNoNo
Read-only access to OAuth clients through the APIYesYesNoNoNoNoNoYes
Enable MFA for the Admin DashboardYesNoNoNoNoNoNoNo
API Tokens
Create User TokensYesYesYesNoYesNoNoNo
View User TokensYesYesYesNoYesNoNoNo
Clear User TokensYesYesNoNoNoNoYesNo
View User Social TokensYesYesYesYesNoNoNoNo
Manage TokensYesYesNoNoYesNoNoNo