Configure the Help Desk Administrator Role
The Help Desk Administrator can perform common help desk actions. This role has a reduced set of permissions and promotes good security practices by not granting unnecessary permissions to help desk personnel.
You cannot selectively assign permissions to the Help Desk Administrator role. Instead, it has these fixed permissions:
· Reset Password
· Reset Multifactor Authentication
· Unlock Account
· Clear User Session
· View user profiles: only users in the groups to which the admin has been assigned.
The Help Desk Administrator role does not have the following permissions:
The Help Desk Administrator can perform these actions on all users or on select groups of users. This provides granular administrative control. The Help Desk Administrator cannot view or modify users outside of the selected group. Delegated administration allows you to spread administrative duties and, more importantly, segregate duties so that no administrator has too much control.
Note: While the Help Desk Administrator can't create API tokens, you can create an API token that carries this role's privileges for any given Help Desk admin. For example, you may implement a Reset MFA button in an application using Okta APIs and API tokens. For more information about API tokens, see API tokens. For information about Okta APIs, see Getting started with the Okta API.
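The fixed permission set and group scoping described above can be modeled in a few lines to audit planned group assignments before delegating. This is an added illustration, not Okta code or an Okta API; the action names, admin names, group names, and the rule that membership in any scoped group puts a user in scope are assumptions made for the example.

```python
# Illustrative model (added example): not Okta code and not an Okta API.
from dataclasses import dataclass
from typing import FrozenSet, Optional

# The fixed Help Desk Administrator permissions listed on this page (names assumed).
HELP_DESK_ACTIONS = frozenset({
    "reset_password", "reset_mfa", "unlock_account",
    "clear_user_session", "view_profile",
})

@dataclass(frozen=True)
class HelpDeskAdmin:
    name: str
    # None models "all users"; a set models a group-scoped assignment.
    scoped_groups: Optional[FrozenSet[str]] = None

def is_allowed(admin, action, user_groups):
    """True only for a fixed help desk action on a user inside the admin's scope."""
    if action not in HELP_DESK_ACTIONS:
        return False
    if admin.scoped_groups is None:
        return True
    # Assumption: membership in any scoped group puts the user in scope.
    return bool(admin.scoped_groups & set(user_groups))

def boundary_overlaps(admins, users):
    """Map each user reachable by more than one group-scoped admin to those admins."""
    overlaps = {}
    for user, groups in users.items():
        reach = sorted(a.name for a in admins
                       if a.scoped_groups is not None
                       and a.scoped_groups & set(groups))
        if len(reach) > 1:
            overlaps[user] = reach
    return overlaps

# Constructed sample data: two business units with separate help desk teams.
ADMINS = [
    HelpDeskAdmin("helpdesk-a", frozenset({"BU-A Users"})),
    HelpDeskAdmin("helpdesk-b", frozenset({"BU-B Users"})),
]
USERS = {
    "alice": ["BU-A Users"],
    "bob": ["BU-B Users"],
    "carol": ["BU-A Users", "BU-B Users"],  # in both groups: crosses the boundary
}

if __name__ == "__main__":
    print(is_allowed(ADMINS[0], "reset_mfa", USERS["bob"]))  # out of scope
    print(boundary_overlaps(ADMINS, USERS))
```

Any user reported by `boundary_overlaps` sits in more than one team's scope, so the group memberships should be reviewed before the role is assigned.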
Help Desk Administrator scenarios
The Help Desk Administrator role may be useful in these scenarios:
Configure the Help Desk Administrator role
Only Super Org Administrators may assign the Help Desk Administrator role to a user and optionally apply a group scope.
To create and configure the Help Desk Administrator role, do the following:
In the resulting dialog box, do the following:
Additional configuration for AD users
If you want your Help Desk Administrator to perform operations on users that delegate authentication to AD, you’ll also have to configure the AD policy:
Perform Actions as Help Desk Administrator
Guidance on Structuring Okta Groups
Groups have not fundamentally changed within Okta, but they are more useful and powerful when used with the Help Desk Administrator role. Getting the most out of delegated administration requires careful selection of Okta groups. The group(s) you choose should reflect your organization's structure or boundaries of control.
For example, an organization shares Okta-protected resources with two business units, A and B, each with its own users and a separate IT team that manages those users. It is important for the organization to maintain strict boundaries of control within Okta. A's IT team should only be able to view and manage A's users in Okta. Similarly, B's IT team should only be able to view and manage B's users in Okta. The organization can accomplish this by: