Create Custom Admin Roles for User Account Recovery Processes
Okta Identity Engine
Admin Roles

Overview

This knowledge base article guides Okta Workforce administrators with access to the Super Administrator role on how to constrain the privileges assigned to IT support staff using Custom Admin Roles.

This support article includes the following tasks:

  • Create a user group whose members are eligible to be assigned Temporary Access Codes (TAC)

  • Create a custom admin role for help desk professionals with permission to assign Temporary Access Codes

  • Configure the Temporary Access Code authenticator

Solution

1. Create a group for TAC-eligible users

Create a user group containing the users for whom a Temporary Access Code is an eligible authenticator. These are the only users to whom IT Support staff will be permitted to assign Temporary Access Codes, so you may wish to exclude certain user profiles (for example, privileged accounts) from this group.

Name the group (e.g. “Temporary access code eligible group”) and add users manually or by bulk assignment.

2. Create a custom help-desk role

Okta recommends a “resource first” approach to creating Custom Admin Roles. An organization should first decide which resources (applications, user groups, workflows, etc.) a given set of administrators should be allowed to view or modify, and only then assign roles and permissions to those administrators.

In our case, the resource in question is the user group created in Step 1. Create a resource set and name it (e.g., “Help desk TAC resource set”). At the Add resource step, add the TAC-eligible group from Step 1 twice: once under Users (so the role is scoped to the members of that group) and once under Groups (so the role is scoped to the group itself).

 

Create a role and give it a name (e.g. “Help desk TAC admin”).

In our case, a helpdesk administrator authorized to assign temporary access codes will require the following permissions, at a minimum:

  • View Users and their Details
  • Edit user’s group membership
  • View groups and their details
  • Manage group membership
  • Manage user's temporary access code

Assign the new admin role to one or more administrators

Follow the Okta documentation for assigning an admin role, using either the From the People page or the From the Groups page procedure. In both cases:

  1. Select the TAC admin role.
  2. Select the TAC resource set.
  3. Click Save Changes.

You may optionally want to create an Access Request for temporary, just-in-time assignment of this role in some circumstances.

3. Configure the Temporary Access Code authenticator

Follow the instructions on the Temporary Access Code authenticator help pages.

Consider the policy options available in App Sign In Policies that would constrain use of Temporary Access Codes by network, device status, and pairing with additional authenticators.
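Because the role and resource set from Steps 1 and 2 are what keep a help desk administrator from acting on users outside the TAC-eligible group, it is worth re-checking them periodically for drift. The following audit is an added example, not code from this article or from Okta: it takes a role and a resource set in the shape of Okta IAM API objects (constructed here offline) and flags permissions beyond the Step 2 minimum or resources that widen scope beyond the TAC group. The four `okta.*` permission identifiers are Okta's documented ones; the TAC permission identifier and the org domain and group id are placeholders you must replace.

```python
import re

# Minimum permissions for the help-desk TAC role, as listed in Step 2. The
# four okta.* ids are Okta's documented identifiers; the TAC permission id is
# an ASSUMED placeholder: substitute the real one from your org's permission list.
ALLOWED_PERMISSIONS = {
    "okta.users.read",                    # View Users and their Details
    "okta.users.groupMembership.manage",  # Edit user's group membership
    "okta.groups.read",                   # View groups and their details
    "okta.groups.members.manage",         # Manage group membership
    "PLACEHOLDER.users.tac.manage",       # Manage user's temporary access code
}

# Resource-set entries for a group itself and for the users in that group.
GROUP_RESOURCE = re.compile(
    r"^https://[^/]+/api/v1/groups/(?P<id>[^/]+)(?P<users>/users)?$")

def audit_binding(role, resource_set, tac_group_id):
    """Return a list of findings; an empty list means the binding matches
    the least-privilege shape described in Steps 1 and 2."""
    findings = []
    for perm in sorted(set(role["permissions"]) - ALLOWED_PERMISSIONS):
        findings.append(f"permission beyond the help-desk minimum: {perm}")
    seen = set()
    for res in resource_set["resources"]:
        match = GROUP_RESOURCE.match(res)
        if match is None:
            findings.append(f"resource not scoped to a group (org-wide?): {res}")
        elif match.group("id") != tac_group_id:
            findings.append(f"resource targets a non-TAC group: {res}")
        else:
            seen.add("users" if match.group("users") else "group")
    for kind in ("group", "users"):
        if kind not in seen:
            findings.append(f"resource set is missing the TAC group's {kind} entry")
    return findings

# Constructed sample data in the shape of Okta IAM API role / resource-set
# objects; the org domain and group id are made up.
TAC_GROUP = "00gTACELIGIBLE"
GOOD_ROLE = {"label": "Help desk TAC admin", "permissions": sorted(ALLOWED_PERMISSIONS)}
GOOD_SET = {"label": "Help desk TAC resource set", "resources": [
    f"https://example.okta.com/api/v1/groups/{TAC_GROUP}",
    f"https://example.okta.com/api/v1/groups/{TAC_GROUP}/users"]}
# A drifted binding: an extra password-reset permission and an org-wide users scope.
DRIFTED_ROLE = {"label": "Help desk TAC admin",
                "permissions": GOOD_ROLE["permissions"] + ["okta.users.credentials.resetPassword"]}
DRIFTED_SET = {"label": "Help desk TAC resource set",
               "resources": ["https://example.okta.com/api/v1/users"]}
```

Running `audit_binding(DRIFTED_ROLE, DRIFTED_SET, TAC_GROUP)` reports the extra permission, the org-wide resource, and the two missing TAC-group entries; the compliant pair returns no findings.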
