Create Custom Admin Roles that Prevent Help Desk Operations on Privileged Users
Okta Classic Engine
Okta Identity Engine

This knowledge base article guides Super Administrators of an Okta Workforce Org on how to constrain the privileges assigned to IT support staff using Custom Admin Roles.

 

This support article includes the following tasks:

  • Create a group for all non-privileged user accounts
  • Create Custom Admin Roles
  • Assign Custom Admin Roles to existing Help Desk Admins
  • Use Workflows to Monitor for Role Grants (Optional)

 

Create a group for all non-privileged user accounts

Okta recommends a “resource first” approach to creating Custom Admin Roles. 

An organization should first decide what resources (applications, user groups, workflows, etc.) a given set of administrators should be allowed to view or modify. 

If, for example, IT support staff in your organization are assigned to users by organizational unit or geographic region, we recommend creating the admin groups and user groups first, and only then creating the Custom Admin Role that will be assigned to them.

 

Warning: While our best practice guidance recommends creating multiple, overlapping role assignments for granular access, organizations seeking to constrain help desk administrators should also ensure that none of those administrators is additionally assigned a standard role.

 

Let’s assume, for illustrative purposes, that we are assigning a custom help desk role to all IT support staff, such that they can support all users except those with more privileged roles.

Our first step is to create a group of users that does not contain any accounts with administrative permissions; that is, the users our IT support staff are permitted to support.

The best way to do this is to use Group Rules and Expression Language to automatically build and maintain this group. This relies on Org administrators assigning administrative roles by Group rather than by User.

 
  1. In the Okta Admin Console, go to Directory > Groups > Rules, and select Add Rule.
  2. Choose Use Okta Expression Language to create a new group that includes users from the Okta-generated “Everyone” group but excludes users in groups that are assigned administrative roles.
    NOTE: When using Expression Language, the ! operator designates NOT.

 

[Screenshot: Create Group Rule]

 

  3. Use the Preview function to test the IF rules. Save the rule, then select Actions and Activate.

 

Create Custom Admin Roles

  1. In the Okta Admin Console, go to Security > Administrators > Resources, and select Create new resource set.
  2. Give the Resource Set a name and description.
  3. Select Add Resource, choose Users then Select Users, and select the aforementioned Group of regular (non-admin) users you want IT support staff to administer.
  4. Select Save selection.
    [Screenshot: Create new resource set]
  5. Click Create.
  6. Go to Security > Administrators > Roles, and select Create new role.
  7. Give the role a name and description.
    • You may wish to append “Custom” to the name to help keep track of the use of custom versus standard roles in your Org.
  8. Select the permissions granted for admins with this role.
    In the example image below, the same permissions available to the standard help desk role have been selected, along with a few additional permissions for viewing and running delegated Workflows created for IT support staff.
    [Screenshot: Custom Admin Role Permissions]
  9. Select Save role.

 

Assign Custom Admin Roles to existing Help Desk Admins

If your organization currently uses the standard help desk admin role, you will need to remove this role from IT support staff and assign them the custom help desk admin role.

 

Remember: An administrator who is assigned only Custom Admin Roles cannot perform operations on a user who holds the Super Administrator role, but they can if they are also assigned a standard role.

 

The advice below assumes that the standard help desk role was historically assigned to a specific Group (and not assigned individually).

 

  1. In the Okta Admin Console, go to Administrators > Roles, and select View or edit assignments in the dropdown menu for the standard Help Desk Administrator role.
    [Screenshot: View or Edit Assignments for Help Desk Administrator Role]
  2. Delete the assignment for the relevant Group of help desk administrators. Select Save changes for this deletion to take effect.
  3. Go to Administrators, and select View or edit assignments in the dropdown menu for the custom help desk administrator role created earlier.
  4. Select the group of Administrators, and the Resource Set they will be allowed to perform operations on.
    [Screenshot: Set Group and Resource Set for Custom Admin Role]
  5. Select Save Changes.

 

Use Workflows to Monitor for Role Grants (Optional)

If your security team is following best practices, they are likely already monitoring for privilege grants in your Okta organization.

 

Okta Workflows offers opportunities to immediately remedy or notify security personnel about privilege grants that don’t meet policy.

 

Workflows could be used, for example, to:

  • Execute whenever a user is granted any privilege
  • Check the debugData.debugContext.privilegeGranted object for what role was assigned and the debugData.debugContext.requestUri object for whether the privilege was granted via an individual or group assignment.
  • Alert the SOC if either (a) the standard Help desk administrator role was assigned or (b) a privilege was granted via an individual (rather than a group) assignment.
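The two checks above, applied to System Log events, as an added example that is not from the Okta article or Okta Workflows itself. The events are constructed samples; they nest the fields as `debugContext.debugData`, as System Log exports do, and the `requestUri` shapes assumed for individual (`/users/...`) and group (`/groups/...`) grants are placeholders.

```python
# Added example, not from the Okta article: applies the two checks listed above to
# Okta System Log events of type user.account.privilege.grant. The events are
# constructed and use the System Log's debugContext.debugData nesting; the
# requestUri shapes (/users/... individual, /groups/... group) are an assumption.
STANDARD_HELP_DESK_ROLE = "Help Desk Administrator"
GRANT_EVENT = "user.account.privilege.grant"


def grant_is_individual(request_uri: str) -> bool:
    """True when the role was attached to one user rather than to a group."""
    return "/users/" in request_uri


def evaluate_grant(event: dict):
    """Return a finding dict when the grant breaks policy, otherwise None."""
    if event.get("eventType") != GRANT_EVENT:
        return None
    data = (event.get("debugContext") or {}).get("debugData") or {}
    role, uri = data.get("privilegeGranted", ""), data.get("requestUri", "")
    reasons = []
    if role == STANDARD_HELP_DESK_ROLE:
        reasons.append("standard Help Desk Administrator role assigned")
    if grant_is_individual(uri):
        reasons.append("privilege granted via individual assignment")
    if not reasons:
        return None
    actor = (event.get("actor") or {}).get("alternateId", "?")
    target = (event.get("target") or [{}])[0].get("alternateId", "?")
    return {"actor": actor, "target": target, "role": role, "reasons": reasons}


def sample_event(role: str, uri: str, target: str) -> dict:
    """Constructed System Log event carrying only the fields the checks read."""
    return {"eventType": GRANT_EVENT, "actor": {"alternateId": "admin@example.com"},
            "target": [{"alternateId": target}],
            "debugContext": {"debugData": {"privilegeGranted": role, "requestUri": uri}}}


# Compliant custom-role group grant, then two violations: the standard role to a
# group, and a custom role assigned directly to a single user.
SAMPLE_EVENTS = [
    sample_event("Help Desk Custom", "/api/v1/groups/00gPLACEHOLDER/roles", "IT Support"),
    sample_event(STANDARD_HELP_DESK_ROLE, "/api/v1/groups/00gPLACEHOLDER/roles", "IT Support"),
    sample_event("Help Desk Custom", "/api/v1/users/00uPLACEHOLDER/roles", "user@example.com"),
]


def findings_for(events) -> list:
    """Run each event through evaluate_grant and keep only the violations."""
    return [f for f in map(evaluate_grant, events) if f is not None]
```

Each returned finding carries the actor, target, role and the reason(s) it tripped, which is the payload a Workflow would hand to the SOC.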