Custom Admin Roles - A Guide to Least Privileged Okta Admins
Administration
Okta Classic Engine
Okta Identity Engine

Overview

By applying least privilege and zero standing access to Okta admin roles, and requiring step-up authentication for critical tasks, customers can significantly strengthen their security posture. This article walks through Custom Admin Roles in more detail.


Understanding Custom Admin Roles in Okta

Okta Custom Admin Roles were introduced to help build a more secure posture by letting super admins define roles that target specific areas of Okta’s management APIs. Over the last few quarters, Okta has added further granularity to the permissions and resource hierarchy available to these roles. This removes the need to assign the super admin role, or other highly privileged roles such as Org or App admin, just to accomplish a narrow set of jobs. This knowledge base article covers several of these permissions and how they can be used to create admin assignments with limited privileges.

 

Here is an overview of some of the granular permissions Okta has added to custom admin roles and how to benefit from them.

Customizations

Create an admin with only customization permissions: either ‘manage’ or ‘view’ access, scoped to all customization settings or to specific brands.
 

Permissions UI

Resources UI 1
 

An admin with the “Manage Customization” permission on “All Customizations” will have access to only this subset of the admin console:

Resources UI 2
Without this permission, granting someone management rights over customizations would require either the Org admin or the Super admin role.

Identity Providers

Management of identity providers can be the only permission the admin holds.

Identity Providers 1

Without this, the admin would need to be either an Org or a Super admin, which grants far more privilege than the task requires. Note the very narrow scope of admin access:

Identity Providers 2

IAM

A read-only permission that lets an admin view the roles and resource sets used in admin role assignments. Viewing further detail, such as the resources inside a resource set or the list of admins, requires extra permissions on those resources. Without this permission, the admin would have to be a super admin.

IAM 1


Note the very limited scope of view access this provides:
IAM 2
 

Authorization Servers

The Super admin or API Access Management admin role no longer has to be granted on the entire org to let an admin configure a given authorization server.
 

Authorization Server 1

Specific authorization servers can even be selected as the target, rather than all of them.


Select Authorization Server


The result is an admin with a very limited access area.

Authorization Server 2
 

Directory Integrations

These permissions allow for creating admins whose sole task is to manage the directory-specific settings of integrations such as LDAP or AD. An admin holding only these permissions cannot manage generic app features such as app-user assignment. Without them, the Super, App, or API Access Management admin role would have to be granted.

Directory Integrations
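Each of the sections above (customizations, identity providers, IAM viewing, authorization servers, directory integrations) follows the same pattern: a custom role carrying one narrow permission, a resource set naming the exact targets, and a binding that assigns the role to an admin or group. The following is an added example, not Okta’s code or anything from this article, showing that pattern against the Okta Management API in Python. The permission identifiers, the `/api/v1/iam/...` paths and the SSWS token header follow Okta’s documented IAM roles API as understood at the time of writing and should be verified against the current reference; the per-resource URL shape used for authorization servers, the org URL and all object ids are constructed placeholders.

```python
"""Least-privilege Okta custom admin roles: build the role, resource-set and
binding payloads and audit an existing role's permissions.

Added example, not Okta-supplied code. Permission ids and API paths are taken
from Okta's documented IAM roles API (verify against the current reference);
resource URL shapes, org URL and ids are constructed placeholders. Nothing is
sent unless the caller opens the Request returned by build_request."""
import json
import urllib.request

# One task-scoped allowlist per section of the article (assumed current ids).
TASK_PERMISSIONS = {
    "customizations": ("okta.customizations.manage",),
    "customizations_viewer": ("okta.customizations.read",),
    "identity_providers": ("okta.identityProviders.manage",),
    "iam_viewer": ("okta.iam.read",),
    "authorization_servers": ("okta.authzServers.manage",),
    "directory_integrations": ("okta.directories.manage",),
}


def role_payload(label, task, description=""):
    """Body for POST /api/v1/iam/roles: a role holding only the task's permissions."""
    if task not in TASK_PERMISSIONS:
        raise ValueError(f"unknown task {task!r}")
    return {"label": label,
            "description": description or f"Least-privilege role for {task}",
            "permissions": list(TASK_PERMISSIONS[task])}


def resource_set_payload(label, resources, description=""):
    """Body for POST /api/v1/iam/resource-sets. `resources` are REST URLs of the
    targets: one object (narrow) or a collection endpoint (all). Shapes assumed."""
    if not resources:
        raise ValueError("a resource set needs at least one resource")
    return {"label": label, "description": description or label,
            "resources": list(resources)}


def binding_payload(role_id, org_url, user_ids=(), group_ids=()):
    """Body for POST /api/v1/iam/resource-sets/{resourceSetId}/bindings.
    Binding to a group keeps the assignment reviewable in one place."""
    members = [f"{org_url}/api/v1/users/{u}" for u in user_ids]
    members += [f"{org_url}/api/v1/groups/{g}" for g in group_ids]
    if not members:
        raise ValueError("a binding needs at least one member")
    return {"role": role_id, "members": members}


def audit_permissions(granted, task):
    """Return (excess, downgradable): grants outside the task allowlist, and the
    subset of those that are '.manage' where the task only needs '.read'."""
    allowed = set(TASK_PERMISSIONS[task])
    excess = sorted(p for p in granted if p not in allowed)
    downgradable = sorted(p for p in excess if p.endswith(".manage")
                          and p[: -len("manage")] + "read" in allowed)
    return excess, downgradable


def build_request(org_url, api_token, method, path, body=None):
    """urllib Request for the Management API authenticated with an SSWS API token."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{org_url}{path}", data=data, method=method)
    req.add_header("Authorization", f"SSWS {api_token}")
    req.add_header("Accept", "application/json")
    req.add_header("Content-Type", "application/json")
    return req


def plan_authz_server_admin(org_url, authz_server_ids, group_id):
    """Ordered (method, path, body) calls creating an admin limited to the given
    authorization servers, for review before anything is sent. Ids returned by
    earlier calls are left as placeholders."""
    role = role_payload("Authz Server Admin", "authorization_servers")
    # Assumed per-server resource URL shape; check Okta's resource-set reference.
    targets = [f"{org_url}/api/v1/authorizationServers/{s}" for s in authz_server_ids]
    rset = resource_set_payload("Selected authorization servers", targets)
    binding = binding_payload("<role id from step 1>", org_url, group_ids=[group_id])
    return [("POST", "/api/v1/iam/roles", role),
            ("POST", "/api/v1/iam/resource-sets", rset),
            ("POST", "/api/v1/iam/resource-sets/<id from step 2>/bindings", binding)]


if __name__ == "__main__":
    # Constructed org URL and ids, printed for review rather than sent.
    for method, path, body in plan_authz_server_admin(
            "https://example.okta.com", ["aus0example1"], "00gexamplegroup"):
        print(method, path, json.dumps(body))
    # Audit: a customizations viewer who was handed manage rights and user admin.
    print(audit_permissions(["okta.customizations.manage", "okta.users.manage"],
                            "customizations_viewer"))
```

The audit function is the part worth keeping around: run it over the permission list of every custom role in the org and anything reported as excess is a candidate for removal, while anything reported as downgradable should be swapped for its read-only counterpart rather than dropped.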


Other Permissions

Okta has enabled many more granular permissions than the ones shown here. Check the help documentation and try these permissions out to build a least-privilege environment in which the super admin role is granted only when it is actually needed.

Okta makes it possible to ensure that administrators have access only to what they need and nothing more. This tightens security and also streamlines administrative tasks, keeping your IT team efficient and focused.
 
