Granular Access to Okta Logs for a Specific Realm Administrator
Okta Identity Engine
Secure Partner Access
Overview

A customer using Secure Partner Access (SPA) needs to restrict a realm administrator's System Log access to that administrator's own realm. The custom "read-only" roles the customer has tried grant visibility into logs for the whole org rather than for a single realm. The customer also asks whether a user's realm is stored in a specific user attribute that can be searched through the Okta API.

Applies To
  • Role-Based Access Control (RBAC) and Log Auditing
  • Okta Identity Governance / Secure Partner Access (SPA)
  • Multi-realm environments requiring delegated log access
  • Okta Identity Engine (OIE)
Cause

Currently, Okta does not have a specific, granular administrative role that limits system log visibility to a single realm. Standard administrative roles for logs are scoped at the organizational level, meaning any user granted log-viewing permissions can see events across the entire tenant.

Additionally, the "Realm" designation is a management boundary rather than a default metadata attribute stored on the user profile.

Solution
  • Submit a Feature Request: At this time, there is no native configuration within the Okta Admin Console to restrict System Log UI access to a specific realm. It is recommended to submit a feature request via the Okta Ideas portal. Our Engineering and Product teams prioritize enhancements based on customer votes and feedback.

  • API Filtering Limitations: There is no built-in user profile attribute (for example, user.realm) that can be used to query or filter users by realm through the standard Users API.

  • Alternative for Log Scoping:

    • External Log Management: To achieve realm-specific log isolation, export Okta System Log events to an external log management tool (for example, Splunk, Sumo Logic, or an AWS S3 bucket), either through an Okta Log Streaming integration or by polling the System Log API. Okta still emits the log as a single org-wide stream; the isolation is enforced by the external tool, not by Okta.

    • Custom Filtering: Once the events are in the external system, build dashboards or access-restricted views that select events by actor or target attributes that follow the realm's naming conventions or metadata (for example, the email domain in actor.alternateId or target[].alternateId). Because a realm administrator's view then depends on that convention, verify that every user in the realm actually conforms to it; events for non-conforming users are silently excluded from the view.
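The following is an added example, not code from the Okta article, of the filtering logic a restricted view would apply once System Log events have been exported. It assumes a hypothetical naming convention in which each partner realm's users sign in with an email under a known domain (REALM_DOMAINS, with made-up realm names and domains) and runs over a few constructed events in the shape of Okta System Log records. An event is visible to a realm administrator if its actor or any User-type target maps to that realm; events that map to no realm are collected separately so an operator can see what the convention fails to cover.

```python
import json
from typing import Dict, Iterable, List, Optional, Set

# Hypothetical naming convention: realm name -> email domains its users sign in with.
# A real deployment would load this from configuration; these values are made up.
REALM_DOMAINS: Dict[str, Set[str]] = {
    "partner-acme": {"acme-partner.example"},
    "partner-globex": {"globex.example", "globex-contractors.example"},
}

# Constructed sample events in the shape of Okta System Log records.
# Only the fields this example reads are populated.
SAMPLE_EVENTS: List[dict] = json.loads("""
[
 {"uuid": "e1", "eventType": "user.session.start", "published": "2024-05-01T08:00:00.000Z",
  "actor": {"id": "00u1", "type": "User", "alternateId": "alice@acme-partner.example"},
  "target": []},
 {"uuid": "e2", "eventType": "user.account.reset_password", "published": "2024-05-01T08:05:00.000Z",
  "actor": {"id": "00u9", "type": "User", "alternateId": "admin@corp.example"},
  "target": [{"id": "00u2", "type": "User", "alternateId": "Bob@Globex.example"}]},
 {"uuid": "e3", "eventType": "user.session.start", "published": "2024-05-01T08:10:00.000Z",
  "actor": {"id": "00u3", "type": "User", "alternateId": "carol@corp.example"},
  "target": []},
 {"uuid": "e4", "eventType": "system.api_token.create", "published": "2024-05-01T08:15:00.000Z",
  "actor": {"id": "okta", "type": "SystemPrincipal", "alternateId": "system@okta.com"},
  "target": [{"id": "tok1", "type": "Token", "alternateId": "unknown"}]},
 {"uuid": "e5", "eventType": "user.lifecycle.create", "published": "2024-05-01T08:20:00.000Z",
  "actor": {"id": "00u9", "type": "User", "alternateId": "admin@corp.example"},
  "target": [{"id": "00u5", "type": "User", "alternateId": "dave@acme-partner.example"},
             {"id": "0oa1", "type": "AppInstance", "alternateId": "Partner Portal"}]}
]
""")


def realm_for_login(alternate_id: Optional[str], realm_domains: Dict[str, Set[str]]) -> Optional[str]:
    """Map a login/email to a realm by its domain (case-insensitive); None if no convention matches."""
    if not alternate_id or "@" not in alternate_id:
        return None
    domain = alternate_id.rsplit("@", 1)[1].lower()
    for realm, domains in realm_domains.items():
        if domain in domains:
            return realm
    return None


def event_realms(event: dict, realm_domains: Dict[str, Set[str]]) -> Set[str]:
    """Realms an event touches: the actor plus every User-type target.
    Non-user targets (apps, tokens) carry no realm and are ignored."""
    principals = [event.get("actor") or {}]
    principals += [t for t in (event.get("target") or []) if t.get("type") == "User"]
    realms: Set[str] = set()
    for principal in principals:
        realm = realm_for_login(principal.get("alternateId"), realm_domains)
        if realm is not None:
            realms.add(realm)
    return realms


def filter_for_realm(events: Iterable[dict], realm: str,
                     realm_domains: Dict[str, Set[str]]) -> List[dict]:
    """Events a realm administrator may see. An unknown realm name is rejected
    rather than silently producing an empty (or, worse, unfiltered) view."""
    if realm not in realm_domains:
        raise KeyError(f"unknown realm: {realm}")
    return [e for e in events if realm in event_realms(e, realm_domains)]


def unassigned_events(events: Iterable[dict], realm_domains: Dict[str, Set[str]]) -> List[dict]:
    """Events that map to no realm. These never reach any realm view, so an
    operator should review them for users whose login breaks the convention."""
    return [e for e in events if not event_realms(e, realm_domains)]


if __name__ == "__main__":
    for name in REALM_DOMAINS:
        ids = [e["uuid"] for e in filter_for_realm(SAMPLE_EVENTS, name, REALM_DOMAINS)]
        print(f"{name}: {ids}")
    print("unassigned:", [e["uuid"] for e in unassigned_events(SAMPLE_EVENTS, REALM_DOMAINS)])
```

Note that event e2 and e5 are performed by a corporate administrator against partner users; they appear in the partner realm's view because the target is in the realm, so the realm administrator does see the acting corporate account's login. Events e3 and e4 match no convention and land in the unassigned set, which is the place to look when a realm's users are missing from a view. The same selection logic can be expressed as a fixed search filter on a restricted role in the external tool; the point of the example is the decision rule, not the Python.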
