Permissions Required to Call Password Recovery API Endpoint
Okta Classic Engine
Okta Identity Engine
Admin Roles
Overview

This article explains the permissions required for a Custom Admin Role to successfully call the password recovery API endpoint without receiving a 403 Forbidden error.

Applies To
  • Custom Admin Roles
  • /api/v1/authn/recovery/password
Cause

The Custom Admin Role does not have the Manage users permission set assigned, which is required to access the password recovery endpoint.

Solution

To resolve the 403 Forbidden error, the Manage users permission toggle must be assigned to the Custom Admin Role.

  1. In the Admin Console, go to Security > Administrators.
  2. Select the Roles tab.
  3. Select the Edit icon next to the Custom Admin Role.
  4. Click Edit role, then Continue, and select the Manage users permission set.
  5. Select Save role.

NOTE:

  • Enabling Manage users also enables Manage API tokens. These permissions allow the admins to create API tokens that inherit the same permissions.
  • Ensure the administrator also has a resource set assigned that grants access to Users. Scoping the resource set to Groups does not grant privileges over the members of those groups.

The Manage users permission set is required only for a least-privileged custom admin role that calls this endpoint. Standard admin roles that can also call this endpoint include Super Administrator and Organization Administrator.
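
The requirements above can be checked before a token is issued for an integration. The following is an added example, not Okta code: it evaluates a constructed inventory of admin assignments against the conditions in this article. The inventory structure, admin names and custom role names are hypothetical; the permission, resource and standard role labels are the Admin Console names used above.

```python
# Added example: labels are the Admin Console names used in this article;
# the inventory structure and admin names are constructed for illustration.
STANDARD_ROLES_ALLOWED = {"Super Administrator", "Organization Administrator"}

def audit_recovery_access(assignment):
    """Return (can_call, findings) for one admin role assignment."""
    findings = []
    role = assignment["role"]
    if role in STANDARD_ROLES_ALLOWED:
        findings.append(f"standard role '{role}' can call the endpoint; "
                        "broader than a least-privileged custom role")
        return True, findings
    perms = set(assignment.get("permissions", []))
    resources = set(assignment.get("resource_types", []))
    can_call = True
    if "Manage users" not in perms:
        can_call = False
        findings.append("403 expected: Manage users is not assigned")
    if "Users" not in resources:
        can_call = False
        if "Groups" in resources:
            findings.append("403 expected: resource set is scoped to Groups, "
                            "which does not cover group members")
        else:
            findings.append("403 expected: resource set does not grant Users")
    if "Manage users" in perms:
        # Per the article's note, Manage users brings Manage API tokens with it.
        findings.append("review: admin can create API tokens that inherit "
                        "this role's permissions")
    return can_call, findings

# Constructed sample inventory (not real accounts).
INVENTORY = [
    {"admin": "helpdesk-svc", "role": "Custom: Password Recovery",
     "permissions": ["Manage users"], "resource_types": ["Users"]},
    {"admin": "portal-svc", "role": "Custom: Portal",
     "permissions": ["Manage users"], "resource_types": ["Groups"]},
    {"admin": "legacy-svc", "role": "Custom: Read Only",
     "permissions": [], "resource_types": ["Users"]},
    {"admin": "ops-admin", "role": "Organization Administrator"},
]

def run_audit(inventory=INVENTORY):
    """Map each admin name to its (can_call, findings) result."""
    return {a["admin"]: audit_recovery_access(a) for a in inventory}

if __name__ == "__main__":
    for admin, (ok, notes) in run_audit().items():
        print(f"{admin}: {'OK' if ok else 'BLOCKED'}", *notes, sep="\n  - ")
```

An assignment reported as OK still carries the "review" finding whenever Manage users is present, because that admin can mint API tokens with the same reach.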
