Users encounter an authentication or device enrollment error in Okta Verify due to battery optimization settings, disabled screen lock confirmations, network restrictions, or insufficient permissions. Resolving this issue requires adjusting device battery settings, enabling screen lock confirmation, disabling network relays, or verifying administrator roles.
Users receive the following error when attempting to authenticate with Okta Verify or enroll a device:
You do not have permission to perform the requested action
- Okta Identity Engine (OIE)
- Okta Verify
- Android Devices
- iOS Devices
- Device Trust
This issue results from one of the following causes:
- Android Battery Optimization: On Android devices, the operating system puts the Okta Verify app to sleep to save battery, preventing it from running in the background.
- Screen Lock Requirements: The Okta Dashboard App Sign-on policy requires Possession factor constraints with Require user interaction, but the Screen lock confirmation setting is disabled in Okta Verify on the device.
- Network Restrictions: iCloud Private Relay (on iOS) or a VPN service blocks the connection.
- Insufficient Permissions: The user or administrator attempts to access an application or perform an action (such as an API call) without the necessary Role-Based Access Control (RBAC) permissions.
Adjusting Android Battery Optimization
To allow Okta Verify to run in the background on an Android device, add it to the list of apps that the battery settings never put to sleep.
- Open Settings on the Android device.
- Navigate to Battery and device care > Battery > Background usage limits.
- Add Okta Verify to the Never sleeping apps list.
Enabling Screen Lock Confirmation
To meet the possession factor constraints, enable the screen lock confirmation setting within the mobile application.
- Open the Okta Verify application on the mobile device.
- Access the Settings menu within the application.
- Enable the Screen lock confirmation setting.
Disabling Network Relays and VPNs
To prevent network relays or VPNs from blocking the connection, disable iCloud Private Relay or disconnect from the VPN.
- On an iOS device, navigate to Settings > [User Name] > iCloud > Private Relay and select Turn off Private Relay.
- Disconnect from any active VPNs or anonymizing services, then attempt the action again.
Verifying Admin RBAC Roles
To ensure the user has the correct RBAC permissions for the requested resource, verify the assigned roles in the Okta Admin Console.
- In the Okta Admin Console, navigate to Security > Administrators.
- Review the user's assigned roles to ensure they have the required permissions for the requested resource. For example, verify that a Help Desk Admin is not attempting to manage a Super Admin account.
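
The same role review can be scripted against the Okta Roles API listing (GET /api/v1/users/{userId}/roles). This is an added example, not part of the original article or Okta's own code. The org URL, API token, constructed sample responses, and the `triage` helper with its `required_type` parameter are assumptions for illustration, and the helper checks only the Help Desk Admin versus Super Admin case named above.

```python
import json
import urllib.request

def fetch_roles(org_url, api_token, user_id):
    """Return the roles assigned to a user via GET /api/v1/users/{id}/roles."""
    req = urllib.request.Request(
        f"{org_url}/api/v1/users/{user_id}/roles",
        headers={"Authorization": f"SSWS {api_token}",
                 "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def active_role_types(roles):
    """Role types with an ACTIVE assignment; inactive ones grant nothing."""
    return {r["type"] for r in roles if r.get("status") == "ACTIVE"}

def triage(actor_roles, target_roles, required_type=None):
    """Return findings that explain a permission error (empty list = none found).

    required_type is a hypothetical parameter: the role type the reviewer
    believes the requested action needs.
    """
    actor = active_role_types(actor_roles)
    target = active_role_types(target_roles)
    findings = []
    if not actor:
        findings.append("actor has no active admin role")
    # The case named in the article: a non-Super Admin acting on a Super Admin.
    if "SUPER_ADMIN" in target and "SUPER_ADMIN" not in actor:
        findings.append("target is a Super Admin but actor is not")
    if required_type and required_type not in actor:
        findings.append(f"actor lacks {required_type}")
    return findings

# Constructed sample responses (not real org data).
HELP_DESK = [{"id": "role-1", "type": "HELP_DESK_ADMIN", "status": "ACTIVE",
              "assignmentType": "USER"}]
SUPER = [{"id": "role-2", "type": "SUPER_ADMIN", "status": "ACTIVE",
          "assignmentType": "GROUP"}]
LAPSED = [{"id": "role-3", "type": "ORG_ADMIN", "status": "INACTIVE",
           "assignmentType": "USER"}]

if __name__ == "__main__":
    for name, actor in (("help desk", HELP_DESK), ("lapsed", LAPSED)):
        print(name, "->", triage(actor, SUPER))
```

In live use, pass the output of `fetch_roles` for the acting admin and the target user to `triage`, using a read-only API token.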
