00u1agbd0w8mntgPJ1d1.5351321368124998E12 (Customer) asked a question.
Is it possible to customize admin levels in order to reduce risk?
For example - Could an admin role be created that allows only app provisioning and token resets? Is it possible to get more granular and allow only certain apps to be provisioned by this admin account?
Business Case - Risk would like to reduce the number of "global admins" for lack of a better term. I want to balance the risk out and still allow IT support to fully assist end users.
Business Case * 2 - We have a Workday integration and there is concern that team members could change the SSO login to an incorrect team member and see their beneficiaries and other personal data. If I could remove Workday application assignment to a few admins, that would ease their concern.
Update - I see an application admin that can perform this role. However, when I added a user to application admin, they lost Help Desk admin. I then added both of them at the same time after removing App Admin.
I think I am close. Is there a way to allow assignment to all applications except a few? For example, I could remove the assignment capability for the Workday integration. This would address the Risk department concerns.
This was the response I received from Okta Support.
Unfortunately, at this moment, there is no such feature, however I recommend you to create a feature request in our community forums. When you’re in Okta Admin portal > Help & Support > Go to Ideas and submit this in your own words. This is the model going forward to empower Okta admin to make requests, and to solicit input from the community who also share your desire for this enhancement, not to mention it can be tracked while going forward. I hope this information will be of help.