
dse7i (dse7i) asked a question.
What is the "correct" way to create an Okta Administrative API Token for a user with a custom admin role?
I created a custom "read-only" admin role that has the following:
User permissions
- View users and their details
Group permissions
- View groups and their details
I also created a resource set of all users and groups in the org:
User resources
- All users in the organization
Group resources
- All groups in the organization
Then, I assigned this role and resource set to a user. I logged in as the user and through the UI, I can correctly see all users and groups in the directory. I can also view tokens at https://<my okta domain>.com/admin/access/api/tokens. What I cannot do is create a new token. How should I do this?
As a workaround, I found I can elevate this user to the standard "Read-only Administrator" admin role, create the token, and then remove the role. This seems clunky.

Hello @dse7i (dse7i), thank you for reaching out to our Community!
Depending on the level of Administrator, you have access to different types of actions and information within the Admin panel. Please also note that if you downgrade the level of admin, you also downgrade the actions on an existing API token.
Please review our documentation on Administrators:
https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm
https://help.okta.com/en/prod/Content/Topics/Security/Administrators.htm
Hope this helps!
This is the way! (Although clunky, it works 👍 )