
JasonA.21559 (Customer) asked a question.
By default, a helpdesk admin can reset the password and factors for a super admin and in essence, hijack the account.
Worse, a bad actor can use social engineering to get a helpdesk agent to reset the pass/factors.
Okta's solution is to scope a group that does NOT contain super admins and then restrict the role to that group. That does solve that problem BUT an org admin role can't be constrained. So in theory, an org admin can still hijack a higher privilege account.
I even went so far as to add all my admins to a group and create a custom admin role (with useless permissions) and then assigned the role to the group. Why? Because any group that grants an admin role can only be modified by a super admin. So at least there Okta saw fit to 'protect' admins. I made a group rule that said 'everyone BUT members of that admin group'. I used the new group to scope/restrict helpdesk admins.
This should not be. This can't be a good design, right? Is there another workaround?
This was brought up as an idea/feature request 3 years ago but it got no traction.
I just submitted a new/updated idea: https://ideas.okta.com/app/#/case/187531
Please upvote if I'm correct and/or let me know if there's a better way to block access to super admin accounts.
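An added example (not from the post or from Okta) of the check a defender would want after applying the workaround above: walk each admin's role assignments and flag any helpdesk-style role that is unconstrained or whose target group still contains a super admin, plus any org admin assignment, which the post notes cannot be constrained at all. The data is constructed sample input shaped like the Okta role and group-target responses; the set of constrainable role types beyond HELP_DESK_ADMIN is an assumption based on Okta's standard roles, not something the post states.

```python
"""Audit admin role scopes for the account-takeover path described in the post."""

# Standard roles Okta allows to be constrained to group targets. The post only
# names HELP_DESK_ADMIN (constrainable) and ORG_ADMIN (not); the rest is assumed.
CONSTRAINABLE = {"HELP_DESK_ADMIN", "USER_ADMIN", "GROUP_MEMBERSHIP_ADMIN", "APP_ADMIN"}

# Constructed sample: login -> roles; "targets" lists the role's group targets
# (empty list = unconstrained, i.e. the role's scope is the whole org).
ROLE_ASSIGNMENTS = {
    "alice": [{"type": "SUPER_ADMIN", "targets": []}],
    "bob":   [{"type": "HELP_DESK_ADMIN", "targets": []}],              # unconstrained
    "carol": [{"type": "HELP_DESK_ADMIN", "targets": ["Everyone"]}],    # scoped, but group has alice
    "dave":  [{"type": "HELP_DESK_ADMIN", "targets": ["Non-Admins"]}],  # scoped as the post suggests
    "erin":  [{"type": "ORG_ADMIN", "targets": []}],                    # cannot be constrained
}

# Constructed sample: group name -> member logins. "Non-Admins" mirrors the
# post's rule 'everyone BUT members of the admin group'.
GROUP_MEMBERS = {
    "Everyone": {"alice", "bob", "carol", "dave", "erin", "frank"},
    "Non-Admins": {"frank"},
}


def super_admins(assignments):
    """Logins holding SUPER_ADMIN, the accounts a scoped admin must never cover."""
    return {u for u, roles in assignments.items()
            if any(r["type"] == "SUPER_ADMIN" for r in roles)}


def audit(assignments, groups):
    """Return (login, role_type, reason) for every assignment that can reach a super admin."""
    supers = super_admins(assignments)
    findings = []
    for user, roles in assignments.items():
        for role in roles:
            rtype, targets = role["type"], role["targets"]
            if rtype == "ORG_ADMIN":
                findings.append((user, rtype, "role cannot be group-constrained; covers super admins"))
            elif rtype in CONSTRAINABLE:
                if not targets:
                    findings.append((user, rtype, "no group targets; scope is the whole org"))
                else:
                    covered = set().union(*(groups.get(g, set()) for g in targets))
                    exposed = supers & covered
                    if exposed:
                        findings.append((user, rtype, f"target groups contain super admins: {sorted(exposed)}"))
    return findings


if __name__ == "__main__":
    for login, rtype, reason in audit(ROLE_ASSIGNMENTS, GROUP_MEMBERS):
        print(f"{login:6} {rtype:16} {reason}")
```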

Hi @JasonA.21559 (Customer), thank you for reaching out to the Okta Community and thank you for raising awareness!
You are on the right track with the solutions you have implemented.
Assuming you have not already seen this security report, you can also review the advice provided there on the subject.
P.S. - Please note that I had to edit your Ideas link as it was not working; I think it was a copy-paste issue there. Should be good now.
If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you.
Hope my answer helps!