Okta Classic Engine · Single Sign-On · Answered (asked 2024-03-18, last updated 2024-03-22)

MichaelaD.59436 (Customer) asked a question.

Is there a way to allow users to clear their own session tokens?

We have a few use cases where users need to switch identities constantly, and even when logging out of Okta/clearing cache/cookies, the session persists. Clearing the user sessions from the admin portal fixes it, but the users are asking if there is a way to allow them to do it so that they don't need to submit a ticket to the admins once or twice a day.

Any suggestions? Is there a setting I missed?


  • TimL.58332 (Workflows)

    @MichaelaD.59436 (Customer) -- So not really.

    To confirm: The action you are referring to is the More Actions > Clear Users Sessions functionality in the Admin UI.

    This calls the Users API to perform a Delete method request:

    https://developer.okta.com/docs/reference/api/users/#user-sessions

    What this means is you have to have authn to perform the action, and a regular user isn't ever going to have permissions directly to endpoints to perform administrative tasks.

    You could potentially get creative assuming you have Okta Workflows.

    You could do something like a "Slack" Slash command that sends to an Okta Workflow that validates it's one of the "allowed users" and then performs the API call.

    Or even just provide a URL to a Workflow's API endpoint that contains a query string that could be parsed and only works if it's one of the users you want to reset.

    https://mydomain.workflows.okta.com/api/flo/ba1f1d18d5454545455bbe9f8e3d/invoke?user=example.user@mydomain.com

    This will show up as a payload:

    {
      "user": "example.user@mydomain.com"
    }

    That could be used to verify it's the correct user and then run an API call to reset their sessions.

    Even better would be some sort of random value that you generate and give a unique one to each of the users. So like:

    https://mydomain.workflows.okta.com/api/flo/ba1f1d18d5454545455bbe9f8e3d/invoke?value=abc123

    To one user and

    https://mydomain.workflows.okta.com/api/flo/ba1f1d18d5454545455bbe9f8e3d/invoke?value=zyx654

    To the other user.

    Then in the flow you just feed the extracted values from the payload to a lookup table. If it matches one of the allowed values, it then proceeds to do the session reset for that user. If it doesn't match, it does nothing. Since they are both unique (unguessable) values, User 1 won't know how to reset User 2.

    Selected as Best
  • TimL.58332 (Workflows)

    @MichaelaD.59436 (Customer) -- Just following up with this one. I had a little time today so I threw together an example Workflows flopack for what I described.

    Contains 2 flows + 1 table. It currently doesn't take any actions and uses Gmail to send the "reset" link to the user. But it is easy enough to modify to take a specific (or series of) actions.

    Note: The idea behind this is strictly for "testing" type purposes where, as you described, you have non-admin test users that need to perform admin-only task(s) but ONLY against their own specific "testing" account. By design this will not allow them to take any specific actions, only invoke a flow that can take pre-defined actions assuming they passed in a valid UUID.

    To use:

    1. Download Attached file
    2. Create a folder in Workflows and import the file
    3. Enable both flows
    4. Open the flow apiEndpointToPerformAction then click the </> Icon on the API Endpoint card and copy the Invoke URL
    5. Open the generateUserForAccess flow.
    6. Update the assign cards values (email and the api url)
    7. Run the generateUserForAccess flow which will create a user in the table AND send an email using Gmail
    8. Open the received email
    9. Click the "Clear Sessions" link
    10. Review the flow execution history on the apiEndpointToPerformAction flow.

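The design described across Tim's two replies (a generate step that issues each test user an unguessable value and emails a link carrying it, and an endpoint flow that parses the invoke URL's query string, checks the value against a lookup table, and only then issues the Users API DELETE for that user's sessions) is written out below as an added Python example. It is not code from the thread, from the attached flopack, or from Okta. It assumes a hypothetical org URL, a `send(method, url)` callback standing in for the Okta connector card (so no request is actually made), and that the user's login is accepted as the identifier in the sessions endpoint; a real flow would keep its SSWS API token on the flow side and never hand it to the user.

```python
import secrets
from urllib.parse import parse_qs, urlparse

# Assumptions for this example (not values from Okta or the thread's flopack):
OKTA_ORG = "https://mydomain.okta.com"  # hypothetical org base URL
INVOKE_URL = ("https://mydomain.workflows.okta.com/api/flo/"
              "ba1f1d18d5454545455bbe9f8e3d/invoke")  # invoke URL quoted in the thread


class AccessTable:
    """Stand-in for the Workflows table: one unguessable value per allowed user."""

    def __init__(self):
        self._rows = {}  # value -> login

    def issue(self, login):
        """Generate a fresh 256-bit random value for a user and remember it."""
        value = secrets.token_urlsafe(32)
        self._rows[value] = login
        return value

    def lookup(self, value):
        """Return the login bound to `value`, or None.

        Every row is compared with a constant-time check so that response
        timing does not reveal how much of a guessed value was correct.
        """
        probe = value.encode()
        match = None
        for stored, login in self._rows.items():
            if secrets.compare_digest(stored.encode(), probe):
                match = login
        return match


def build_reset_link(value):
    """The per-user link the generate flow would email out."""
    return f"{INVOKE_URL}?value={value}"


def parse_invoke_payload(url):
    """Turn the query string of an invoke URL into the flat payload the flow sees,
    e.g. ?user=example.user@mydomain.com -> {"user": "example.user@mydomain.com"}."""
    query = parse_qs(urlparse(url).query)
    return {key: values[0] for key, values in query.items()}


def clear_sessions_request(user_identifier):
    """Build the Users API call behind 'Clear User Sessions':
    DELETE /api/v1/users/{userId}/sessions. Passing the login as the identifier
    is an assumption here; a production flow would resolve it to the user id first."""
    return "DELETE", f"{OKTA_ORG}/api/v1/users/{user_identifier}/sessions"


def handle_invoke(table, payload, send):
    """The endpoint flow: act only when the submitted value is in the table.

    `send(method, url)` stands in for the Okta connector card; the API token it
    would use lives inside the flow and is never exposed to the user.
    """
    login = table.lookup(payload.get("value", ""))
    if login is None:
        return {"status": "ignored"}  # unknown or missing value: do nothing
    method, url = clear_sessions_request(login)
    send(method, url)
    return {"status": "cleared", "user": login}
```

Because the value is bound to exactly one login in the table, a user who has their own link can only ever clear their own sessions, and a request with a value that is not in the table produces no API call at all; that is the property the two-flow flopack relies on.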
This question is closed.