Four Benefits of Okta’s New Custom Admin Roles

Organizations across every industry are facilitating an exponential rise in new app creation and usage. This increase is making centralized access management increasingly costly and complex. Okta has always featured specific admin roles to meet these needs, spanning from “mobile admin” and “report admin” roles, to the global “Okta super admin”. While these roles still serve their intended purpose, the way one organization uses them may be very different from another. In fact, a “one size fits all” approach can leave admins with under-provisioned access, or worse, overprovisioned permissions, leading to a more permissive security posture. To address this evolving and complex landscape, we’re happy to introduce custom admin roles, a new way to apply a least-privileged approach to administration that fits each unique organizational structure.

Custom admin roles can be used to create granular roles for admins to manage users, groups, and applications. They provide the flexibility to meet a broad set of use cases while ensuring each admin has just the level of access they require.


Beyond just defining what permissions an admin should have, custom admin roles allow you to constrain those permissions to a subset of the resources in an org, such as a group of users or a suite of apps. This allows for the kind of customization where certain admins may only manage marketing-related apps, while another is restricted to managing only engineering-related apps.

Four benefits, to name a few

This level of flexibility can be used to address many delegated administration needs. Custom admin roles have the power to improve your administration experience with Okta today. Read on to learn the four key benefits of using custom admin roles:

  1. Decrease costs and increase productivity by allowing Okta Super Admins to delegate admin tasks to other users, reducing the need for dedicated IT staff and freeing them to focus on higher-impact tasks. Do this by re-assigning an admin to a lower-privileged standard role, then adding just the additional permissions they need to do their job. This reduces the tradeoff many admins currently make between granting a user too many privileges and taking on the additional responsibilities themselves.
  2. Reduce risk and decentralize the span of administration by decreasing the scope of access a single admin may have. For example, you can separate helpdesk admins who can provide MFA resets from those who cannot by assigning permissions like “edit users’ authenticator operations”. This reduces, and in some cases eliminates, the risk of an internal bad actor performing an account takeover.
  3. Grant further autonomy to business units by allowing them to self-manage groups and application access for users in their business unit. This is a powerful capability that custom admin roles unlock. You can now define not only which groups an admin can add users to, but also a subset of users they’re restricted to viewing and adding to groups. This is true for both group and application assignments.
  4. Meet audit needs by allowing auditors to access crucial information they need directly. With granular read access to just users and applications, auditors receive only the access they require, reducing the burden on a Super Admin to supply the data manually.

Customer spotlight: Zoom 

Zoom had a need to limit the actions of their Support admins to managing lifecycle state changes for their contractor workers—and no others. Okta’s custom admin roles allowed for the kind of granularity required to make this a safe and easy-to-implement restriction.  

“Security is of utmost importance to us, and that extends from all of our customers on the Zoom platform to our internal access controls. Custom admin roles help to secure user data with admins that can only perform some user management tasks, not all. Additionally, the new reports allow us to regularly audit all admin access, further establishing this security.” —Gary Chan, Head of IT Infrastructure and Employee Services, Zoom

But there's more innovation to come

Not only are custom admin roles a powerful new feature for IT admins today, but they’re also built with the future in mind. They’ve been built as a platform, set to scale with the needs of any and all Okta customers. Here are three more unique capabilities we will be unlocking in the near future.

  1. Delegated administration expansion to additional teams. Although other teams such as HR are stakeholders in the identity of employees, Okta administration is typically restricted to IT staff. Custom admin roles will allow HR to become Okta admins. With these expanded role capabilities, HR will be able to run and validate users from an HRaaS import. We’ll do this by continuing to expand on the types of permissions available, such as running imports and managing authorization servers. We’ll also be getting even more granular on user lifecycle state changes such that one admin can only activate users, while another can only deactivate them.
  2. Increase the power of Okta Workflows by allowing any user in your organization to run specified workflow(s). We’re enabling this by expanding the custom admin roles framework into Okta Workflows, setting the stage for granular access to additional Okta products in the near future. 
  3. Secure your users’ data further by restricting admin access to specific profile attributes. We’re building out a conditionals framework that will allow you to define which user profile attributes an admin can and cannot view or modify. This is useful for locking down personally identifiable information (PII) that may not be relevant to certain admins based on their role. For example, an admin responsible for updating a user’s “Manager” field doesn’t need access to view or edit a user’s birthday or home address.

Custom admin roles unlock the full potential of delegated administration, saving you time and money with the ability to delegate various admin tasks to other admins, business units, or agencies. And we’re not stopping there—the future of custom admin roles expands across the entire Okta platform. Check out this video to see custom admin roles in action!