Required Permissions
Create an Okta account with privileges to manage the Okta accounts you want to aggregate. Okta provides different levels of permission that provide create, update, and delete account capability.
Review the permission model below and create the account with the least privilege that covers the operations you need. Generate an Okta API token for this account; the connector uses that token to authenticate. For example, you can create an account with Super Admin, Org Admin, or Group Admin permissions.
| Connector Operation | Super Admin | Org Admin | Group Admin | App Admin | Read-only Admin | Help-desk Admin |
|---|---|---|---|---|---|---|
| Test Connection | Yes | Yes | Yes | Yes | Yes | Yes |
| Aggregate Standard Attributes | Yes | Yes | Yes | Yes | Yes | Yes |
| Aggregate Groups Attribute | Yes | Yes | No | Yes | Yes | No |
| Aggregate Roles Attribute | Yes | No | No | No | No | No |
| Aggregate Factors Attribute | Yes | Yes | Yes | No | Yes | Yes |
| Aggregation of Custom Roles | Yes | No | No | No | No | No |
| Aggregation of Applications | Yes | No | No | Yes | Yes | No |
| Delta Aggregation | Yes | Yes | No | Yes | Yes | No |
| Create Users | Yes | Yes | Yes | No | No | No |
| Enable/Disable Users | Yes | Yes | Yes | No | No | No |
| Unlock Accounts | Yes | Yes | Yes | No | No | Yes |
| Password Resets/Change password | Yes | Yes | Yes | No | No | No |
| Pass-through Authentication | Yes | Yes | Yes | Yes | Yes | Yes |
| Management of APP Target and APP Instance Target for APP_ADMIN Role | Yes | No | No | No | No | No |
| Management of Group Target for HELP_DESK_ADMIN Role | Yes | No | No | No | No | No |
| Add/Remove Groups | Yes | Yes | No | No | No | No |
| Add/Remove Applications | Yes | No | No | Yes | No | No |
| Add/Remove Roles | Yes | No | No | No | No | No |
| Create/Update/Delete group | Yes | Yes | No | No | No | No |
| Requirement | Scopes |
|---|---|
| Mandatory Scopes | okta.logs.read, okta.users.manage, okta.groups.manage |
| Additional Scopes to Manage Roles | okta.roles.manage |
| Additional Scopes to Manage Factors | okta.factors.manage |
| Additional Scopes to Manage Applications | okta.apps.manage |
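The two tables above are what you would consult by hand when deciding which admin role and which token scopes a connector deployment actually needs. The following is an added example, not vendor code: it encodes the permission matrix and the scope table from this page and, for a given list of connector operations, reports the roles that permit all of them (least privileged first) and the scopes the API token must carry. The privilege ranking of the roles and the mapping of individual operations to the "additional" scopes are assumptions made for this example; the page itself does not rank the roles or state which operation needs which extra scope.

```python
"""Least-privilege helper for the Okta connector permission matrix.

Added example (not vendor code). It transcribes the permission matrix and the
scope table from this page and answers two questions for a planned deployment:
which admin roles allow every operation the connector will perform, and which
API scopes the token must be granted.
"""
from typing import Dict, Iterable, List, Set, Tuple

# Admin roles in the column order used by the matrix on this page.
ROLES: Tuple[str, ...] = (
    "Super Admin", "Org Admin", "Group Admin",
    "App Admin", "Read-only Admin", "Help-desk Admin",
)

# ASSUMPTION: ranking from least to most privileged. The page does not rank roles.
PRIVILEGE_ORDER: Tuple[str, ...] = (
    "Read-only Admin", "Help-desk Admin", "Group Admin",
    "App Admin", "Org Admin", "Super Admin",
)

# One row per connector operation, Yes=1 / No=0 in ROLES order (transcribed from the page).
MATRIX: Dict[str, Tuple[int, ...]] = {
    "Test Connection":                 (1, 1, 1, 1, 1, 1),
    "Aggregate Standard Attributes":   (1, 1, 1, 1, 1, 1),
    "Aggregate Groups Attribute":      (1, 1, 0, 1, 1, 0),
    "Aggregate Roles Attribute":       (1, 0, 0, 0, 0, 0),
    "Aggregate Factors Attribute":     (1, 1, 1, 0, 1, 1),
    "Aggregation of Custom Roles":     (1, 0, 0, 0, 0, 0),
    "Aggregation of Applications":     (1, 0, 0, 1, 1, 0),
    "Delta Aggregation":               (1, 1, 0, 1, 1, 0),
    "Create Users":                    (1, 1, 1, 0, 0, 0),
    "Enable/Disable Users":            (1, 1, 1, 0, 0, 0),
    "Unlock Accounts":                 (1, 1, 1, 0, 0, 1),
    "Password Resets/Change password": (1, 1, 1, 0, 0, 0),
    "Pass-through Authentication":     (1, 1, 1, 1, 1, 1),
    "Management of APP Target and APP Instance Target for APP_ADMIN Role": (1, 0, 0, 0, 0, 0),
    "Management of Group Target for HELP_DESK_ADMIN Role":                  (1, 0, 0, 0, 0, 0),
    "Add/Remove Groups":               (1, 1, 0, 0, 0, 0),
    "Add/Remove Applications":         (1, 0, 0, 1, 0, 0),
    "Add/Remove Roles":                (1, 0, 0, 0, 0, 0),
    "Create/Update/Delete group":      (1, 1, 0, 0, 0, 0),
}

# Scopes every token needs, from the scope table on this page.
MANDATORY_SCOPES: Set[str] = {"okta.logs.read", "okta.users.manage", "okta.groups.manage"}

# ASSUMPTION: which operations trigger each "additional" scope. The page lists the
# scopes by purpose (roles, factors, applications); the per-operation mapping is ours.
ADDITIONAL_SCOPES: Dict[str, Set[str]] = {
    "okta.roles.manage": {
        "Aggregate Roles Attribute", "Aggregation of Custom Roles", "Add/Remove Roles",
        "Management of APP Target and APP Instance Target for APP_ADMIN Role",
        "Management of Group Target for HELP_DESK_ADMIN Role",
    },
    "okta.factors.manage": {"Aggregate Factors Attribute"},
    "okta.apps.manage": {"Aggregation of Applications", "Add/Remove Applications"},
}


def _validate(operations: Iterable[str]) -> List[str]:
    """Return the operations as a list, rejecting names not in the matrix."""
    ops = list(operations)
    unknown = [o for o in ops if o not in MATRIX]
    if unknown:
        raise ValueError(f"unknown connector operation(s): {unknown}")
    return ops


def roles_allowing(operations: Iterable[str]) -> List[str]:
    """Roles that permit every listed operation, least privileged first."""
    ops = _validate(operations)
    allowed = []
    for role in PRIVILEGE_ORDER:
        col = ROLES.index(role)
        if all(MATRIX[op][col] for op in ops):
            allowed.append(role)
    return allowed


def least_privileged_role(operations: Iterable[str]) -> str:
    """The lowest-ranked role that still covers all operations (Super Admin covers everything)."""
    return roles_allowing(operations)[0]


def required_scopes(operations: Iterable[str]) -> Set[str]:
    """Mandatory scopes plus any additional scope triggered by the listed operations."""
    ops = set(_validate(operations))
    scopes = set(MANDATORY_SCOPES)
    for scope, triggers in ADDITIONAL_SCOPES.items():
        if ops & triggers:
            scopes.add(scope)
    return scopes


if __name__ == "__main__":
    # Constructed sample: a connector that only aggregates and unlocks accounts.
    planned = ["Aggregate Standard Attributes", "Aggregate Factors Attribute", "Unlock Accounts"]
    print("roles allowing all operations:", roles_allowing(planned))
    print("least privileged role:", least_privileged_role(planned))
    print("token scopes required:", sorted(required_scopes(planned)))
```

Run the module directly to see the report for the constructed sample; in practice, replace `planned` with the operations your deployment enables and grant the account the first role returned rather than defaulting to Super Admin.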
Activity Insights
An administrator requires the following additional permissions to use Activity Insights:
| Scope | Description |
|---|---|
| okta.apps.read | Allows read-only access to applications in your Okta organization. |
| okta.groups.read | Allows read-only access to group information in your Okta organization. |
| okta.logs.read | Allows read-only access to the system log in your Okta organization. |
| okta.users.read | Allows read-only access to existing user profile information in your Okta organization. |
For more information on configuring Activity Insights, refer to Activity Insights Settings.