Okta Unveils Custom Administrator Permissions for Identity Threat Protection with Okta AI
Announcing Enhanced Administrator Controls in Okta's Identity Threat Protection
Okta, a leading identity and mobility management company, has introduced an update to its Identity Threat Protection (ITP) product, offering extended functionality for custom admin roles. This update aims to strengthen security measures, particularly for privileged accounts such as Super Admins, within the Adaptive Multi-Factor Authentication (Adaptive MFA) framework.
In this new setup, custom admin roles allow for more granular control over administrative permissions. A role defines what a user can do (operations), and a resource set defines what that role can operate on (data). This approach provides a robust system for role-based access control, enforcing the principle of least privilege.
With the introduction of custom admin roles, administrators can now perform a variety of operations, including deactivating and suspending users, clearing user sessions, managing user risk, viewing groups, viewing applications, and managing Shared Signals Framework (SSF) receiver streams, among others. These permissions can be scoped to specific applications, users (by group), workflows, policies, and groups through resource sets.
The update also includes new resource types, such as SSF receiver streams and logout configurations, to expand the scope of administrative functions. However, this update does not allow the configuration of Universal Logout for an app.
Okta's approach to custom admin roles involves strict role-based access controls to enforce least-privilege access, automated management of credentials, and integration with adaptive security controls. This underpins and complements the ITP capabilities, offering enhanced visibility and protection against identity threat vectors related to privileged access misuse.
The extended functionality primarily focuses on advanced identity threat detections for custom admin roles, especially Super Admins, integrated with Adaptive MFA. This helps reinforce security by monitoring and protecting administrator activities specifically, although broader ITP features like Universal Logout and extended Risk Policy Engine capabilities are not included in this scope.
Okta recommends that organisations take advantage of these custom admin roles to tailor permissions precisely, thus reducing risk. The ITP with Okta AI detections enhance protection for these custom roles by detecting potential identity threats targeting highly privileged users, helping to prevent account compromise or misuse.
For a comparison of role permissions for different admin roles, please refer to the product documentation.
This article is part of the Okta Secure Identity Product Blog Series, written by David Edwards, a product specialist with the Okta Product Acceleration Team. Identity Threat Protection with Okta AI is a product within Okta Workforce Identity.
- Okta's Identity Threat Protection update for custom admin roles offers increased security by permitting administrators to manage identity access, including deactivating and suspending users, clearing user sessions, and managing user risk, all within the framework of Adaptive Multi-Factor Authentication (Adaptive MFA).
- When implementing custom admin roles, Okta's approach involves the integration of Okta technology with adaptive security controls, providing enhanced visibility and protection against identity threats related to privileged access misuse.
- The updated Okta product now includes new resource types such as SSF receiver streams and logout configurations, expanding the scope of administrative functions while still maintaining the principle of least privilege in access management.
- To effectively tailor permissions for various admin roles and reduce risk, Okta urges organizations to refer to the product documentation, which compares role permissions for different admin roles within Okta Workforce Identity, particularly for Identity Threat Protection with Okta AI.