Okta Super Admins - Part 2: You Don't Need So Many Okta Super Admins

How many super admins do you need? Fewer than you might think!

Friday, June 06, 2025

Oktually is an observability platform for Okta. If you want help downgrading Okta admins, sign up now!

This is part 2 of a series on Okta Super Admins. Part 1 asked, ARE You Eligible for Okta Super Admin?.

Fear Driven Admin Assignment

If you’ve followed the philosophy of Alignment, Responsibility and Experience (ARE), it’s likely you’ve got a small group of eligibile users for Super Admin access.

However, it can still feel uncomfortable to you or your managers to only assign a few Super Admins (we’ll get to some lower limits later) — this is often driven by fear, when we should be promoting knowledge.

More Supers Won’t Help You

It might seem tempting to spread Super around, “just in case”, but when nobody can sign into the internal app supporting your Customer Care team, it’s guaranteed 18 of the 20 Super admins you’ve assigned will not be able to fix the issue.

The two that can will be the one who made the change and the one who knows Okta’s sign in flow inside out.

Even more importantly, fixing this issue doesn’t require a Super Admin, a combination of Org & App admin would likely have worked. You still don’t want to give these away to anyone, but at least those roles significantly reduce the risk of complete compromise.

Friction is OK

When a Super Admin’s powers are genuinely needed, you want there to be some friction in getting hold of them.

A small number of highly qualified Supers allows you to keep tabs on Super-level changes happening in Okta. Your Supers will also be best placed to understand if what’s being asked for is needed & wise, when considering it against the wider plan for operating Okta.

Delegating out some admin permissions to other teams so they can operate independently is important, but delegating out Super to “unblock” someone is almost always the wrong move.

Knowledge Driven Admin Assignment

The antidote to fear motivating the unchecked spread of Supers in your Okta tenant, is knowledge.

Every Super Admin Needs To Read the Docs

If you’re being trusted with Okta Super Admin, you absolutely need to bookmark and refer to Okta’s Standard Administrator Roles whenever the question of admin delegation comes up. Yes, custom admin roles exist, but when it comes to general delegation the standard roles will be a lot easier to reason about.

In June 2025, the stanard admin roles tables list 103 different permissions an Okta admin can have (not including EA features). Of these, just 13 are exclusive to Okta Super Admins.

#	Super Admin Permission	Comment
1	`Grant access to Okta Support`	Unlikely to be an everyday task
2	`Manage sensitive attributes`	Unlikely to be an everyday task
3	`Add, remove, and view administrators`	Viewing can be granted in a custom role, if really needed (like Oktually uses!)
4	`Edit default email settings for other admins`	Not likely to be an everyday task
5	`Manage log streaming`	Generally set it and forget it
6	`View import monitoring`	`Run Imports` can be granted in a custom role
7	`Add users to a group with assigned admin privileges`	Included in #3
8	`Assign admin privileges to a group`	Also included in #3
9	`Create and configure hooks`	Unlikely to be an everyday task
10	`Add/update/delete user profile policies`	Generally set & forget
11	`Drag and drop policies for prioritization`	This appears inaccurate, an admin with `Org` & `App` in a test tenant is able to add/remove authentication & sign-on policies and prioritize them through drag and drop
12	`Edit MFA authenticators in policies`	This appears inaccurate, an admin with `Org` & `App` in a test tenant is able to add/remove authenticators and edit authentication policies
13	`Enable MFA for the Admin Dashboard`	Single factor authentication to the admin console hasn’t been supported since August 2024. This permission is a hangover from before then

#3, #7 and #8 should really be counted as one permission and the issues with #11, #12 and #13 mean overall there’s more like 8 permissions exclusive to Super.

Many of the rest are likely to be rarely required, the main thing Supers can do that might be required more frequently is granting other people admin permissions.

Easy Come, Easy Go

After looking at the data, if you are finding yourself being strong armed into delegating Super elsewhere; remember that the key to granting any access freely is an understanding that revocation also happens easily.

You can grant someone else Super and then use the event types listed in part 3 of this series to see whether they’re actually using that access.

Lower Limits for Safety

Finally, what’s the lowest number of Okta Super Admins you should have? Oktually recommends a lower limit loosely scaled to the number of users in Okta.

These aren’t hard and fast targets, but do recognise the need to have more admin coverage (possibly in different timezones) as your user base grows. You’d also expect the number of people who are eligible through ARE to grow as the company does too.

Okta Users	Minimum Super Admins
< 750	2
751 - 2000	3
2001+	4