Okta Super Admins - Part 3: How to Identify Super Admin Activity
Event Types Exclusive to Okta Super Admins
Oktually is an observability platform for Okta. If you want help downgrading Okta admins, sign up now!
This is part 3 of a series on Okta Super Admins. Part 1 asked, "ARE You Eligible for Okta Super Admin?" Part 2 explained that "You Don’t Need So Many Super Admins."
Wouldn’t it be nice if Okta made it clear in the Event Log when a Super Org Admin has used their Super powers to make a change?† Yes, Oktually thinks it would be too!
Here is Oktually’s take on the events that will tell you who has been using their Super Admin authority, YMMV.
† This list is available from Okta support, but all of the events except user.account.privilege.grant can be triggered by non-Super Admins.
# | Super Admin Permission | Event Type |
---|---|---|
1 | Grant access to Okta Support | system.directory.debugger.grant system.directory.debugger.revoke |
2 | Manage sensitive attributes | app.saml.sensitive.attribute.update |
3 | Add, remove, and view administrators | user.account.privilege.grant user.account.privilege.revoke group.privilege.grant group.privilege.revoke |
4 | Edit default email settings for other admins | iam.role.subscriptions.update * |
5 | Manage log streaming | system.log_stream.lifecycle.activate system.log_stream.lifecycle.create system.log_stream.lifecycle.deactivate system.log_stream.lifecycle.delete system.log_stream.lifecycle.update |
6 | View import monitoring | Unknown |
7 | Add users to a group with assigned admin privileges | Included in #3 |
8 | Assign admin privileges to a group | Also included in #3 |
9 | Create and configure hooks | event_hook.activated event_hook.created event_hook.deactivated event_hook.deleted event_hook.updated inline_hook.activated inline_hook.created inline_hook.deactivated inline_hook.deleted system.hook.key.created system.hook.key.deleted system.hook.key.updated |
10 | Add/update/delete user profile policies | policy.rule.activate ** policy.rule.add ** policy.rule.deactivate ** policy.rule.delete ** policy.rule.invalidate ** policy.rule.update ** |
11 | Drag and drop policies for prioritization | As mentioned in part 2, it seems this doesn’t require Super Admin |
12 | Edit MFA authenticators in policies | Same as #11 |
13 | Enable MFA for the Admin Dashboard | Not relevant since August 2024 |
* Not in the standard Event List
** With a policy type of Okta:ProfileEnrollment
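
One way to apply the table to exported System Log events, as an added example (not Oktually's or Okta's code). It assumes each event is a System Log JSON object and that a policy's type appears in `target[].detailEntry.policyType`; the sample events are constructed.

```python
# Rows of the table above: (permission, event type prefix, suffixes).
TABLE = [
    ("Grant access to Okta Support", "system.directory.debugger", "grant revoke"),
    ("Manage sensitive attributes", "app.saml.sensitive.attribute", "update"),
    ("Add, remove, and view administrators", "user.account.privilege", "grant revoke"),
    ("Add, remove, and view administrators", "group.privilege", "grant revoke"),
    ("Edit default email settings for other admins", "iam.role.subscriptions", "update"),
    ("Manage log streaming", "system.log_stream.lifecycle", "activate create deactivate delete update"),
    ("Create and configure hooks", "event_hook", "activated created deactivated deleted updated"),
    ("Create and configure hooks", "inline_hook", "activated created deactivated deleted"),
    ("Create and configure hooks", "system.hook.key", "created deleted updated"),
    ("Add/update/delete user profile policies", "policy.rule", "activate add deactivate delete invalidate update"),
]
EVENT_TO_PERMISSION = {f"{p}.{s}": perm for perm, p, sfx in TABLE for s in sfx.split()}
# Per the footnote, the only event a non-Super Admin cannot trigger.
EXCLUSIVE = {"user.account.privilege.grant"}

def classify(event):
    """Return (permission, exclusive) for a System Log event, or None."""
    etype = event.get("eventType", "")
    if etype not in EVENT_TO_PERMISSION:
        return None
    if etype.startswith("policy.rule."):
        # Assumption: the policy type is exposed as target[].detailEntry.policyType.
        types = {(t.get("detailEntry") or {}).get("policyType") for t in (event.get("target") or [])}
        if "Okta:ProfileEnrollment" not in types:
            return None  # policy.rule.* only counts for profile enrollment policies
    return EVENT_TO_PERMISSION[etype], etype in EXCLUSIVE

def super_admin_activity(events):
    """Group matching events by actor: {actor: [(eventType, permission, exclusive)]}."""
    by_actor = {}
    for ev in events:
        hit = classify(ev)
        if hit:
            actor = (ev.get("actor") or {}).get("alternateId", "unknown")
            by_actor.setdefault(actor, []).append((ev["eventType"], *hit))
    return by_actor

# Constructed sample events (not real log data).
SAMPLE = [
    {"eventType": "user.account.privilege.grant", "actor": {"alternateId": "alice@example.com"}, "target": []},
    {"eventType": "policy.rule.update", "actor": {"alternateId": "bob@example.com"},
     "target": [{"type": "PolicyEntity", "detailEntry": {"policyType": "Okta:ProfileEnrollment"}}]},
    {"eventType": "policy.rule.update", "actor": {"alternateId": "carol@example.com"},
     "target": [{"type": "PolicyEntity", "detailEntry": {"policyType": "OtherPolicyType"}}]},
    {"eventType": "user.session.start", "actor": {"alternateId": "dave@example.com"}, "target": None},
]
```

Entries with `exclusive` set to `False` are candidates only: per the footnote, a non-Super Admin can trigger them too, so check the actor's assigned role before treating them as Super Admin use.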
Join us in part 4 to find out about The Okta Admin Downgrade Path!