Description

Administrator roles in Okta include role permissions that you can assign to custom roles. Some of these permissions are privileged and, if granted to unauthorized users, can pose serious security risks, including complete compromise of the Okta organization.

This Indicator of Exposure (IoE) detects custom roles that contain one or several of the following privileged permissions:

  • okta.groups.manage: Includes okta.groups.members.manage
  • okta.groups.members.manage: May enable privilege escalation by adding users to privileged groups in Okta or connected apps
  • okta.users.credentials.expirePassword: Lets attackers "set a new temporary password" for a user
  • okta.users.credentials.manage: Includes okta.users.credentials.expirePassword, okta.users.credentials.resetFactors and okta.users.credentials.resetPassword
  • okta.users.credentials.resetFactors: Lets attackers "reset MFA authenticators," making it easier to take over a target account
  • okta.users.credentials.resetPassword: Lets attackers "reset passwords for users"
  • okta.users.manage: Lets attackers "create and manage users"

Solution

This is not necessarily a vulnerability. However, Tenable recommends reviewing the custom role and its assigned permissions to ensure they are necessary and appropriate. Follow the principle of least privilege to minimize potential security risks.

Review and monitor the principals assigned to the privileged custom role. If one of them is compromised, an attacker could use the role's permissions to act on the Okta organization.

Indicator Details

Name: Privileged Custom Role

Codename: PRIVILEGED-CUSTOM-ROLE-OKTA

Severity: Low

Type: Okta Indicator of Exposure

MITRE ATT&CK Information: