Mapping between OAuth scopes and built-in roles

MichaelG · November 7, 2025, 11:21am

Hello, I wonder if there is any documentation on mappings between OAuth 2.0 scopes granted to Service applications and the required built-in role assignments.

Examples:

Which built-in roles have the okta.users.read permission? (Read-Only Admins, Help Desk Admins etc.)
Which built-in roles have the okta.appGrants.read permission? (Apparently only Super Admins, but it is undocumented.)

The Administrator roles and permissions documentation is incomplete and does not contain any mappings onto the OAuth scopes.

This problem does not affect custom roles, which expose the exact list of assigned scopes through the management API. I would appreciate having a similar feature available for the built-in roles.

system · December 7, 2025, 11:22am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Post		Replies	Views
How to get user role during OIDC OAuth flow OAuth/OIDC	7	731	August 17, 2024
Why okta api scopes must be granted for a service app API	1	58	March 8, 2025
Can we group Scopes/Permissions? Questions	2	3498	January 24, 2024
Application services admin roles via API OAuth/OIDC	3	35	June 27, 2025
Roles/Authorities API	10	1870	December 22, 2023

Mapping between OAuth scopes and built-in roles

Related topics