Who has permission to get the roles of a user ID?

Hi there,

Can you tell me which users/roles have the permissions to list the roles of another user ID? Is it only the SUPER_ADMIN role that can do this?

I’m talking about this API call: https://developer.okta.com/docs/reference/api/roles/#list-roles-assigned-to-a-user

Thanks

Group Admin can, if your user is in a specific group and the admin manages it. Also Org Admin, who has broader privileges than Group Admin. Read Only Admin can see the same.

What role does a user need to query the roles of a user in the Everyone group?

I just played around with this a bit and it looks like the SUPER ADMIN role is the only role that can make successful calls to the following APIs.

Get current user: https://developer.okta.com/docs/reference/api/users/#get-current-user
List roles assigned to a user: https://developer.okta.com/docs/reference/api/roles/#list-roles-assigned-to-a-user

Is that expected behavior? SUPER ADMIN seems like a highly privileged role to perform these actions :thinking:

Get Current User is most often used in CORS requests. When making the request via AJAX, the session cookie set by Okta in the browser once the user authenticates can be used to fetch information about this logged in user.

If you supply an API Token when making this request, the information you get back will be about the admin who issued the token. Since a session cookie is being used, make sure you are not using a browser that blocks 3rd party cookies.

See if this works for you:

  1. In one tab, log directly into Okta as an end user
  2. In another tab in the same browser (again, using a browser that is not set to block 3rd party cookies/cross-site tracking), navigate to the endpoint: https://org.okta.com/api/v1/users/me

You should see a JSON response with information about the currently logged in user, no API token required!

As for the administrator roles, the only people that can Add, Modify, and View other administrators are Super Admins, as noted in this admin role chart.
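As an added example (not from this thread and not Okta's own code), a small Python script that exercises the two calls discussed above with an API token: `/api/v1/users/me` to identify the admin who owns the token, then the list-roles call for a target user, reporting whether that admin's role is allowed to read it. The org URL, token and target user ID are assumed to come from environment variables; the role types in the test are constructed sample data.

```python
"""Check what an Okta API token can see about admin role assignments (added example)."""
import json
import os
import urllib.error
import urllib.request

# Assumed placeholders: OKTA_ORG_URL (e.g. https://example.okta.com), OKTA_API_TOKEN
# and optionally OKTA_TARGET_USER_ID are read from the environment; nothing is hard-coded.


def okta_get(org_url, token, path):
    """GET an Okta API path with an SSWS API token; returns (status, parsed JSON or None)."""
    req = urllib.request.Request(
        org_url.rstrip("/") + path,
        headers={"Authorization": f"SSWS {token}", "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        body = err.read()
        return err.code, (json.loads(body) if body else None)


def summarize_roles(payload):
    """Reduce a list-roles response to the sorted set of active role types."""
    return sorted({r["type"] for r in payload if r.get("status", "ACTIVE") == "ACTIVE"})


def interpret(status, roles_payload):
    """Map the list-roles outcome to a verdict: allowed / forbidden / unauthenticated."""
    if status == 200:
        return "allowed", summarize_roles(roles_payload)
    if status == 403:
        return "forbidden", []      # token owner's role may not read other admins' roles
    if status == 401:
        return "unauthenticated", []  # bad or revoked token
    return f"unexpected:{status}", []


if __name__ == "__main__":
    org = os.environ["OKTA_ORG_URL"]
    tok = os.environ["OKTA_API_TOKEN"]
    # With an API token, /users/me describes the admin who issued the token, not a browser session.
    status, me = okta_get(org, tok, "/api/v1/users/me")
    if status != 200:
        raise SystemExit(f"cannot identify token owner (HTTP {status})")
    print("token owner:", me.get("profile", {}).get("login"))
    target = os.environ.get("OKTA_TARGET_USER_ID") or me["id"]
    status, payload = okta_get(org, tok, f"/api/v1/users/{target}/roles")
    print("list roles for", target, "->", interpret(status, payload))
```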

Thanks for your comprehensive reply!
