Skip to main content

Documentation Index

Fetch the complete documentation index at: https://specterops-enable-tls-feedback.mintlify.app/llms.txt

Use this file to discover all available pages before exploring further.

Applies to BloodHound Enterprise and CE

Overview

Custom roles can be created with specific permissions and then assigned to users, groups, and applications over resource sets. Complex conditions can be used if the custom admin role has one of the following permissions:
  • okta.users.read
  • okta.users.manage
  • okta.users.create
Custom roles are represented as Okta_CustomRole and Okta_RoleAssignment nodes, similar to built-in roles.

Edges

The tables below list edges defined by the Okta extension only. Additional edges to or from this node may be created by other extensions.

Inbound Edges

Edge TypeSource Node TypesTraversable
Okta_ContainsOkta_Organization
Okta_HasRoleOkta_User, Okta_Group, Okta_Application

Outbound Edges

No outbound edges are defined by the Okta extension for this node.

Properties

NameSourceTypeDescription
idrole.idstringUnique custom role identifier.
namerole.labelstringName of the custom role.
displayNamerole.labelstringDisplay label used in BloodHound.
oktaDomainCollector context (non-API)stringOkta organization domain where the custom role exists.
permissionsrole.permissionsstring[]Effective permission labels associated with the custom role.
createdrole.createddatetimeCustom role creation timestamp.
lastUpdatedrole.lastUpdateddatetimeLast update timestamp of the role definition.

Sample Property Values

id: cr0wwdjuk0w96MpFr697
name: IAM Readers
displayName: IAM Readers
oktaDomain: contoso.okta.com
created: 2025-10-29T12:45:55+00:00
lastUpdated: 2025-10-30T13:35:36+00:00
permissions:
  - okta.iam.read

Abusable Permissions of Custom Roles in Okta

The following Okta permissions are particularly interesting from an offensive security perspective, as they can be abused to escalate privileges in hybrid scenarios:
  • okta.users.manage
  • okta.users.credentials.manage
  • okta.users.credentials.resetFactors
  • okta.users.credentials.resetPassword
  • okta.users.credentials.expirePassword
  • okta.users.credentials.manageTemporaryAccessCode
  • okta.groups.manage
  • okta.groups.members.manage
  • okta.apps.manage
  • okta.apps.clientCredentials.read
The research on abusable Okta permissions is still ongoing.