# Okta_CustomRole

> A custom role in Okta created by an administrator

<img noZoom src="https://mintcdn.com/specterops/tTIczgde9H07oLXf/assets/enterprise-AND-community-edition-pill-tag.svg?fit=max&auto=format&n=tTIczgde9H07oLXf&q=85&s=ad49a576589f4d2a8081df77d07fdf56" alt="Applies to BloodHound Enterprise and CE" width="482" height="45" data-path="assets/enterprise-AND-community-edition-pill-tag.svg" />

## Overview

Custom roles can be created with specific [permissions](https://developer.okta.com/docs/api/openapi/okta-management/guides/permissions/) and then assigned to [users](/opengraph/extensions/okta/nodes/okta_user), [groups](/opengraph/extensions/okta/nodes/okta_group), and [applications](/opengraph/extensions/okta/nodes/okta_application) over [resource sets](/opengraph/extensions/okta/nodes/okta_resourceset). [Complex conditions](https://help.okta.com/oie/en-us/content/topics/security/custom-admin-role/permission-conditions.htm) can be used if the custom admin role has one of the following permissions:

* okta.users.read
* okta.users.manage
* okta.users.create

Custom roles are represented as Okta\_CustomRole and [Okta\_RoleAssignment](/opengraph/extensions/okta/nodes/okta_roleassignment) nodes, similar to built-in roles.

## Edges

<Note>
  The tables below list edges defined by the Okta extension only. Additional edges to or from this node may be created by other extensions.
</Note>

### Inbound Edges

| Edge Type                                                        | Source Node Types                                                                                                                                                                            | Traversable |
| ---------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- |
| [Okta\_Contains](/opengraph/extensions/okta/edges/okta_contains) | [Okta\_Organization](/opengraph/extensions/okta/nodes/okta_organization)                                                                                                                     | ✅           |
| [Okta\_HasRole](/opengraph/extensions/okta/edges/okta_hasrole)   | [Okta\_User](/opengraph/extensions/okta/nodes/okta_user), [Okta\_Group](/opengraph/extensions/okta/nodes/okta_group), [Okta\_Application](/opengraph/extensions/okta/nodes/okta_application) | ❌           |

### Outbound Edges

No outbound edges are defined by the Okta extension for this node.

## Properties

| Name          | Source                      | Type       | Description                                                  |
| ------------- | --------------------------- | ---------- | ------------------------------------------------------------ |
| `id`          | `role.id`                   | `string`   | Unique custom role identifier.                               |
| `name`        | `role.label`                | `string`   | Name of the custom role.                                     |
| `displayName` | `role.label`                | `string`   | Display label used in BloodHound.                            |
| `oktaDomain`  | Collector context (non-API) | `string`   | Okta organization domain where the custom role exists.       |
| `permissions` | `role.permissions`          | `string[]` | Effective permission labels associated with the custom role. |
| `created`     | `role.created`              | `datetime` | Custom role creation timestamp.                              |
| `lastUpdated` | `role.lastUpdated`          | `datetime` | Last update timestamp of the role definition.                |

## Sample Property Values

```yaml theme={null}
id: cr0wwdjuk0w96MpFr697
name: IAM Readers
displayName: IAM Readers
oktaDomain: contoso.okta.com
created: 2025-10-29T12:45:55+00:00
lastUpdated: 2025-10-30T13:35:36+00:00
permissions:
  - okta.iam.read
```

## Abusable Permissions of Custom Roles in Okta

The following Okta permissions are particularly interesting from an offensive security perspective, as they can be abused to escalate privileges in hybrid scenarios:

* okta.users.manage
* okta.users.credentials.manage
* okta.users.credentials.resetFactors
* okta.users.credentials.resetPassword
* okta.users.credentials.expirePassword
* okta.users.credentials.manageTemporaryAccessCode
* okta.groups.manage
* okta.groups.members.manage
* okta.apps.manage
* okta.apps.clientCredentials.read

<Warning>
  The research on abusable Okta permissions is still ongoing.
</Warning>
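The Cypher query below is an added example for auditing the graph, not part of the BloodHound documentation or the Okta extension. It uses the `Okta_CustomRole` label, the inbound `Okta_HasRole` edge and the `permissions` property documented on this page to list every principal holding a custom role that carries one of the permissions above; the permission list is the one given on this page, and it assumes principal nodes expose a `name` property (not documented here) and that the query is run from the BloodHound Cypher search.

```cypher
// Added example, not from the BloodHound docs: which Okta principals hold a custom
// role that includes one of the permissions this page flags as abusable?
// The list below mirrors the page; adjust it as the research on these permissions evolves.
WITH [
  'okta.users.manage',
  'okta.users.credentials.manage',
  'okta.users.credentials.resetFactors',
  'okta.users.credentials.resetPassword',
  'okta.users.credentials.expirePassword',
  'okta.users.credentials.manageTemporaryAccessCode',
  'okta.groups.manage',
  'okta.groups.members.manage',
  'okta.apps.manage',
  'okta.apps.clientCredentials.read'
] AS abusable
// Okta_HasRole runs from the principal (user, group or application) to the custom role,
// matching the Inbound Edges table above.
MATCH (p)-[:Okta_HasRole]->(r:Okta_CustomRole)
WHERE (p:Okta_User OR p:Okta_Group OR p:Okta_Application)
  AND any(perm IN r.permissions WHERE perm IN abusable)
// p.name is assumed to exist on principal nodes; this page documents name only for the role.
RETURN p.name AS principal,
       labels(p) AS principal_type,
       r.name AS custom_role,
       r.oktaDomain AS okta_domain,
       [perm IN r.permissions WHERE perm IN abusable] AS abusable_permissions
ORDER BY size(abusable_permissions) DESC, principal
```

Because `Okta_HasRole` is marked non-traversable, it does not appear in BloodHound path finding, so an explicit query like this one is the way to review these assignments.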
