Is there a way to allow our help desk to view and modify "Next tokencode" and "Clear failed attempts" without giving them administrative control using the Administrative Roles. and which function/area to give them permission.
In order to logon to the Security Console, a user needs some Administrative role or their session will be terminated as soon as they authenticate successfully to the Security console, so what you need is some kind of minimal Help Desk Admin Role.
When you edit or create a new Admin role, the General Tab is where you manage what this role can do to Users,
And the Authentication Tab is where you can configure what this role is allowed to do to Tokens
I think some combination of allowing edit or maybe just view of a User and / or Edit Token with just the minimal permissions might get what you are seeking. I did not see manage next token code specifically, but re-synchronize token might be needed along with manage incorrect Passcode count.
It's possible you could deny all User control to this role (not even View on General Tab), and force the Help Desk Admin to only have access to the Token by Serial Number, basically the stuff on the Authentication Tab.
The Roles are additive, so if you only want to add these permissions to a few admins who already have a help desk Role, you can create a new Role with just these permissions and add that Role to the admins you want to boost.
Retrieving data ...