diff --git a/web/packages/design/src/index.ts b/web/packages/design/src/index.ts
index f5260ba2ac1c7..89c45fa08a326 100644
--- a/web/packages/design/src/index.ts
+++ b/web/packages/design/src/index.ts
@@ -34,7 +34,7 @@ import CardSuccess, { CardSuccessLogin } from './CardSuccess';
 import { Indicator } from './Indicator';
 import Input from './Input';
 import Label from './Label';
-import LabelInput from './LabelInput';
+import { LabelInput } from './LabelInput';
 import LabelState from './LabelState';
 import Link from './Link';
 import { Mark } from './Mark';
diff --git a/web/packages/teleport/src/Roles/RoleEditor/StandardEditor.tsx b/web/packages/teleport/src/Roles/RoleEditor/StandardEditor.tsx
index 46a53abf472b6..af9957505c8ea 100644
--- a/web/packages/teleport/src/Roles/RoleEditor/StandardEditor.tsx
+++ b/web/packages/teleport/src/Roles/RoleEditor/StandardEditor.tsx
@@ -24,6 +24,8 @@ import {
   Flex,
   H3,
   H4,
+  Input,
+  LabelInput,
   Mark,
   Text,
 } from 'design';
@@ -46,6 +48,10 @@ import {
 } from 'shared/components/FieldSelect';
 import { SlideTabs } from 'design/SlideTabs';
 
+import { RadioGroup } from 'design/RadioGroup';
+
+import Select from 'shared/components/Select';
+
 import { Role, RoleWithYaml } from 'teleport/services/resources';
 import { LabelsInput } from 'teleport/components/LabelsInput';
 
@@ -73,6 +79,9 @@ import {
   resourceKindOptions,
   verbOptions,
   newRuleModel,
+  OptionsModel,
+  requireMFATypeOptions,
+  createHostUserModeOptions,
 } from './standardmodel';
 import {
   validateRoleEditorModel,
@@ -200,6 +209,13 @@ export const StandardEditor = ({
     });
   }
 
+  function setOptions(options: OptionsModel) {
+    handleChange({
+      ...standardEditorModel,
+      options,
+    });
+  }
+
   return (
     <Validation>
       {({ validator }) => (
@@ -337,6 +353,18 @@ export const StandardEditor = ({
                 validation={validation.rules}
               />
             </div>
+            <div
+              id={optionsTabId}
+              style={{
+                display: currentTab === StandardEditorTab.Options ? '' : 'none',
+              }}
+            >
+              <Options
+                isProcessing={isProcessing}
+                value={roleModel.options}
+                onChange={setOptions}
+              />
+            </div>
           </EditorWrapper>
           <EditorSaveCancelButton
             onSave={() => handleSave(validator)}
@@ -996,6 +1024,188 @@ function AdminRule({
   );
 }
 
+function Options({
+  value,
+  isProcessing,
+  onChange,
+}: SectionProps<OptionsModel, never>) {
+  const theme = useTheme();
+  const id = useId();
+  const maxSessionTTLId = `${id}-max-session-ttl`;
+  const clientIdleTimeoutId = `${id}-client-idle-timeout`;
+  const requireMFATypeId = `${id}-require-mfa-type`;
+  const createHostUserModeId = `${id}-create-host-user-mode`;
+  return (
+    <Box
+      border={1}
+      borderColor={theme.colors.interactive.tonal.neutral[0]}
+      borderRadius={3}
+      p={3}
+      css={`
+        display: grid;
+        grid-template-columns: 1fr 1fr;
+        align-items: baseline;
+        row-gap: ${theme.space[3]}px;
+      `}
+    >
+      <H4
+        css={`
+          grid-column: 1/3;
+        `}
+      >
+        Global Settings
+      </H4>
+
+      <OptionLabel htmlFor={maxSessionTTLId}>Max Session TTL</OptionLabel>
+      <Input
+        id={maxSessionTTLId}
+        value={value.maxSessionTTL}
+        disabled={isProcessing}
+        onChange={e => onChange({ ...value, maxSessionTTL: e.target.value })}
+      />
+
+      <OptionLabel htmlFor={clientIdleTimeoutId}>
+        Client Idle Timeout
+      </OptionLabel>
+      <Input
+        id={clientIdleTimeoutId}
+        value={value.clientIdleTimeout}
+        disabled={isProcessing}
+        onChange={e =>
+          onChange({ ...value, clientIdleTimeout: e.target.value })
+        }
+      />
+
+      <div>Disconnect When Certificate Expires</div>
+      <BoolRadioGroup
+        name="disconnect-expired-cert"
+        value={value.disconnectExpiredCert}
+        onChange={d => onChange({ ...value, disconnectExpiredCert: d })}
+      />
+
+      <OptionLabel htmlFor={requireMFATypeId}>Require Session MFA</OptionLabel>
+      <Select
+        inputId={requireMFATypeId}
+        isDisabled={isProcessing}
+        options={requireMFATypeOptions}
+        value={value.requireMFAType}
+        onChange={t => onChange?.({ ...value, requireMFAType: t })}
+      />
+
+      <H4
+        css={`
+          grid-column: 1/3;
+          border-top: ${theme.borders[1]}
+            ${theme.colors.interactive.tonal.neutral[0]};
+          padding-top: ${theme.space[3]}px;
+        `}
+      >
+        SSH
+      </H4>
+
+      <OptionLabel htmlFor={createHostUserModeId}>
+        Create Host User Mode
+      </OptionLabel>
+      <Select
+        inputId={createHostUserModeId}
+        isDisabled={isProcessing}
+        options={createHostUserModeOptions}
+        value={value.createHostUserMode}
+        onChange={m => onChange?.({ ...value, createHostUserMode: m })}
+      />
+
+      <H4
+        css={`
+          grid-column: 1/3;
+          border-top: ${theme.borders[1]}
+            ${theme.colors.interactive.tonal.neutral[0]};
+          padding-top: ${theme.space[3]}px;
+        `}
+      >
+        Database
+      </H4>
+
+      <div>Create Database User</div>
+      <BoolRadioGroup
+        name="create-db-user"
+        value={value.createDBUser}
+        onChange={c => onChange({ ...value, createDBUser: c })}
+      />
+
+      {/* TODO(bl-nero): a bug in YAML unmarshalling backend breaks this option. Fix it. */}
+      {/* <OptionLabel htmlFor={createDBUserModeId}>
+        Create Database User Mode
+      </OptionLabel>
+      <Select
+        inputId={createDBUserModeId}
+        isDisabled={isProcessing}
+        options={createDBUserModeOptions}
+        value={value.createDBUserMode}
+        onChange={m => onChange?.({ ...value, createDBUserMode: m })}
+      /> */}
+
+      <H4
+        css={`
+          grid-column: 1/3;
+          border-top: ${theme.borders[1]}
+            ${theme.colors.interactive.tonal.neutral[0]};
+          padding-top: ${theme.space[3]}px;
+        `}
+      >
+        Desktop
+      </H4>
+
+      <div>Create Desktop User</div>
+      <BoolRadioGroup
+        name="create-desktop-user"
+        value={value.createDesktopUser}
+        onChange={c => onChange({ ...value, createDesktopUser: c })}
+      />
+
+      <div>Allow Clipboard Sharing</div>
+      <BoolRadioGroup
+        name="desktop-clipboard"
+        value={value.desktopClipboard}
+        onChange={c => onChange({ ...value, desktopClipboard: c })}
+      />
+
+      <div>Allow Directory Sharing</div>
+      <BoolRadioGroup
+        name="desktop-directory-sharing"
+        value={value.desktopDirectorySharing}
+        onChange={s => onChange({ ...value, desktopDirectorySharing: s })}
+      />
+    </Box>
+  );
+}
+
+function BoolRadioGroup({
+  name,
+  value,
+  onChange,
+}: {
+  name: string;
+  value: boolean;
+  onChange(b: boolean): void;
+}) {
+  return (
+    <RadioGroup
+      name={name}
+      flexDirection="row"
+      options={[
+        { label: 'True', value: 'true' },
+        { label: 'False', value: 'false' },
+      ]}
+      value={String(value)}
+      onChange={d => onChange(d === 'true')}
+    />
+  );
+}
+
+const OptionLabel = styled(LabelInput)`
+  ${props => props.theme.typography.body2}
+`;
+
 export const EditorWrapper = styled(Box)<{ mute?: boolean }>`
   opacity: ${p => (p.mute ? 0.4 : 1)};
   pointer-events: ${p => (p.mute ? 'none' : '')};
diff --git a/web/packages/teleport/src/Roles/RoleEditor/standardmodel.test.ts b/web/packages/teleport/src/Roles/RoleEditor/standardmodel.test.ts
index 157eee00c85e3..5116cdc32c410 100644
--- a/web/packages/teleport/src/Roles/RoleEditor/standardmodel.test.ts
+++ b/web/packages/teleport/src/Roles/RoleEditor/standardmodel.test.ts
@@ -17,7 +17,10 @@
  */
 
 import {
+  CreateDBUserMode,
+  CreateHostUserMode,
   KubernetesResource,
+  RequireMFAType,
   ResourceKind,
   Role,
   Rule,
@@ -45,6 +48,27 @@ const minimalRoleModel = (): RoleEditorModel => ({
   accessSpecs: [],
   rules: [],
   requiresReset: false,
+  options: {
+    maxSessionTTL: '30h0m0s',
+    clientIdleTimeout: '',
+    disconnectExpiredCert: false,
+    requireMFAType: {
+      value: false,
+      label: 'No',
+    },
+    createHostUserMode: {
+      value: '',
+      label: 'Unspecified',
+    },
+    createDBUser: false,
+    createDBUserMode: {
+      value: '',
+      label: 'Unspecified',
+    },
+    desktopClipboard: true,
+    createDesktopUser: false,
+    desktopDirectorySharing: true,
+  },
 });
 
 // These tests make sure that role to model and model to role conversions are
@@ -207,6 +231,47 @@ describe.each<{ name: string; role: Role; model: RoleEditorModel }>([
       ],
     },
   },
+
+  {
+    name: 'Options object',
+    role: {
+      ...minimalRole(),
+      spec: {
+        ...minimalRole().spec,
+        options: {
+          ...minimalRole().spec.options,
+          max_session_ttl: '1h15m30s',
+          client_idle_timeout: '2h30m45s',
+          disconnect_expired_cert: true,
+          require_session_mfa: 'hardware_key',
+          create_host_user_mode: 'keep',
+          create_db_user: true,
+          create_db_user_mode: 'best_effort_drop',
+          desktop_clipboard: false,
+          create_desktop_user: true,
+          desktop_directory_sharing: false,
+        },
+      },
+    },
+    model: {
+      ...minimalRoleModel(),
+      options: {
+        maxSessionTTL: '1h15m30s',
+        clientIdleTimeout: '2h30m45s',
+        disconnectExpiredCert: true,
+        requireMFAType: { value: 'hardware_key', label: 'Hardware Key' },
+        createHostUserMode: { value: 'keep', label: 'Keep' },
+        createDBUser: true,
+        createDBUserMode: {
+          value: 'best_effort_drop',
+          label: 'Drop (best effort)',
+        },
+        desktopClipboard: false,
+        createDesktopUser: true,
+        desktopDirectorySharing: false,
+      },
+    },
+  },
 ])('$name', ({ role, model }) => {
   it('is converted to a model', () => {
     expect(roleToRoleEditorModel(role)).toEqual(model);
@@ -456,6 +521,69 @@ describe('roleToRoleEditorModel', () => {
         },
       } as Role,
     },
+
+    {
+      name: 'unsupported value in spec.options.require_session_mfa',
+      role: {
+        ...minRole,
+        spec: {
+          ...minRole.spec,
+          options: {
+            ...minRole.spec.options,
+            require_session_mfa: 'bogus' as RequireMFAType,
+          },
+        },
+      },
+      model: {
+        ...roleModelWithReset,
+        options: {
+          ...roleModelWithReset.options,
+          requireMFAType: { value: false, label: 'No' },
+        },
+      },
+    },
+
+    {
+      name: 'unsupported value in spec.options.create_host_user_mode',
+      role: {
+        ...minRole,
+        spec: {
+          ...minRole.spec,
+          options: {
+            ...minRole.spec.options,
+            create_host_user_mode: 'bogus' as CreateHostUserMode,
+          },
+        },
+      },
+      model: {
+        ...roleModelWithReset,
+        options: {
+          ...roleModelWithReset.options,
+          createHostUserMode: { value: '', label: 'Unspecified' },
+        },
+      },
+    },
+
+    {
+      name: 'unsupported value in spec.options.create_db_user_mode',
+      role: {
+        ...minRole,
+        spec: {
+          ...minRole.spec,
+          options: {
+            ...minRole.spec.options,
+            create_db_user_mode: 'bogus' as CreateDBUserMode,
+          },
+        },
+      },
+      model: {
+        ...roleModelWithReset,
+        options: {
+          ...roleModelWithReset.options,
+          createDBUserMode: { value: '', label: 'Unspecified' },
+        },
+      },
+    },
   ])(
     'requires reset because of $name',
     ({ role, model = roleModelWithReset }) => {
diff --git a/web/packages/teleport/src/Roles/RoleEditor/standardmodel.ts b/web/packages/teleport/src/Roles/RoleEditor/standardmodel.ts
index 75fdb18277263..6e389d9e088e9 100644
--- a/web/packages/teleport/src/Roles/RoleEditor/standardmodel.ts
+++ b/web/packages/teleport/src/Roles/RoleEditor/standardmodel.ts
@@ -27,9 +27,13 @@ import {
 } from 'teleport/services/resources';
 import { Label as UILabel } from 'teleport/components/LabelsInput/LabelsInput';
 import {
+  CreateDBUserMode,
+  CreateHostUserMode,
   KubernetesResourceKind,
   KubernetesVerb,
+  RequireMFAType,
   ResourceKind,
+  RoleOptions,
   Rule,
   Verb,
 } from 'teleport/services/resources/types';
@@ -53,6 +57,7 @@ export type RoleEditorModel = {
   metadata: MetadataModel;
   accessSpecs: AccessSpec[];
   rules: RuleModel[];
+  options: OptionsModel;
   /**
    * Indicates whether the current resource, as described by YAML, is
    * accurately represented by this editor model. If it's not, the user needs
@@ -251,6 +256,50 @@ export type RuleModel = {
   verbs: readonly VerbOption[];
 };
 
+export type OptionsModel = {
+  maxSessionTTL: string;
+  clientIdleTimeout: string;
+  disconnectExpiredCert: boolean;
+  requireMFAType: RequireMFATypeOption;
+  createHostUserMode: CreateHostUserModeOption;
+  createDBUser: boolean;
+  createDBUserMode: CreateDBUserModeOption;
+  desktopClipboard: boolean;
+  createDesktopUser: boolean;
+  desktopDirectorySharing: boolean;
+};
+
+type RequireMFATypeOption = Option<RequireMFAType>;
+export const requireMFATypeOptions: RequireMFATypeOption[] = [
+  { value: false, label: 'No' },
+  { value: true, label: 'Yes' },
+  { value: 'hardware_key', label: 'Hardware Key' },
+  { value: 'hardware_key_touch', label: 'Hardware Key (touch)' },
+  {
+    value: 'hardware_key_touch_and_pin',
+    label: 'Hardware Key (touch and PIN)',
+  },
+];
+const requireMFATypeOptionsMap = optionsToMap(requireMFATypeOptions);
+
+type CreateHostUserModeOption = Option<CreateHostUserMode>;
+export const createHostUserModeOptions: CreateHostUserModeOption[] = [
+  { value: '', label: 'Unspecified' },
+  { value: 'off', label: 'Off' },
+  { value: 'keep', label: 'Keep' },
+  { value: 'insecure-drop', label: 'Drop (insecure)' },
+];
+const createHostUserModeOptionsMap = optionsToMap(createHostUserModeOptions);
+
+type CreateDBUserModeOption = Option<CreateDBUserMode>;
+export const createDBUserModeOptions: CreateDBUserModeOption[] = [
+  { value: '', label: 'Unspecified' },
+  { value: 'off', label: 'Off' },
+  { value: 'keep', label: 'Keep' },
+  { value: 'best_effort_drop', label: 'Drop (best effort)' },
+];
+const createDBUserModeOptionsMap = optionsToMap(createDBUserModeOptions);
+
 const roleVersion = 'v7';
 
 /**
@@ -341,6 +390,8 @@ export function roleToRoleEditorModel(
     rules,
     requiresReset: allowRequiresReset,
   } = roleConditionsToModel(allow);
+  const { model: optionsModel, requiresReset: optionsRequireReset } =
+    optionsToModel(options);
 
   return {
     metadata: {
@@ -350,17 +401,13 @@ export function roleToRoleEditorModel(
     },
     accessSpecs,
     rules,
+    options: optionsModel,
     requiresReset:
       revision !== originalRole?.metadata?.revision ||
       version !== roleVersion ||
-      !(
-        isEmpty(rest) &&
-        isEmpty(mRest) &&
-        isEmpty(sRest) &&
-        isEmpty(deny) &&
-        equalsDeep(options, defaultOptions())
-      ) ||
-      allowRequiresReset,
+      !(isEmpty(rest) && isEmpty(mRest) && isEmpty(sRest) && isEmpty(deny)) ||
+      allowRequiresReset ||
+      optionsRequireReset,
   };
 }
 
@@ -581,6 +628,80 @@ function ruleToModel(rule: Rule): { model: RuleModel; requiresReset: boolean } {
   };
 }
 
+function optionsToModel(options: RoleOptions): {
+  model: OptionsModel;
+  requiresReset: boolean;
+} {
+  const {
+    // Customizable options.
+    max_session_ttl,
+    client_idle_timeout = '',
+    disconnect_expired_cert = false,
+    require_session_mfa = false,
+    create_host_user_mode = '',
+    create_db_user,
+    create_db_user_mode = '',
+    desktop_clipboard,
+    create_desktop_user,
+    desktop_directory_sharing,
+
+    // These options must keep their default values, as we don't support them
+    // in the standard editor.
+    cert_format,
+    enhanced_recording,
+    forward_agent,
+    idp,
+    pin_source_ip,
+    port_forwarding,
+    record_session,
+    ssh_file_copy,
+
+    ...others
+  } = options;
+
+  const requireMFATypeOption =
+    requireMFATypeOptionsMap.get(require_session_mfa);
+  const createHostUserModeOption = createHostUserModeOptionsMap.get(
+    create_host_user_mode
+  );
+  const createDBUserModeOption =
+    createDBUserModeOptionsMap.get(create_db_user_mode);
+
+  const defaultOpts = defaultOptions();
+
+  return {
+    model: {
+      maxSessionTTL: max_session_ttl,
+      clientIdleTimeout: client_idle_timeout,
+      disconnectExpiredCert: disconnect_expired_cert,
+      requireMFAType:
+        requireMFATypeOption ?? requireMFATypeOptionsMap.get(false),
+      createHostUserMode:
+        createHostUserModeOption ?? createHostUserModeOptionsMap.get(''),
+      createDBUser: create_db_user,
+      createDBUserMode:
+        createDBUserModeOption ?? createDBUserModeOptionsMap.get(''),
+      desktopClipboard: desktop_clipboard,
+      createDesktopUser: create_desktop_user,
+      desktopDirectorySharing: desktop_directory_sharing,
+    },
+
+    requiresReset:
+      cert_format !== defaultOpts.cert_format ||
+      !equalsDeep(enhanced_recording, defaultOpts.enhanced_recording) ||
+      forward_agent !== defaultOpts.forward_agent ||
+      !equalsDeep(idp, defaultOpts.idp) ||
+      pin_source_ip !== defaultOpts.pin_source_ip ||
+      port_forwarding !== defaultOpts.port_forwarding ||
+      !equalsDeep(record_session, defaultOpts.record_session) ||
+      ssh_file_copy !== defaultOpts.ssh_file_copy ||
+      requireMFATypeOption === undefined ||
+      createHostUserModeOption === undefined ||
+      createDBUserModeOption === undefined ||
+      !isEmpty(others),
+  };
+}
+
 function isEmpty(obj: object) {
   return Object.keys(obj).length === 0;
 }
@@ -603,7 +724,7 @@ export function roleEditorModelToRole(roleModel: RoleEditorModel): Role {
     spec: {
       allow: {},
       deny: {},
-      options: defaultOptions(),
+      options: optionsModelToRoleOptions(roleModel.options),
     },
     version: roleVersion,
   };
@@ -683,6 +804,27 @@ export function labelsModelToLabels(uiLabels: UILabel[]): Labels {
   return labels;
 }
 
+function optionsModelToRoleOptions(model: OptionsModel): RoleOptions {
+  return {
+    ...defaultOptions(),
+
+    // Note: technically, coercing the optional fields to undefined is not
+    // necessary, but it's easier to test it this way, since we achieve
+    // symmetry between what goes into the model and what goes out of it, even
+    // if some fields are optional.
+    max_session_ttl: model.maxSessionTTL,
+    client_idle_timeout: model.clientIdleTimeout || undefined,
+    disconnect_expired_cert: model.disconnectExpiredCert || undefined,
+    require_session_mfa: model.requireMFAType.value || undefined,
+    create_host_user_mode: model.createHostUserMode.value || undefined,
+    create_db_user: model.createDBUser,
+    create_db_user_mode: model.createDBUserMode.value || undefined,
+    desktop_clipboard: model.desktopClipboard,
+    create_desktop_user: model.createDesktopUser,
+    desktop_directory_sharing: model.desktopDirectorySharing,
+  };
+}
+
 function optionsToStrings<T = string>(opts: readonly Option<T>[]): T[] {
   return opts.map(opt => opt.value);
 }
diff --git a/web/packages/teleport/src/services/resources/types.ts b/web/packages/teleport/src/services/resources/types.ts
index c5a17f313e872..f99a5f45cf1fb 100644
--- a/web/packages/teleport/src/services/resources/types.ts
+++ b/web/packages/teleport/src/services/resources/types.ts
@@ -357,8 +357,24 @@ export type RoleOptions = {
     desktop: boolean;
   };
   ssh_file_copy: boolean;
+  client_idle_timeout?: string;
+  disconnect_expired_cert?: boolean;
+  require_session_mfa?: RequireMFAType;
+  create_host_user_mode?: CreateHostUserMode;
+  create_db_user_mode?: CreateDBUserMode;
 };
 
+export type RequireMFAType =
+  | boolean
+  | 'hardware_key'
+  | 'hardware_key_touch'
+  | 'hardware_key_pin'
+  | 'hardware_key_touch_and_pin';
+
+export type CreateHostUserMode = '' | 'off' | 'keep' | 'insecure-drop';
+
+export type CreateDBUserMode = '' | 'off' | 'keep' | 'best_effort_drop';
+
 export type RoleWithYaml = {
   object: Role;
   /**