Best practices for group admin role assignments

Assigning too many admin groups to a single admin increases security risks and complicates management. This practice can create overprivileged accounts and make it difficult to audit and manage your org's admin roles. Furthermore, excessive group memberships can impact the sign-in experience, causing delayed Admin Console access and increased latency for privileged operations.

Recommendation

To maintain optimal performance and responsiveness in the Admin Console, Okta recommends that each admin have a maximum of 500 group assignments that include admin roles.

When an admin signs in to the Admin Console, Okta determines their permissions based on their assigned admin roles (assigned directly or indirectly through groups). The recommended limit reduces the likelihood of timeouts or delayed access to the Admin Console.

If admins experience increased latency during sign-in or slower UI load times in the Admin Console, Okta recommends reviewing their admin group assignments to ensure they're within the recommended range.

Workarounds for complex admin structures

If your org manages a complex admin structure or needs to assign multiple roles across different responsibilities, consider the following approaches:

  • Use fewer admin groups: Consolidate groups whenever possible.
  • Assign roles directly when appropriate: For admins who require a unique set of privileges, assign roles directly to the user rather than through groups. This can reduce the total number of group lookups that are needed when Okta evaluates their permissions.
  • Review inactive or redundant groups: Periodically audit admin groups to identify and remove redundant, inactive, or outdated groups.
  • Use time-bound admin assignments: Set up access request conditions for users to request time-bound admin access.

Reports and maintenance

Use reports to review admin role assignments and ensure compliance with these best practices. You can run admin reports from the Reports and Administrators pages in the Admin Console.

From the Reports page:

  1. In the Admin Console, go to Reports > Reports.
  2. Select the Admin role assignments report.
  3. Select your report parameters.
  4. Click Request Report.

From the Administrators page:

  1. In the Admin Console, go to Security > Administrators.
  2. On the Overview tab, click Create Report.
  3. Select your report parameters.
  4. Click Request Report.
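
The report data can then be checked against the recommended limit and scanned for groups that are candidates for consolidation. The following is an added example, not Okta code: it assumes the assignments are available as CSV, and the column names (admin, assignment_type, group, role) and sample rows are constructed, so adapt them to the layout of your report.

```python
import csv
import io
from collections import defaultdict

MAX_ADMIN_GROUPS = 500  # recommended maximum of role-bearing groups per admin

# Constructed sample rows; the column names are assumptions, not Okta's format.
SAMPLE_CSV = """admin,assignment_type,group,role
alice@example.com,group,helpdesk-emea,HELP_DESK_ADMIN
alice@example.com,group,helpdesk-apac,HELP_DESK_ADMIN
alice@example.com,group,app-owners,APP_ADMIN
alice@example.com,direct,,READ_ONLY_ADMIN
bob@example.com,group,app-owners,APP_ADMIN
"""


def audit_admin_groups(csv_text, limit=MAX_ADMIN_GROUPS):
    """Return (over_limit, redundant) for group-based admin role assignments.

    over_limit: {admin: number of distinct groups that give the admin a role}
    redundant:  {admin: [[group, ...], ...]} groups that give the admin an
                identical role set, which are candidates for consolidation
    """
    roles_by_group = defaultdict(lambda: defaultdict(set))
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Direct assignments do not count toward the group limit.
        if row["assignment_type"].strip().lower() != "group":
            continue
        admin, group = row["admin"].strip(), row["group"].strip()
        roles_by_group[admin][group].add(row["role"].strip())

    over_limit, redundant = {}, {}
    for admin, groups in roles_by_group.items():
        if len(groups) > limit:
            over_limit[admin] = len(groups)
        same_roles = defaultdict(list)
        for group, roles in groups.items():
            same_roles[frozenset(roles)].append(group)
        dupes = sorted(sorted(g) for g in same_roles.values() if len(g) > 1)
        if dupes:
            redundant[admin] = dupes
    return over_limit, redundant


if __name__ == "__main__":
    # A limit of 2 is used only so the small constructed sample trips the check.
    over, dupes = audit_admin_groups(SAMPLE_CSV, limit=2)
    print("over limit:", over)
    print("consolidation candidates:", dupes)
```
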

Related topics

Admin role assignments report

Set up administrators

Manage groups