Guidance for structuring Okta groups

Getting the most out of delegated administration requires careful selection of Okta groups. The groups you choose should reflect your organization's structure or boundaries of control.

For example, an organization shares Okta-protected resources with two business units, A and B, each with their own users and separate IT teams who manage those users. It is important for the organization to maintain strict boundaries of control within Okta. A's IT team should only be able to view and manage A's users in Okta. Similarly, B's IT team should only be able to view and manage B's users in Okta. The organization can accomplish this by:

  • Giving A and B separate help desk administrators roles in Okta
  • Scoping A's help desk administrator role to Group A, which consists only of A's users
  • Scoping B's help desk administrator role to Group B, which consists only of B's users