Work with the resource set component
A resource set is a collection of resources. Currently, only user groups, workflows, authorization servers, customizations, and apps in your org are considered as resources.
You can:
- Create a maximum of 10,000 resource sets and assign a maximum of 1,000 resources for each resource set.
- Use resource sets to constrain permissions of a role to specific resources.
- Constrain admins who have the same role assignment to different resource sets.
- Resource sets are only available for custom admin roles.
- You can only have 1,000 admins who have the same role and resource set combination constrained to them.
Considerations
- While you can use either admin, role, or resource set components to create a role assignment, we recommend that you think about the role assignment from a resource-first perspective. It's helpful to think about which resources will be accessible to your admin and which roles should be granted to them.
  - You have a sensitive resource in your org and want to limit who can add users and groups to this resource. In this case, create a resource set first, followed by the custom admin role assignment.
- If you want an admin to be able to view all resources but only manage specific resources, create two separate role assignments for the admin. See Best practices for creating a custom role assignment.
- You can use Okta-sourced, AD-sourced, and LDAP-sourced groups as resources. However, the following permissions aren't applicable to AD-sourced and LDAP-sourced groups:
  - Create users
  - Manage users' authenticator operations
  - Edit users' profile attributes
  - Manage group membership
- You can add conditions to some resources to further limit a role's scope. See Resource set conditions.
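
The limits and the AD/LDAP exclusions above can be checked against a planned configuration before anything is created in the org. The following Python sketch is an added example, not Okta code and not an Okta API: the data model, the `lint_plan` function, the sample names, and the "View users" permission label are assumptions made for illustration.

```python
from collections import Counter

# Limits and exclusions as stated on this page.
MAX_RESOURCE_SETS = 10_000
MAX_RESOURCES_PER_SET = 1_000
MAX_ADMINS_PER_ROLE_AND_SET = 1_000
NOT_APPLICABLE_TO_DIRECTORY_GROUPS = {
    "Create users",
    "Manage users' authenticator operations",
    "Edit users' profile attributes",
    "Manage group membership",
}

def lint_plan(roles, resource_sets, assignments):
    """Check a planned configuration; return sorted finding strings.

    roles:         {role name: set of permission names}
    resource_sets: {set name: [(resource type, source, resource name), ...]}
    assignments:   [(admin, role name, set name), ...]
    """
    findings = []
    if len(resource_sets) > MAX_RESOURCE_SETS:
        findings.append(f"{len(resource_sets)} resource sets exceeds {MAX_RESOURCE_SETS}")
    for set_name, resources in resource_sets.items():
        if len(resources) > MAX_RESOURCES_PER_SET:
            findings.append(f"{set_name}: {len(resources)} resources exceeds {MAX_RESOURCES_PER_SET}")
    # Count distinct admins per (role, resource set) combination.
    combos = Counter((role, rs) for _admin, role, rs in set(assignments))
    for (role, rs), admins in combos.items():
        if admins > MAX_ADMINS_PER_ROLE_AND_SET:
            findings.append(f"{role} on {rs}: {admins} admins exceeds {MAX_ADMINS_PER_ROLE_AND_SET}")
        # Permissions in this role that do nothing on AD/LDAP-sourced groups.
        inert = sorted(roles[role] & NOT_APPLICABLE_TO_DIRECTORY_GROUPS)
        for rtype, source, name in resource_sets[rs]:
            if inert and rtype == "group" and source in ("AD", "LDAP"):
                findings.append(f"{role} on {rs}: {inert} not applicable to {source}-sourced group {name}")
    return sorted(findings)

# Constructed sample plan (all names are hypothetical).
ROLES = {"Helpdesk": {"Create users", "Manage group membership", "View users"}}
RESOURCE_SETS = {
    "Payroll groups": [("group", "Okta", "payroll-admins"), ("group", "AD", "payroll-ad")],
    "Oversized": [("app", "Okta", f"app-{i}") for i in range(1001)],
}
ASSIGNMENTS = [("alice", "Helpdesk", "Payroll groups"), ("bob", "Helpdesk", "Payroll groups")]

if __name__ == "__main__":
    for finding in lint_plan(ROLES, RESOURCE_SETS, ASSIGNMENTS):
        print(finding)
```

A finding about inapplicable permissions means the admin will not get the expected capability on that group, which is worth catching before the role assignment is relied on for delegation.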