Okta Privileged Access uses groups to explicitly assign permissions to users, giving them access to required resources or access control privileges. You can create groups locally and add users to them. You can also sync your users and groups from the Universal Directory, which provides easier management of people, membership, and roles. See Configure SCIM for Okta.

Default groups

The following two groups are automatically created for each team:

  • Everyone includes every user that belongs to the Okta Privileged Access team.
  • Owners initially includes only the user who created the Okta Privileged Access team. This group can't be deleted.

    The Owners group grants the Okta Privileged Access administrator role. Only users with the PAM administrator role can create groups and add users to the groups.

The owners group can't be assigned other roles beyond the PAM administrator role, nor can the PAM administrator role be removed from this group. Okta recommends that you assign the PAM administrator role to another group that is provisioned to Okta Privileged Access through Okta SCIM. The owners group should have as few users as possible assigned to it.

After you complete the basic setup, Okta recommends that you do the following:

  • Create a group in Okta to manage users who will be assigned the PAM administrator role.
  • Assign any users currently in the owners group in Okta Privileged Access to this new Okta group.
  • Push the new Okta group to Okta Privileged Access.
  • Assign the new Okta group the PAM administrator role.

This ensures that if any users in the owners group are deactivated or deleted from Okta, other users in your organization retain the PAM administrator role.


You must be a PAM admin for your team to perform the following tasks.

Create a local group

Okta recommends that you minimize the use of local groups and instead manage group memberships through the Okta Admin Console. This ensures that group membership is accurately reflected based on lifecycle events on users or groups in Okta.

  1. Open the Okta Privileged Access dashboard.
  2. Click Groups.
  3. Click Create Group.
  4. On the Create Group window, enter a group name.
  5. Optional. Select any team roles to assign to the group. See Roles and permissions.
  6. Click Create Group.

Add a user to a local group

Adding a user to a group grants them access to all servers in projects where the group is added. Only service users that are created locally in Okta Privileged Access need to be added to local groups.

  1. Open the Okta Privileged Access dashboard.

  2. Click Groups and open a group.

  3. Go to the Users tab.

  4. In the Username field, enter the name of an existing user.

  5. Click Add User.

Related topics

Resource administration

Security administration