The Group Admin Role

The Group Administrator role stands apart from the other adminAn abbreviation of administrator. This is the individual(s) who have access to the Okta Administrator Dashboard. They control the provisioning and deprovisioning of end users, the assigning of apps, the resetting of passwords, and the overall end user experience. Only administrators have the Administration button on the upper right side of the My Applications page. roles because it allows for increased administrative control. While this role performs mainly user-related tasks (create users, deactivate users, reset passwords, etc.), it can also be used restrict these tasks to a select group or groupsGroups allow you to organize your end users and the apps they can access. Assigning apps to large sets of end users is made easier with groups. of Okta users. In essence, you can “delegate” permissions to a particular admin to manage a specific group.

Note: This feature only applies to groups created in Okta. There is an Early AccessEarly Access (EA) features are opt-in features that you can try out in your org by asking Okta Support to enable them. Additionally, the Features page in the Okta Admin Console (Settings > Features) allows Super Admins to enable and disable some EA features themselves. feature allowing you to restrict the Group admin role to Active Directory and LDAP groups as well.

Uses for this role might be a franchise, where each location needs to silo and control their location-specific teams. Each franchise would need to create and manage their own data without affecting or being affecting by the others. Another example might be a company that owns many distinct product brands. One “umbrella” company owns them, but each brand has some homegrown and unique departments that have no relation to the other brands.

Guidance Structuring Okta Groups

Getting the most out of this role requires careful selection of Okta groups. The groups you create and choose should reflect your organization's structure or boundaries of control.

Another good practice is to grant one admin role per admin. If you assign both the AppAn abbreviation of application. Essentially, it is a web-based site used to perform any number of specific tasks, and requires authentication from end users by signing in. admin role and Group admin role to the same user, they will have ability to edit all users, regardless of the group(s) specified when assigning the role.

Admins only receive notifications about locked-out users who are in the group, or groups that the admin manages.

For more information, see Administrators.