Group admin role

The group administrator role stands apart from the other admin roles because it allows for finer-grained delegation of administrative control. While this role performs mainly user-related tasks (create users, deactivate users, reset passwords), it can also be used to restrict these tasks to a select group or groups of Okta users. In essence, you can "delegate" permissions to a particular admin to manage a specific group. Groups that can be managed include Okta-mastered, Active Directory and LDAP groups.

One use for this role might be a franchise, where each location needs to silo and control its location-specific teams. Each franchise would need to create and manage its own data without affecting, or being affected by, the others. Another example might be a company that owns many distinct product brands. One "umbrella" company owns them, but each brand has some homegrown and unique departments that have no relation to the other brands.

Guidance on structuring Okta groups

Getting the most out of this role requires careful selection of Okta groups. The groups you create and choose should reflect your organization's structure or boundaries of control.

Another good practice is to grant one admin role per admin. If you assign both the app admin role and the group admin role to the same user, that user will have the ability to edit all users, regardless of the groups specified when assigning the group admin role.

Admins are notified about locked-out users only if those users are in a group that the admin manages.

Note: Only super admins are able to manage groups with administrative roles. Group admins cannot manage groups that have admin privileges assigned to them. If a group admin is assigned access to a group that is later assigned an admin role, the group admin will no longer be able to make any changes to the group or its members.
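The "one admin role per admin" guidance above and the note about groups that hold admin roles both describe conditions that silently widen or void a group admin's scope. The following audit script is an added example, not Okta's code: it runs over constructed role-assignment data whose shape is modelled on the Okta Administrator Roles API (the per-user roles list and each role's group targets), and flags three findings: a group admin who also holds another admin role, a group admin role with no group targets, and a target group that itself carries an admin role. The role type name USER_ADMIN for the Group Administrator role and the data shape are assumptions; the sample users and groups are constructed.

```python
"""Audit Okta-style admin role assignments for group-admin scoping problems.

Added example, not Okta's own code. The data shapes are modelled on the
Okta Administrator Roles API (user role list plus each role's group targets)
but are constructed inline so the script runs offline.
"""
from collections import defaultdict

# Assumed API type name for the Group Administrator role.
GROUP_ADMIN = "USER_ADMIN"

# Constructed sample: admin user -> list of (role type, target group ids).
# An empty target list on a group admin role means the role is unscoped.
ADMIN_ROLES = {
    "alice": [(GROUP_ADMIN, ["g_franchise_east"])],
    "bob":   [(GROUP_ADMIN, ["g_franchise_west"]), ("APP_ADMIN", [])],
    "carol": [(GROUP_ADMIN, [])],
    "dave":  [(GROUP_ADMIN, ["g_helpdesk"])],
}

# Constructed sample: group id -> admin roles granted to the group itself.
GROUP_ROLES = {
    "g_franchise_east": [],
    "g_franchise_west": [],
    "g_helpdesk": ["HELP_DESK_ADMIN"],
}


def audit(admin_roles, group_roles):
    """Return {user: [finding, ...]} for users whose group-admin scope is
    bypassed, unscoped, or voided by an admin role on a target group."""
    findings = defaultdict(list)
    for user, roles in admin_roles.items():
        role_types = [rtype for rtype, _ in roles]
        # Finding 1: a second admin role removes the group restriction.
        if GROUP_ADMIN in role_types and len(role_types) > 1:
            findings[user].append(
                "holds additional admin role(s): group scoping is bypassed")
        for rtype, targets in roles:
            if rtype != GROUP_ADMIN:
                continue
            # Finding 2: no group targets means the admin manages all users.
            if not targets:
                findings[user].append(
                    "group admin role has no group targets: manages all users")
            # Finding 3: target group carries an admin role, so only a
            # super admin can manage it and this delegation is void.
            for group_id in targets:
                held = group_roles.get(group_id, [])
                if held:
                    findings[user].append(
                        f"target group {group_id} holds admin role(s) {held}: "
                        "group admin can no longer manage it")
    return dict(findings)


if __name__ == "__main__":
    for user, notes in audit(ADMIN_ROLES, GROUP_ROLES).items():
        for note in notes:
            print(f"{user}: {note}")
```

In a real deployment the two dictionaries would be populated from the API responses for each administrator and each target group; the audit logic itself is unchanged.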

For more information, see Administrators.