The Group Admin Role

The Group Administrator role stands apart from the other admin roles because it allows for increased administrative control. While this role performs mainly user-related tasks (create users, deactivate users, reset passwords, etc.), it can also be used to restrict these tasks to a select group or groups of Okta users. In essence, you can “delegate” permissions to a particular admin to manage a specific group.

Note: This feature only applies to groups created in Okta. There is an Early Access feature allowing you to restrict the Group admin role to Active Directory and LDAP groups as well.

Uses for this role might be a franchise, where each location needs to silo and control their location-specific teams. Each franchise would need to create and manage their own data without affecting or being affected by the others. Another example might be a company that owns many distinct product brands. One “umbrella” company owns them, but each brand has some homegrown and unique departments that have no relation to the other brands.

Guidance Structuring Okta Groups

Getting the most out of this role requires careful selection of Okta groups. The groups you create and choose should reflect your organization's structure or boundaries of control.

Another good practice is to grant one admin role per admin. If you assign both the App admin role and Group admin role to the same user, they will have the ability to edit all users, regardless of the group(s) specified when assigning the role.

Admins only receive notifications about locked-out users who are in the group or groups that the admin manages.

Note: Only Super admins are able to manage groups with administrative roles. Group admins cannot manage groups that have admin privileges assigned to them. If a Group admin is assigned access to a group that is later assigned an admin role, the Group admin will no longer be able to make any changes to the group or group members.
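
The two caveats above (App admin combined with Group admin voids the group restriction, and a delegated group that holds an admin role can no longer be managed by its Group admin) can be checked periodically against an inventory of role assignments. The following is an added example, not Okta code: the data layout, the role labels GROUP_ADMIN and APP_ADMIN, and all user and group names are constructed for illustration and are not Okta API identifiers.

```python
# Constructed sample inventory; field names and role labels are assumptions
# made for this example, not Okta API identifiers.
ASSIGNMENTS = [
    {"admin": "alice", "role": "GROUP_ADMIN", "groups": ["Franchise-East"]},
    {"admin": "alice", "role": "APP_ADMIN", "groups": []},
    {"admin": "bob", "role": "GROUP_ADMIN", "groups": ["Franchise-West", "Brand-IT"]},
    {"admin": "carol", "role": "GROUP_ADMIN", "groups": ["Franchise-East"]},
]
# Groups that themselves have an admin role assigned to them (constructed).
GROUPS_WITH_ADMIN_ROLE = {"Brand-IT"}


def audit(assignments, privileged_groups):
    """Return sorted (admin, finding, detail) tuples for the two caveats."""
    roles, scopes = {}, {}
    for a in assignments:
        roles.setdefault(a["admin"], set()).add(a["role"])
        if a["role"] == "GROUP_ADMIN":
            scopes.setdefault(a["admin"], set()).update(a["groups"])

    findings = []
    for admin, held in roles.items():
        scoped = scopes.get(admin, set())
        # Caveat 1: App admin plus Group admin on one user means the user can
        # edit all users, so the intended group scope is not enforced.
        if {"GROUP_ADMIN", "APP_ADMIN"} <= held:
            findings.append((admin, "scope-bypass", ",".join(sorted(scoped))))
        # Caveat 2: a delegated group that holds an admin role can only be
        # managed by Super admins, so this delegation is silently ineffective.
        for group in sorted(scoped & privileged_groups):
            findings.append((admin, "unmanageable-group", group))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(ASSIGNMENTS, GROUPS_WITH_ADMIN_ROLE):
        print(*finding, sep="\t")
```

A "scope-bypass" finding calls for removing one of the two roles from the user; an "unmanageable-group" finding means management of that group has to move to a Super admin or the group's admin role has to be reconsidered.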

For more information, see Administrators.
