Assign administrator permissions
Super admins can assign admin permissions to individuals or to groups.
Individual assignments are better for a manageable number of admin accounts. When you assign admin permissions to individuals, you do so one at a time, whenever necessary. Remember that every org must always have at least one individually assigned super admin.
Admin groups work better when you need to onboard a large number of admins quickly. Assign those admins to one group, and then grant admin permissions to that group. Okta groups, AD groups, and LDAP groups are all eligible.
The assignment process is the same for most admins but some admins may require additional configuration. For these assignments, see Configure help desk administrators and Configure third-party administrators.
- In the Admin Console, go to Security > Administrators.
- Click Add Administrator or Add Administrator Group, depending on whether you are assigning privileges to an individual or a group.
- In the Grant administrator role to field, begin typing the name of the user or group you want to assign admin privileges to and select the correct user or group from the search list.
- Select the administrator roles you want the user or group to have. You can assign multiple admin roles to an individual or group.
- Some admin roles require additional input. If you selected Application Administrator, Group Administrator, Help Desk Administrator, or Group Membership Administrator, you need to indicate whether that role administers all users, groups, or apps, or just specific ones. (Copy and Paste commands allow you to apply the same assignments to multiple roles).
- Click Add Administrator to complete the assignment.
- Super admin is the only role that can manage users or groups with admin privileges.
- To prevent permission overrides, existing admin groups can be granted new roles through the Edit option only.
- If a group admin is assigned access to a group that is later assigned an admin role, the group admin is no longer able to make any changes over the group or group members.
- Admin roles can't be assigned to groups with more than 5,000 members.
- Group rules don't work with admin groups. This prevents delegated admins from erroneously increasing their or other user's administrative privileges.
- Admins lose their permissions when they are deactivated. If you reactivate a former admin, you also need to reassign privileges to them.
When you modify a group’s admin role assignments or group membership, it might take a few minutes for those changes to take effect.