Edit or revoke administrator permissions
Only super admins can edit or revoke another admin's permissions. However, you have to use the same method in which the admin was assigned. For example, if you assign a group of users the app admin permission, you can't revoke that permission from an individual user in the group. You need to revoke the permission from the entire group. Similarly, if a member of the application admin group was assigned their permission as an individual, revoking the group permission won't affect them. You need to revoke the individual permission.
If a user is granted the same admin role through two or more group memberships, they must be removed from all of those groups in order to revoke the role assignment. Similarly, if a user is granted the same admin role individually and through group membership, a super admin must remove both of the assignments in order to revoke the admin role.
If you only have one individually assigned super admin, you can’t edit or revoke their permissions. You must assign another individual as a super admin, and then edit or revoke the other’s permissions.
Org or group admins with user life-cycle privileges can deactivate super admins, which will revoke their role assignments. However, Okta always keeps the role assignment of the last individually assigned super admin active. If a super admin's assignment is revoked, the last super admin can reactivate them.
- In the Admin Console, go to Security > Administrators.
- In the Admin Types pane, filter admins by User or Group.
- To edit privileges, click the pencil icon in the admin or group's Actions column. Make your edits, and then click Update Administrator.
- To revoke privileges, click the X icon in the admin or group's Actions column. Confirm the deletion.
The System Log displays a “Grant user privilege success” event whenever a user’s role assignments are changed. When all of the user’s role assignments are removed, the System Log displays a “Revoke user privilege success” event.