About group administrators

Group admins perform user-related tasks for specific groups of Okta users. Assigning a group admin enables you to delegate management permissions for an Okta mastered, Active Directory, or LDAP group.

The group administrator role has a fixed set of permissions, but there are also restrictions on what this role can do.

Group admin permissions

Group admins have the following permissions:

  • Create new users in groups that they manage

  • Remove people from groups that they manage

  • Add users in groups they manage to other groups they manage

  • Rename groups they manage

  • Update descriptions of the groups they manage

  • Deactivate users
  • Activate users
  • Reset user passwords
  • Reset user multifactor authentication options
  • Edit user profiles
  • Unlock users
  • Suspend users
  • Use the Reveal password button to expose restricted passwords set by super or app admins roles

Group admin restrictions

Group admins can't perform the following actions:

  • Create or delete groups

  • Directly assign apps to users or groups

  • Initiate directory or app imports

  • View or modify users outside of their assigned groups

  • Manage groups that have admin roles assigned to them
Note

Note

Only super admins can manage groups with administrative roles. If a group admin is assigned access to a group that is later assigned an admin role, the group admin will no long be able to make any changes over the group or group members.

See also

Administrator comparison tables

Assign admin permissions

Guidance for structuring Okta groups