Group membership administrators
The group membership admin manages the membership of specific groups. Group membership admins can also view all users in an org.
The group membership admin role can be a standalone assignment for admins who need to add and remove users in a group, or it can be combined with a role like group admin or help desk admin for broader user management permissions. These combinations enable an admin to add, remove, and deactivate existing users, reset their passwords, and change their MFA.
The group membership admin has a fixed set of permissions, but there are also restrictions on what this role can do.
Group membership administrator permissions
Group membership admins have the following permissions:
- View users
- View groups
- Add users to groups that they manage
- Remove users from groups that they manage
- View user tokens in groups that they manage
- Create user tokens in groups that they manage
- Clear user tokens in groups that they manage
Group membership administrator restrictions
Group membership admins can't perform the following actions:
- Create groups
- Delete groups
- Manage groups with admin privileges
- Edit MFA factors
Only super admins can manage groups with administrative roles. If a group admin is assigned access to a group that is later assigned an admin role, the group admin will no longer be able to make any changes to the group or its members.
For orgs with the group profile feature enabled, group membership admins cannot modify the group name and description.
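The restriction on groups with admin roles means a scoped assignment can silently stop working when its target group is later given an admin role. The following audit sketch is an added example, not code from this documentation or the product: it flags those assignments from an inventory you supply. The role identifiers, the `Assignment` shape, and the sample data are assumptions constructed for illustration.

```python
# Added illustration: role identifiers and data shapes are assumptions,
# not a product API or export format.
from dataclasses import dataclass

# Scoped roles that lose control of a group once it carries an admin role.
SCOPED_ROLES = {"GROUP_MEMBERSHIP_ADMIN", "GROUP_ADMIN"}


@dataclass(frozen=True)
class Assignment:
    admin: str                 # user holding the admin role
    role: str                  # hypothetical role identifier
    target_groups: tuple = ()  # groups the role is scoped to


def blocked_targets(assignments, group_roles):
    """Return sorted (admin, role, group) triples where a scoped admin can no
    longer manage a target group because the group has an admin role."""
    findings = []
    for a in assignments:
        if a.role not in SCOPED_ROLES:
            continue  # super admins are the only role allowed to manage these
        for group in a.target_groups:
            if group_roles.get(group):  # at least one admin role on the group
                findings.append((a.admin, a.role, group))
    return sorted(findings)


def effective_targets(admin, assignments, group_roles):
    """Groups whose membership `admin` can still change via scoped roles."""
    return {
        group
        for a in assignments
        if a.admin == admin and a.role in SCOPED_ROLES
        for group in a.target_groups
        if not group_roles.get(group)
    }


# Constructed sample inventory: who administers which groups, and which
# groups have admin roles assigned to them.
ASSIGNMENTS = [
    Assignment("alice", "GROUP_MEMBERSHIP_ADMIN", ("Sales", "IT-Operators")),
    Assignment("bob", "GROUP_ADMIN", ("IT-Operators",)),
    Assignment("carol", "SUPER_ADMIN"),
]
GROUP_ROLES = {"Sales": [], "IT-Operators": ["HELP_DESK_ADMIN"]}

if __name__ == "__main__":
    for admin, role, group in blocked_targets(ASSIGNMENTS, GROUP_ROLES):
        print(f"{admin} ({role}) can no longer manage {group}")
```

Each finding is a target group to hand over to a super admin or to remove from the scoped assignment.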