About group membership administrators

The group membership admin manages the membership of specific groups. Group membership admins can also view all users in an org.

The group membership admin role can be a standalone assignment for admins who need to add and remove users in a group, or it can be combined with a role like group admin or help desk admin for broader user management permissions. These combinations enable an admin to add, remove, and deactivate existing users, reset their passwords, and change their MFA.

The group membership admin has a fixed set of permissions, but there are also restrictions on what this role can do.

Group membership admin permissions

Group membership admins have the following permissions:

  • View users
  • View groups
  • Add users to groups that they manage
  • Remove users from groups that they manage
  • View user tokens in groups that they manage
  • Create user tokens in groups that they manage
  • Clear user tokens in groups that they manage

Group membership admins restrictions

Group membership admins can't perform the following actions:

  • Create groups
  • Delete groups
  • Manage groups with admin privileges
  • Edit MFA factors

See also

Administrator comparison tables

Assign admin permissions