Work with the resource set component

A resource set is a collection of resources. Currently, only user groups, workflows, authorization servers, customizations, and apps in your org are considered as resources.

You can:

  • Create a maximum of 10,000 resource sets and assign a maximum of 1,000 resources for each resource set.

  • Use resource sets to constrain permissions of a role to specific resources.

  • Constrain admins who have the same role assignment to different resource sets.

Note
  • Resource sets are only available for custom admin roles.

  • You can only have 1,000 admins who have the same role and resource set combination constrained to them.

Considerations

  • While you can use either admin, role, or resource set components to create a role assignment, we recommend that you think about the role assignment from a resource-first perspective. It's helpful to think which resources will be accessible to your admin and which roles should be granted to them.

    • You have a sensitive resource in your org and want to limit who can add users and groups to this resource. In this case, create a resource set first followed by the custom admin role assignment.

  • If you want an admin to be able to view all resources but only manage specific resources, create two separate role assignments for the admin. See Best practices for creating a custom role assignment

  • You can use Okta-sourced, AD-sourced, and LDAP-sourced groups as resources. However, the following permissions aren't applicable to AD-sourced and LDAP-sourced groups:

    • Create users

    • Manage users' authenticator operations

    • Edit users' profile attributes

    • Manage group membership

  • You can add conditions to some resources to further limit a role's scope. See Resource set conditions.

Resource set-specific tasks

Create a resource set

Edit a resource set

Create an admin assignment using a resource set