Create an admin role assignment using an admin
There are several important things to note when creating admin role assignments.
-
You can save an admin assignment even if it includes resources that aren't affected by the permissions. It doesn't break the admin assignment.
-
You can assign both standard and custom roles to individual admins, groups of admins, and apps.
-
You can only assign three standard roles to a group at a time. You can add more roles after saving your changes.
Before you begin
- Ensure that you're signed in as a super admin.
-
If you want to create an admin role assignment for a role that doesn't exist, you can create it from the Roles tab. See Create a role.
-
If you want to create an admin role assignment for a resource set that doesn't exist, you can create it from the Resources tab. See Create a resource set.
Start this task
You can begin creating an admin role assignment from any of the following places in the Admin Console:
From the Admins tab
-
In the Admin Console, go to .
-
On the Administrators page, go to the Admins tab.
-
Click Add administrator.
-
On the Administrator assignment by admin page, in the Admin field, enter the user's or group's name.
- Optional. Select Auditor (Read-Only) mode to apply a read-only restriction to their admin assignments. This restriction takes effect when the target user or group is assigned at least one admin role. See Auditor (Read-Only) mode.
- Avoid losing super admin management access
- If you enable Auditor (Read-Only) mode on a group, all members of that group instantly inherit read-only status. Verify that super admins are excluded from the group before saving, or they will lose global management access across the entire org.
From the Overview tab
-
In the Admin Console, go to .
-
On the Administrators page, go to the Overview tab.
-
Click Add administrator.
-
On the Administrator assignment by admin page, in the Admin field, enter the user's or group's name.
- Optional. Select Auditor (Read-Only) mode to apply a read-only restriction to their admin assignments. This restriction takes effect when the target user or group is assigned at least one admin role. See Auditor (Read-Only) mode.
- Avoid losing super admin management access
- If you enable Auditor (Read-Only) mode on a group, all members of that group instantly inherit read-only status. Verify that super admins are excluded from the group before saving, or they will lose global management access across the entire org.
From the People page
-
In the Admin Console, go to .
-
Select the required user and go to the user's profile page. Alternatively, go directly to the user's profile by searching for the user from the search bar on the Overview tab of the Administrators page.
-
Go to the Admin Roles tab.
-
If the user doesn't have any existing admin role assignments, click Add admin assignment. If the user already has existing admin assignments, click Edit individual assignments.
The Administrator assignment by admin page opens with the username populated in the Admin field.
- Optional. Select Auditor (Read-Only) mode to apply a read-only restriction to their admin assignments. This restriction takes effect when the target user or group is assigned at least one admin role. See Auditor (Read-Only) mode.
- Avoid losing super admin management access
- If you enable Auditor (Read-Only) mode on a group, all members of that group instantly inherit read-only status. Verify that super admins are excluded from the group before saving, or they will lose global management access across the entire org.
From the Groups page
-
In the Admin Console, go to .
Go to the group's profile page. Alternatively, go directly to the group's profile by searching for the group from the search bar on the Overview tab of the Administrators page.
-
Go to the Admin Roles tab.
-
If the group doesn't have any existing admin role assignments, click Add admin assignment. If the group already has existing admin assignments, click Edit group assignments.
The Administrator assignment by admin page opens with the group name populated in the Admin field.
- Optional. Select Auditor (Read-Only) mode to apply a read-only restriction to their admin assignments. This restriction takes effect when the target user or group is assigned at least one admin role. See Auditor (Read-Only) mode.
- Avoid losing super admin management access
- If you enable Auditor (Read-Only) mode on a group, all members of that group instantly inherit read-only status. Verify that super admins are excluded from the group before saving, or they will lose global management access across the entire org.
From the Applications page
-
In the Admin Console, go to .
Go to the app's profile page. Alternatively, go directly to the app's profile by searching for the app from the search bar on the Overview tab of the Administrators page.
-
Go to the Admin Roles tab.
-
If the app doesn't have any existing admin role assignments, click Add admin assignment. If the app already has existing admin assignments, click Edit group assignments.
The Administrator assignment by admin page opens with the app name populated in the App field.
If you want to automatically assign the super admin role to your custom API service integrations, you can enable this functionality in .
Continue with the task
- On the Administrator assignment by admin page, go to the Complete the assignment section.
- Select the role that you want to assign to your admin. You can also create a new role by selecting Create role from the dropdown menu.
- Select the resource set that you want to constrain the admin to. You can create a new resource set by
selecting Create resource set from the dropdown menu. You can also preview the
resources assigned here.Note:
You can't assign Okta Admin Console to users if Govern Okta admin roles is enabled for your org.
- Click Save changes.