Group administrators

Group administrators perform user-related tasks for specific groups of Okta users. Assigning a group admin enables you to delegate management permissions for an Okta sourced, Active Directory, or LDAP group.

The group admin role has a fixed set of permissions, but there are also restrictions on what this role can do.

Group admins have the following permissions for groups that they manage:

  • Create new users
  • Remove users
  • Add users in their groups to other groups that they manage
  • Rename groups
  • Update descriptions of the groups
  • Deactivate users
  • Activate users
  • Reset user passwords
  • Reset user multifactor authentication options
  • Edit user profiles
  • Unlock users
  • Suspend users
  • Use the Reveal password button to expose restricted passwords set by super or app admins roles
  • Edit group profile values (if the Group Profiles features is enabled)

Group admins can't perform the following actions:

  • Create or delete groups
  • Directly assign apps to users or groups
  • Initiate directory or app imports
  • View or modify users outside of their assigned groups
  • Manage groups that have admin roles assigned to them

For a complete view of all of the permissions that are granted and excluded from this role, see Standard administrator roles and permissions.



Only super admins can manage groups with administrative roles. If a group admin is assigned access to a group that is later assigned an admin role, the group admin will no longer be able to make any changes over the group or group members.

Related topics

Standard administrator roles and permissions

Use standard roles

Guidance for structuring Okta groups