Group membership administrators

The group membership admin manages the membership of specific groups. Group membership admins can also view all users in an org.

The group membership admin role can be a standalone assignment for admins who need to add and remove users in a group, or it can be combined with a role like Group administrator or Help desk administrator for broader user management permissions. These combinations enable an admin to add, remove, and deactivate existing users, reset their passwords, and change their MFA.

The group membership admin has a fixed set of permissions, but there are also restrictions on what this role can do.

Group membership admins have the following permissions:

  • View users
  • View groups
  • Add users to groups that they manage
  • Remove users from groups that they manage
  • View user tokens in groups that they manage
  • Create user tokens in groups that they manage
  • Clear user tokens in groups that they manage

Group membership admins can't perform the following actions:

  • Create groups
  • Delete groups
  • Manage users
  • Manage groups with admin privileges
  • Manage authenticators

For a complete view of all of the permissions that are granted and excluded from this role, see Standard administrator roles and permissions.



  • Only super admins can manage groups with administrative roles. If a group admin is assigned access to a group that is later assigned an admin role, the group admin will no long be able to make any changes over the group or group members.

  • For orgs with group profile feature enabled, group membership admins cannot modify group name and description.

Related topics

Standard administrator roles and permissions

Use standard roles