Requirements and limitations
The following are current requirements and scale limits for various items in realms.
Object segmentation
-
Users must belong to a realm, but groups and apps exist independently of realms.
-
Groups, apps, servers, and devices can't be scoped to a particular realm. These are available at the org level.
-
Group rules can't be defined with the scope of users in a realm.
-
Identity providers can't belong to a realm. They are at the org level.
Scale limits
| Configuration per org | Maximum |
|---|---|
| Realms | 500 |
| Realm assignments | 500 |
| Profile source | 10 realm assignments per profile source |
Permissions
-
Creation and management of realm assignments can only be delegated to custom admins who have access to all realms.
-
Realm admins can view org-wide group membership counts and user counts on the Okta Admin Console dashboard and groups pages, regardless of their assigned realms.
-
Realm admins with run import permissions for apps can import users into different realms beyond their assigned realms.
Policies
-
Only authentication policy rules can be scoped to users in a realm through the Okta Expression Language.
-
Global Session Policies can't be scoped to users in a realm.
Governance
-
Access Certifications campaigns and Entitlement Management policies can be scoped to realms only through the Okta Expression Language.
-
Access Requests aren't supported in realms.