Group administrators
Group administrators perform user-related tasks for specific groups of Okta users. Assigning a group admin enables you to delegate management permissions for an Okta sourced, Active Directory, or LDAP group.
The group admin role has a fixed set of permissions, but there are also restrictions on what this role can do.
Group administrator permissions
Group admins have the following permissions for groups that they manage:
- Create new users
- Remove users
- Add users in groups they manage to other groups they manage
- Rename groups
- Update descriptions of the groups
- Deactivate users
- Activate users
- Reset user passwords
- Reset user multifactor authentication options
- Edit user profiles
- Unlock users
- Suspend users
- Use the Reveal password button to expose restricted passwords set by super or app admins roles
-
Edit group profile values (if the Group Profiles features is enabled)
Group administrator restrictions
Group admins can't perform the following actions:
- Create or delete groups
- Directly assign apps to users or groups
- Initiate directory or app imports
- View or modify users outside of their assigned groups
- Manage groups that have admin roles assigned to them
Note
Only super admins can manage groups with administrative roles. If a group admin is assigned access to a group that is later assigned an admin role, the group admin will no longer be able to make any changes over the group or group members.