Ivan Sager

Okta hub-spoke versus using Okta Groups

We recently purchased the Okta Platform and are looking for a matrix to help us decide whether to use Groups to categorize our customers or use the Okta Spoke configuration.

Our customers require different password policies; certain customers have access to all our products, but some only purchase a limited product range and reduced access, so each customer needs a great amount of flexibility.

We also require certain admin users at our customers to manage just their own users BUT we also need our call center to be able to manage all of our customer needs such as new user creation, assigning permissions etc.

Any thoughts on this?
High level overview
Best Answer chosen by Ivan Sager
Thomas Kirk (Okta, Inc.)
Hi Ivan,

This could be a good use case for the Okta User Admin Role (https://support.okta.com/help/articles/Knowledge_Article/The-User-Admin-Role). The User Admin can be assigned to a specific group of users and can only administer those users. Group Password Policies (https://support.okta.com/help/articles/Knowledge_Article/Configuring-Group-Password-Policies) can be used as well, allowing specific groups to have separate password policies.

Managing spokes can sometimes be a nightmare for administrators. There are good reasons to use it, but if all use cases can be solved with the User Admin Role, it is much cleaner and simpler to manage.

Ivan Sager
Thanks Thomas. That Admin Role does seem useful and I'll need to see if the APIs can be used to search for users that are assigned to just that group.
Thomas Kirk (Okta, Inc.)
If the API key is tied to an account that is a User Admin, then the get users API will only return the users that the User Admin manages.

Not sure where you are in your sales cycle, but these are good questions when it comes to architecture. Our Sales and Professional Services teams are amazing resources to engage with at this time. They can help you uncover specific requirements that may determine which architecture approach you should take.
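An added example (not part of the thread and not Okta's own code): one way to check the scoping described above before relying on it for customer isolation. It lists users with the group-scoped User Admin token and reports any account outside the delegated groups. The org URL, group IDs, the tokens and the org-wide read-only `audit_token` are assumptions, and the sample responses are constructed.

```python
import json
import re
import urllib.request
from urllib.parse import urlsplit

NEXT_LINK = re.compile(r'<([^>]+)>;\s*rel="next"')

def http_get(url, token):
    """Live fetch: returns (parsed JSON list, combined Link header)."""
    req = urllib.request.Request(url, headers={
        "Authorization": f"SSWS {token}", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp), ", ".join(resp.headers.get_all("Link") or [])

def list_all(url, token, fetch=http_get):
    """Collect every page, following rel="next" links on the same host only."""
    host, items = urlsplit(url).netloc, []
    while url:
        if urlsplit(url).netloc != host:
            raise ValueError(f"refusing to send token to {url}")
        page, link = fetch(url, token)
        items.extend(page)
        m = NEXT_LINK.search(link)
        url = m.group(1) if m else None
    return items

def visibility_leak(org, scoped_token, audit_token, group_ids, fetch=http_get):
    """Return {id: login} for users the scoped token lists outside its groups."""
    visible = list_all(f"{org}/api/v1/users?limit=200", scoped_token, fetch)
    allowed = set()
    for gid in group_ids:  # membership is read with the org-wide audit token
        url = f"{org}/api/v1/groups/{gid}/users?limit=200"
        allowed |= {u["id"] for u in list_all(url, audit_token, fetch)}
    return {u["id"]: u["profile"]["login"] for u in visible if u["id"] not in allowed}

if __name__ == "__main__":
    # Constructed responses standing in for a live org, so this runs offline.
    ORG = "https://example.okta.com"
    mk = lambda i: {"id": i, "profile": {"login": f"{i}@customer-a.example"}}
    pages = {
        ("scoped", f"{ORG}/api/v1/users?limit=200"): ([mk("u1"), mk("u2")], ""),
        ("audit", f"{ORG}/api/v1/groups/g1/users?limit=200"): ([mk("u1")], ""),
    }
    print(visibility_leak(ORG, "scoped", "audit", ["g1"],
                          fetch=lambda url, tok: pages[(tok, url)]))
```

An empty result means the scoped token saw only members of its delegated groups; any entry is an account visible across the customer boundary.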
Ivan Sager

Hey Thomas, we have already purchased Okta Platform (Brian Murphy is our Sales Executive) and are now working through the best option for our business needs and figure no better place than a broad Okta community to provide input.

Cheers
Ivan

Ivan Sager
Thomas, one additional requirement we have is that each of the "groups or spokes" needs to be configured so that certain of them can have inbound federation set up, so that the IdP is managed by the spoke/group organization.