Why a User Admin cannot remove users from a group
https://support.okta.com/help/answers?id=906f0000000xzcmiao&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
Tom Hardin

Why a User Admin cannot remove users from a group

I don't understand why a user that has been granted the User Admin role cannot remove users from a group. To me this seems like a permission any User Admin would need. If I trust them enough to create users, assign apps and groups, why wouldn't I trust them to remove a user from a group?

This makes no sense to me. Can someone shed some light on why a User Admin cannot remove users from groups?

api-workday
Hi Tom,

I've always assumed it is because of the diverse number of things that adding a user to a group can trigger.

Beyond the obvious and acknowledged application assignment:
  • Being assigned to an application through a group can be used to prepopulate specific attribute values for the application user assignment.
  • Group assignment can be used to push a user to a directory (create an AD User).
  • Groups can be configured as push groups, so adding a user to an Okta group can subsequently add the user to an AD Group.
Jonathan Winn
Hi Tom,

When we have discussed this with Okta previously, the concept of managing a group wasn't included in this role as it was just focused on the management of users only. As a result of that conversation, a feature request for granular user access permissions was logged as we, like you, want to be able to add/remove users from groups without having to grant god access! We used a group to enable our Service Desk to bypass MFA for users if they forgot their mobiles. They could add the user but could never remove them. The role appears to have been tweaked again now so that adding users to a group isn't even possible now.

If you want flexibility to grant your admins access to what they need to, please support the feature request!

Thanks, 
Jonathan  
Tom Hardin
Hi Jonathan,

I would love to support that feature request, if I knew how. It appears that Okta is hiding the Feature Request section. Can you post a link to your feature request?
Thomas (Okta, Inc.)
The Feature Request area is for Okta Admins. You click on Post An Idea on the Community home page; that will take you to Feature Requests. There you can post your idea, and our product management team will review your request and give feedback.

Tom

Thomas Hill, Support Community Manager, Okta