App Admin Unable to Add Rule to the Default Policy
Overview
This article explains why an Application Administrator may be unable to add a new rule to an application's Default Policy. When the admin opens the policy in the Admin Console, the options to add or edit rules are not available, so no rules can be added to this specific policy.
Applies To
- Okta Identity Engine (OIE)
- App Sign-On Policies (specifically the Default Policy)
- Administrator Roles (Application Administrator)
- First Party Applications (for example, Okta Agent Registration, IGA apps, Workflows)
Cause
The root cause is that the Default Policy is assigned to one or more Okta First-Party Applications (such as Okta Agent Registration, IGA apps, or Workflows).
App Admins do not have the required administrative permissions to edit policies assigned to these specific First-Party Applications. This restriction prevents them from modifying the Default Policy in any way, including adding new rules.
Solution
The recommended solution is to create a new policy, separate from the Default Policy, and assign the target application(s) to it. Because the new policy is not associated with the restricted First-Party Applications, the App Admin can manage it.
- Log in to the Okta Admin Console (as a Super Admin or user with policy creation rights).
- Navigate to Security > Authentication Policies > App sign-in.
- Click Create Policy.
- Provide a descriptive name for the new policy (for example, "Managed App Policy") and create the policy.
- In the new policy, add the necessary rules that the App Admin will manage.
- Navigate to the Applications tab within the new policy.
- Click Add App.
- Find and add the specific application(s) that the App Admin needs to manage. This will re-assign them from the Default Policy to this new policy.
Once the application is assigned to the new policy, the App Admin can add and edit rules within that policy for that application.
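As an added example, not part of the original article, the same procedure driven through the Okta Management API instead of the Admin Console. It assumes the ACCESS_POLICY policy type and the policies, rules and app-to-policy assignment endpoints as documented by Okta, an org hostname and API token you supply, and that the token belongs to an admin with policy-creation rights (such as a Super Admin) rather than the App Admin; the 2FA rule payload is one plausible rule and should be checked against your org's API reference.

```python
"""Create a dedicated app sign-on policy, add a rule, and move the affected
app(s) onto it so the Default Policy (bound to first-party apps) stays untouched."""
from typing import Callable, List, Optional, Tuple

# HTTP sender: (method, url, json_body) -> parsed JSON. Injected so the flow
# can be exercised offline with a fake; the real sender is built below.
Sender = Callable[[str, str, Optional[dict]], dict]


def requests_sender(api_token: str) -> Sender:
    """Real sender: SSWS token auth against the Okta Management API."""
    import requests  # local import keeps the module importable without it

    def send(method: str, url: str, body: Optional[dict]) -> dict:
        r = requests.request(method, url, json=body, timeout=30, headers={
            "Authorization": f"SSWS {api_token}", "Accept": "application/json"})
        r.raise_for_status()
        return r.json() if r.content else {}
    return send

def create_policy(send: Sender, org: str, name: str) -> str:
    """POST /api/v1/policies with type ACCESS_POLICY (OIE authentication policy)."""
    body = {"type": "ACCESS_POLICY", "status": "ACTIVE", "name": name,
            "description": "App-Admin-managed; not attached to first-party apps"}
    return send("POST", f"https://{org}/api/v1/policies", body)["id"]

def add_rule(send: Sender, org: str, policy_id: str, name: str) -> str:
    """POST /api/v1/policies/{id}/rules: catch-all rule that allows access with 2FA."""
    body = {"type": "ACCESS_POLICY", "name": name, "priority": 1,
            "conditions": {"network": {"connection": "ANYWHERE"},
                           "people": {"users": {"exclude": []}, "groups": {"exclude": []}}},
            "actions": {"appSignOn": {"access": "ALLOW", "verificationMethod": {
                "type": "ASSURANCE", "factorMode": "2FA", "reauthenticateIn": "PT2H",
                "constraints": [{"knowledge": {"types": ["password"]}}]}}}}
    return send("POST", f"https://{org}/api/v1/policies/{policy_id}/rules", body)["id"]

def assign_app(send: Sender, org: str, app_id: str, policy_id: str) -> None:
    """PUT /api/v1/apps/{appId}/policies/{policyId}: re-assigns the app off the Default Policy."""
    send("PUT", f"https://{org}/api/v1/apps/{app_id}/policies/{policy_id}", None)

def fix_default_policy_lockout(send: Sender, org: str, policy_name: str,
                               app_ids: List[str]) -> Tuple[str, str]:
    """Run the whole procedure from the article; returns (policy_id, rule_id)."""
    policy_id = create_policy(send, org, policy_name)
    rule_id = add_rule(send, org, policy_id, f"{policy_name} - default rule")
    for app_id in app_ids:  # each app listed here leaves the Default Policy
        assign_app(send, org, app_id, policy_id)
    return policy_id, rule_id
```

Run it as `fix_default_policy_lockout(requests_sender(token), "your-org.okta.com", "Managed App Policy", [app_id, ...])`; afterwards the App Admin edits rules on the new policy, never on the Default Policy.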
