A group push rule configured with a provisioning app may not pick up newly created groups when certain admin roles create them.
- Okta Integration Network (OIN)
- Push Groups
- Admin Roles and Permissions
When a constrained Okta Admin account creates a new group, the following error pattern may be seen in the Okta System Log:
Due to improper permissions from User <USER_ID> in creating GroupPushMapping(s) for UserGroup <USER_GROUP>, these GroupPushRule(s) have been skipped [grouppushruleid]

The values in the example above are populated with the respective IDs and group names. This happens because the Okta Admin assignment is constrained. For example, the admin account may have permission to create a new group but lack the permissions needed to manage the application assignment that results from this matching rule.
Add the appropriate admin role permissions for both Create groups and Manage applications. This may include the standard roles Organization Administrator and Application Administrator, or a custom role and resource set.
After checking for other dependencies and confirming that their removal would not be an issue, delete these recently created groups and recreate them using an admin account with the appropriate permission level.
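To work out which groups need to be recreated and which admin accounts need their role assignments reviewed, the System Log messages can be scanned for the error pattern quoted above. This is an added example, not Okta's code: it assumes the messages have been exported as plain text strings and that the bracketed field holds one or more comma-separated rule IDs. All IDs and group names in the sample are constructed.

```python
import re
from collections import defaultdict

# Message pattern quoted in the article. Assumption: the bracketed part may
# hold several comma-separated rule IDs.
PATTERN = re.compile(
    r"Due to improper permissions from User (?P<user>\S+) in creating "
    r"GroupPushMapping\(s\) for UserGroup (?P<group>.+?), these "
    r"GroupPushRule\(s\) have been skipped \[(?P<rules>[^\]]*)\]"
)


def skipped_push_rules(messages):
    """Return {admin_user_id: {group_name: set(rule_ids)}} for matching messages."""
    found = defaultdict(lambda: defaultdict(set))
    for msg in messages:
        m = PATTERN.search(msg)
        if not m:
            continue  # unrelated log line
        rules = {r.strip() for r in m.group("rules").split(",") if r.strip()}
        found[m.group("user")][m.group("group")].update(rules)
    return {user: dict(groups) for user, groups in found.items()}


# Constructed sample messages; every ID and group name is a placeholder.
SAMPLE = [
    "Due to improper permissions from User 00uEXAMPLE1 in creating "
    "GroupPushMapping(s) for UserGroup Sales EMEA, these GroupPushRule(s) "
    "have been skipped [gprEXAMPLE1]",
    "Add user to group membership: success",
    "Due to improper permissions from User 00uEXAMPLE1 in creating "
    "GroupPushMapping(s) for UserGroup Sales APAC, these GroupPushRule(s) "
    "have been skipped [gprEXAMPLE1, gprEXAMPLE2]",
    "Due to improper permissions from User 00uEXAMPLE2 in creating "
    "GroupPushMapping(s) for UserGroup Contractors, West, these "
    "GroupPushRule(s) have been skipped [gprEXAMPLE3]",
]

if __name__ == "__main__":
    for user, groups in skipped_push_rules(SAMPLE).items():
        print(f"admin {user}: review role assignment")
        for group, rules in sorted(groups.items()):
            print(f"  recreate group {group!r}; skipped rules: {sorted(rules)}")
```

Group names that contain commas are still captured whole, because the match for the group name ends only at the literal text that follows it in the message.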
