Currently, there is a limit of 1000 Resources that can be added to a Resource Set, regardless of whether it is a single Resource type or a combination (for example, Users+Apps). In Okta’s Custom Admin Roles feature, a "Resource Set" is a collection of objects (such as Applications, Groups, or Users) that an admin is allowed to manage.
If attempting to add more than 1000 Resources to a set via the Admin Console or API, the operation will fail.
"errorCode": "iam_policy_limit_exceeded",
"errorSummary": "Reached max number of resources per resource set.",
"errorLink": "iam_policy_limit_exceeded",
- Resource Set
- Admin Roles
The 1,000-resource limit is an architectural constraint designed to ensure high performance during permission evaluation.
When an Administrator logs in or attempts an action, Okta must evaluate their permissions in real-time. If a single Resource Set contained tens of thousands of individual items, calculating the effective permissions for that admin would cause significant latency in the Admin Console and API responses.
By capping the resources per set at 1000, Okta ensures that permission checks remain fast and that the Admin Console loads efficiently.
To grant Admin access to more than 1000 resources, it cannot be done with a single Resource Set. Instead, split the resources between multiple Resource Sets and stack the assignments.
Creating multiple Admin Roles is not necessary, as the same Custom Role can be assigned to the same User multiple times, each scoped to a different Resource Set.
Related References
