How to Restrict Okta Admins from Changing or Updating the Application Username for Assigned Users
Okta Identity Engine
Admin Roles
Overview

This article describes how to restrict admins from changing or updating the application username for assigned users.

Applies To
  • Okta Identity Engine (OIE)
  • Org Administration
  • Custom Admin Roles
  • SAML Applications
Cause

This ability is tied to the individual assignment permission. For administrators to retain the ability to regulate assignments at the individual level, this specific access right must stay unrestricted.

Solution

Restrict an admin's ability to edit usernames under app user assignments by creating a custom admin role:

  • Create a custom admin role that replicates the current admin role's permissions.
  • Remove the Edit users application assignments permission from this custom role.
  • Grant only the Edit groups application assignments permission to manage app access through groups.

 

Key Configurations: Custom admin role with specific permissions

User

  • View users and their details
  • Edit users' group membership

 

Group

  • View the groups and their details.
  • Manage the group membership.
  • Edit group application assignments.

 

Application

  • View the application and its details.
  • Edit the application's user or group assignments.

 

Resource set 

  • Options for inclusion: All users, groups, and applications, or specific selections for the custom admin to access.

Admins can assign applications through groups, but cannot edit individual user profiles directly.

NOTE: If an admin has multiple roles or resource sets, the union of all permissions applies, so please make sure no other assigned role grants this permission.
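The union rule in the note above can be audited mechanically. The following is an added example, not Okta's code or part of the original article: it takes each admin's roles, unions their permissions, and reports which role grants the permission that was meant to be removed. The permission identifiers are assumed mappings of the UI labels on this page, the role names, admin names and data are constructed, and resource-set scoping is ignored, so any role granting the permission counts.

```python
# Assumed Okta permission identifier for the UI label
# "Edit users application assignments"; confirm it in your org's role editor.
FORBIDDEN = "okta.users.appAssignment.manage"

# Constructed sample data (not real org output): custom role definitions
# and the roles assigned to each admin. Role and admin names are hypothetical.
CUSTOM_ROLES = {
    "Group-Only App Admin": {
        "okta.users.read", "okta.users.groupMembership.manage",
        "okta.groups.read", "okta.groups.members.manage",
        "okta.groups.appAssignment.manage",
        "okta.apps.read", "okta.apps.assignment.manage",
    },
    "Legacy Helpdesk": {"okta.users.read", "okta.users.appAssignment.manage"},
}
ASSIGNMENTS = {
    "alice": ["Group-Only App Admin"],
    "bob": ["Group-Only App Admin", "Legacy Helpdesk"],
    "carol": ["Group-Only App Admin", "APP_ADMIN"],  # standard role
}


def audit(assignments, custom_roles, forbidden=FORBIDDEN):
    """Evaluate each admin's effective permissions as the union of all roles."""
    report = {}
    for admin, roles in assignments.items():
        effective, granted_by, review = set(), [], []
        for role in roles:
            perms = custom_roles.get(role)
            if perms is None:
                # Not a custom role we can enumerate (e.g. a standard role):
                # treat as unknown and send to manual review.
                review.append(role)
                continue
            effective |= perms
            if forbidden in perms:
                granted_by.append(role)
        report[admin] = {
            "restricted": not granted_by and not review,
            "granted_by": granted_by,
            "review": review,
            "effective": sorted(effective),
        }
    return report


if __name__ == "__main__":
    for admin, result in audit(ASSIGNMENTS, CUSTOM_ROLES).items():
        print(admin, result["restricted"], result["granted_by"], result["review"])
```

An admin is reported as restricted only when every assigned role is an enumerable custom role and none of them grants the permission.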
