Minimum Permissions Required for Group Push in Okta Org2Org
Okta Identity Engine
Okta Integration Network
Overview

This article clarifies the minimum permissions required for the account whose SSWS token is used as the provisioning token in an Okta Org2Org application, so that a group push succeeds. The problem occurs when that account lacks the permission to create groups in the downstream (target) org, which produces the following error message:

Unable to update Group Push mapping target App group <group name>: Error while creating user group <group name>: HTTP 403 Forbidden

While the Super Administrator or Org Administrator roles permit this action, a least-privilege requirement may call for granting only the minimum permission set to the account that owns the token.

Applies To
  • Okta Org2Org
  • Group Push
  • Provisioning
  • SSWS token
  • Okta Identity Engine (OIE)
Cause

The error occurs because the account associated with the SSWS provisioning token lacks the specific permissions required to create or update groups in the target environment.

Solution

To resolve the 403 Forbidden error and ensure the account has the necessary permissions to push groups, follow these steps:

  1. Create a custom role that specifically includes the Create Group permission.
  2. Create a resource set that includes All Groups.
  3. Assign the custom role and the resource set to the existing account.
  4. Assign the Group Administrator role to the account.
  5. Ensure the account has permissions for the specific application associated with the token.
  6. Re-push the group to verify the fix.
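Before re-pushing, it helps to confirm that the token's account actually carries what steps 1 through 4 grant, and to recognise the 403 in the error text above rather than guessing at its cause. The script below is an added example, not Okta's own code or part of this article. It assumes the documented Okta Management API shapes for GET /api/v1/users/{userId}/roles (custom role assignments reported with "type": "CUSTOM", a "role" id and a "resource-set" id) and GET /api/v1/iam/roles/{roleId} (a "permissions" list), that the Create Group permission is identified as okta.groups.create, and that the Group Administrator role is reported as type USER_ADMIN. Step 5 (application-level permission) is not modelled because the article gives no API detail for it. The sample payloads are constructed so the check runs offline.

```python
"""Preflight check for an Org2Org provisioning account (added example).

Assumed Okta Management API shapes (verify against the Okta API reference):
  GET /api/v1/users/{userId}/roles  -> list of role assignments; custom role
                                       assignments carry "type": "CUSTOM" plus
                                       "role" (custom role id) and "resource-set".
  GET /api/v1/iam/roles/{roleId}    -> {"id", "label", "permissions": [...]}
The sample payloads at the bottom are constructed, not captured from a real org.
"""
import json
import re
import urllib.request

# Assumed Okta permission identifier for "Create Group" on a custom role.
CREATE_GROUP = "okta.groups.create"
# Assumed role type Okta reports for the standard "Group Administrator" role.
GROUP_ADMIN_TYPE = "USER_ADMIN"
# Standard roles that already cover group creation; no custom role needed.
SUFFICIENT_ALONE = {"SUPER_ADMIN", "ORG_ADMIN"}

# Matches the Org2Org group push error quoted in the article.
ERROR_RE = re.compile(
    r"Unable to update Group Push mapping target App group (?P<group>.+?): "
    r"Error while creating user group (?P<created>.+?): HTTP (?P<status>\d{3})"
)


def parse_group_push_error(message: str):
    """Extract the target group name and HTTP status from the push error text.
    Returns None when the line is not a group push error."""
    m = ERROR_RE.search(message)
    if not m:
        return None
    return {"group": m.group("group"), "status": int(m.group("status"))}


def group_push_gaps(role_assignments, custom_roles):
    """Return the prerequisites still missing for group push; [] means OK.

    role_assignments: list of dicts shaped like GET /api/v1/users/{id}/roles
    custom_roles: dict of custom role id -> dict shaped like GET /api/v1/iam/roles/{id}
    """
    types = {a.get("type") for a in role_assignments}
    if types & SUFFICIENT_ALONE:
        return []  # Super/Org admin already includes group creation
    gaps = []
    grants_create = any(
        CREATE_GROUP in custom_roles.get(a.get("role"), {}).get("permissions", [])
        for a in role_assignments
        if a.get("type") == "CUSTOM"
    )
    if not grants_create:
        gaps.append(f"no assigned custom role carries {CREATE_GROUP}")
    if GROUP_ADMIN_TYPE not in types:
        gaps.append("Group Administrator (USER_ADMIN) not assigned")
    return gaps


def fetch_json(org_url, token, path):
    """Live call authenticated with the SSWS token; not used by the offline demo."""
    req = urllib.request.Request(
        org_url.rstrip("/") + path,
        headers={"Authorization": f"SSWS {token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def check_account(org_url, token, user_id):
    """Run the gap check against a real org (requires network and a valid token)."""
    assignments = fetch_json(org_url, token, f"/api/v1/users/{user_id}/roles")
    custom = {
        a["role"]: fetch_json(org_url, token, f"/api/v1/iam/roles/{a['role']}")
        for a in assignments
        if a.get("type") == "CUSTOM"
    }
    return group_push_gaps(assignments, custom)


# Constructed sample data mirroring the API shapes described above.
SAMPLE_ASSIGNMENTS = [
    {"id": "ra-example-1", "type": "CUSTOM", "role": "cr-example-groups",
     "resource-set": "rs-example-all-groups", "status": "ACTIVE"},
    {"id": "ra-example-2", "type": "USER_ADMIN", "status": "ACTIVE"},
]
SAMPLE_CUSTOM_ROLES = {
    "cr-example-groups": {"id": "cr-example-groups",
                          "label": "Org2Org group push",
                          "permissions": [CREATE_GROUP]},
}
SAMPLE_ERROR = ("Unable to update Group Push mapping target App group Finance Team: "
                "Error while creating user group Finance Team: HTTP 403 Forbidden")

if __name__ == "__main__":
    print("gaps:", group_push_gaps(SAMPLE_ASSIGNMENTS, SAMPLE_CUSTOM_ROLES))
    print("parsed error:", parse_group_push_error(SAMPLE_ERROR))
```

Run check_account with your org URL, the SSWS token, and the user id of the provisioning account to list what is still missing; an empty list means the custom role with Create Group and the Group Administrator role are both in place, which is exactly the state steps 1 through 4 aim for.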