Org2Org App provisioning flow fails with the following error visible in the source Okta org dashboard:
Automatic profile push of user <user> to app Okta Org2Org failed: Error while trying to push profile update for <user>: You do not have permission to perform the requested action
- Org2Org App
- Provisioning
The authorization used when making the Org2Org provisioning API call did not have the appropriate permissions in the target org on the Okta User profile. A common reason for this is that the target Okta User profile has an assigned admin role, and the API authorization does not have Super Administrator permissions. By design, only Super Admins may modify or update other admins.
For example, here are two different configuration scenarios:
- The admin account in the target org that created the API token that is saved in the source Org2Org app integration has the "Org Admin" standard role permissions.
- An OAuth 2.0 configured integration has roles assigned to the service app in the target org, which are the Group Administrator and Group Membership Administrator standard roles recommended by default.
Ensure that the API is authorized with the appropriate level of permissions to make the desired changes in the target org on the Okta User profile.
If using a custom admin role, update it to ensure that the resource set does not limit the necessary permissions for provisioning.
If the target org user profile has admin permissions, this will require Super Administrator role permissions in the target org. If using the SSWS API Token and it is a requirement that admin profiles be configurable by Org2Org, please consider leveraging OAuth 2.0 for a higher level of security.
- For more details, please see: Secure API connections between orgs with OAuth 2.0. At the Assign admin roles to the OAuth 2.0 service app step, Super Administrator (SUPER_ADMIN) should be used.
