After read-only admin permissions are assigned to a user, that user is unable to access the Okta dashboard or the Admin Console and receives an 'HTTP 500: Internal Server Error'. Another admin who opens the affected user's profile in the Admin Console gets the same error.
- Admin Console
- Okta Identity Engine (OIE)
- Admin Roles
Logs indicate that an error occurred while issuing a token for the user at the time the role was assigned.
Remove the admin role from the user and check whether the profile becomes viewable: go to Security > Administrators > Roles > Read-only Administrator > Edit assignments and remove the affected user. Once removed, the role is available to assign again.
If the admin role cannot be removed for the affected user via the UI, it can be removed with the following API calls:
- List the user's role assignments: call GET /api/v1/users/{userId}/roles to retrieve the assignment details, including the id of the Read-only Administrator assignment.
- Unassign the role: remove it with DELETE /api/v1/users/{userId}/roles/{roleAssignmentId}, using the id returned by the previous call. A role granted through group membership cannot be removed on the user; remove it from the group instead.
Once the role has been removed, refresh the Admin Console and verify that the user's profile is accessible. Then reassign the role and confirm that the profile remains accessible and that the user can sign in successfully.
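The two API calls above, scripted end to end, as an added example that is not Okta's own tooling and not part of the original article. It lists the user's role assignments, picks the Read-only Administrator assignment (Okta role type READ_ONLY_ADMIN), deletes the ones assigned directly to the user, and reports any that are inherited from a group, since those have to be removed from the group instead. The org URL, API token and user id are read from environment variables and are placeholders; the embedded sample response is constructed, not captured from a real org, and is only used for the offline dry run.

```python
"""Remove a stuck Read-only Administrator assignment from an Okta user.

Added example (not Okta's own tooling). Steps:
  1. GET    /api/v1/users/{userId}/roles                     -> find the assignment
  2. DELETE /api/v1/users/{userId}/roles/{roleAssignmentId}  -> remove it
Assumptions: OKTA_ORG_URL, OKTA_API_TOKEN and OKTA_USER_ID are set for a live run;
the token belongs to an admin allowed to manage administrator roles.
"""
import json
import os
import urllib.request

ORG_URL = os.environ.get("OKTA_ORG_URL", "https://example.okta.com")  # placeholder
API_TOKEN = os.environ.get("OKTA_API_TOKEN", "")                      # placeholder
READ_ONLY_ADMIN = "READ_ONLY_ADMIN"  # Okta role type of the Read-only Administrator role


def okta_request(method, path, org_url=ORG_URL, token=API_TOKEN):
    """Send one authenticated request to the Okta API; return (status, parsed body or None)."""
    req = urllib.request.Request(
        org_url + path,
        method=method,
        headers={
            "Accept": "application/json",
            "Content-Type": "application/json",
            "Authorization": "SSWS " + token,  # API-token auth scheme
        },
    )
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)


def list_role_assignments(user_id, request=okta_request):
    """Return the user's role assignments from GET /api/v1/users/{userId}/roles."""
    status, body = request("GET", f"/api/v1/users/{user_id}/roles")
    if status != 200 or not isinstance(body, list):
        raise RuntimeError(f"unexpected response listing roles: HTTP {status}")
    return body


def select_assignments(roles, role_type=READ_ONLY_ADMIN):
    """Split assignments of role_type into (directly assigned, inherited via group).

    A group-granted assignment cannot be deleted on the user; the role must be
    removed from the group, so those are reported rather than deleted.
    """
    matching = [r for r in roles if r.get("type") == role_type]
    direct = [r for r in matching if r.get("assignmentType", "USER") == "USER"]
    via_group = [r for r in matching if r.get("assignmentType") == "GROUP"]
    return direct, via_group


def remove_role(user_id, role_type=READ_ONLY_ADMIN, request=okta_request):
    """Delete each direct assignment of role_type; return (removed ids, group-granted ids left)."""
    direct, via_group = select_assignments(list_role_assignments(user_id, request), role_type)
    removed = []
    for assignment in direct:
        status, _ = request("DELETE", f"/api/v1/users/{user_id}/roles/{assignment['id']}")
        if status != 204:  # Okta answers 204 No Content on a successful unassignment
            raise RuntimeError(f"failed to remove assignment {assignment['id']}: HTTP {status}")
        removed.append(assignment["id"])
    return removed, [r["id"] for r in via_group]


# Constructed sample of a GET /api/v1/users/{userId}/roles body (not from a real org).
SAMPLE_ROLES = [
    {"id": "ra1", "label": "Read-only Administrator", "type": "READ_ONLY_ADMIN",
     "status": "ACTIVE", "assignmentType": "USER"},
    {"id": "ra2", "label": "Application Administrator", "type": "APP_ADMIN",
     "status": "ACTIVE", "assignmentType": "USER"},
    {"id": "ra3", "label": "Read-only Administrator", "type": "READ_ONLY_ADMIN",
     "status": "ACTIVE", "assignmentType": "GROUP"},
]


def dry_run(user_id="00u_sample"):
    """Run remove_role against the constructed sample instead of the network.

    Returns (calls made, removed ids, group-granted ids left in place).
    """
    calls = []

    def fake_request(method, path):
        calls.append((method, path))
        if method == "GET":
            return 200, SAMPLE_ROLES
        if method == "DELETE":
            return 204, None
        return 405, None

    removed, skipped = remove_role(user_id, request=fake_request)
    return calls, removed, skipped


if __name__ == "__main__":
    if os.environ.get("OKTA_USER_ID"):
        done, left = remove_role(os.environ["OKTA_USER_ID"])
    else:
        _, done, left = dry_run()
    print("removed:", done)
    if left:
        print("group-granted assignments left in place (remove the role from the group):", left)
```

Running it without OKTA_USER_ID performs the dry run against the sample and removes only `ra1`; `ra3` is reported because it comes from a group. With the three environment variables set it issues the real GET and DELETE calls against the org.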
