Okta Classic Engine | Administration | Answered | 2018-09-05T01:29:27.000Z | 2016-08-02T20:57:28.000Z | 2018-08-12T04:16:08.000Z
Okta hub-spoke versus using Okta Groups
We recently purchased the Okta Platform and are looking for a matrix to help us decide whether to use Groups to categorize our customers or use the Okta Spoke configuration.

 

Our customers require different password policies; certain customers have access to all our products, but some only purchase a limited product range and reduced access, so each customer needs a great amount of flexibility.

 

We also require certain admin users at our customers to manage just their own users, BUT we also need our call center to be able to manage all of our customer needs, such as new user creation, assigning permissions, etc.

 

Any thoughts on this?


  • Thomas Kirk (Okta, Inc.)

    Hey Ivan,

     

    This could be a good use case for the Okta User Admin Role (https://support.okta.com/help/articles/Knowledge_Article/The-User-Admin-Role). The User Admin can be assigned to a specific group of users and can only administer those users. Group Password Policies (https://support.okta.com/help/articles/Knowledge_Article/Configuring-Group-Password-Policies) can be used as well, allowing specific groups to have separate password policies.

     

    Managing spokes can sometimes be a nightmare for administrators. There are good reasons to use it, but if all use cases can be solved with the User Admin Role, it is much cleaner and simpler to manage.
    Selected as Best
  • IvanS.86122 (Customer)

    Thanks Thomas. That Admin Role does seem useful, and I'll need to see if the APIs can be used to search for users that are assigned to just that group.
  • Thomas Kirk (Okta, Inc.)

    If the API key is tied to an account that is a User Admin, then the get users API will only return the users that the User Admin manages.

     

    Not sure where you are in your sales cycle, but these are good questions when it comes to architecture. Our Sales and Professional Services teams are amazing resources to engage with at this time. They can help you uncover specific requirements that may determine which architecture approach you should take.
  • IvanS.86122 (Customer)

    Hey Thomas, we have already purchased the Okta Platform (Brian Murphy is our Sales Executive) and are now working through the best option for our business needs, and figure there is no better place than a broad Okta community to provide input.

     

    Cheers

    Ivan

  • IvanS.86122 (Customer)

    Thomas, one additional requirement we have is that each of the "groups or spokes" needs to be configured so that certain of them can have inbound federation set up, so that the IDP is managed by the spoke/group organization.
This question is closed.
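
An added example (not code from the thread or from Okta) for the API question discussed above: listing the members of one customer group through Okta's List Group Members endpoint (`GET /api/v1/groups/{groupId}/users`), following `Link` header pagination and refusing to send the token to any host outside the org. The org URL, group id, token and the `demo_opener` responses are constructed placeholders so the block runs offline.

```python
import io
import json
import re
import urllib.request
import urllib.response
from email.message import Message

LINK_RE = re.compile(r'<([^>]+)>;\s*rel="([^"]+)"')  # one Link entry: <url>; rel="name"

def next_page(link_headers):
    """Return the rel="next" URL from a list of Link header values, or None."""
    for value in link_headers or []:
        for url, rel in LINK_RE.findall(value):
            if rel == "next":
                return url
    return None

def list_group_users(org_url, group_id, api_token, opener=urllib.request.urlopen):
    """Collect every member of one group, following pagination links."""
    base = org_url.rstrip("/") + "/"
    url = f"{base}api/v1/groups/{group_id}/users"
    users = []
    while url:
        # Never send the token to a host other than the org it belongs to.
        if not url.startswith(base):
            raise ValueError(f"refusing to follow link outside {base}: {url}")
        # SSWS tokens act with the permissions of the admin who created them,
        # so create this one under the group-scoped admin account.
        req = urllib.request.Request(url, headers={
            "Authorization": f"SSWS {api_token}", "Accept": "application/json"})
        with opener(req) as resp:
            users.extend(json.load(resp))
            url = next_page(resp.headers.get_all("Link"))
    return users

def demo_opener(req):
    """Constructed two-page response standing in for the Okta org (offline)."""
    first = "https://example.okta.com/api/v1/groups/00gEXAMPLE/users"
    pages = {first: (["alice@customer-a.example"], f'<{first}?after=p2>; rel="next"'),
             first + "?after=p2": (["bob@customer-a.example"], None)}
    logins, link = pages[req.full_url]
    headers = Message()
    if link:
        headers["Link"] = link
    body = json.dumps([{"profile": {"login": login}} for login in logins]).encode()
    return urllib.response.addinfourl(io.BytesIO(body), headers, req.full_url)

if __name__ == "__main__":
    members = list_group_users("https://example.okta.com", "00gEXAMPLE",
                               "placeholder-token", demo_opener)
    print([m["profile"]["login"] for m in members])
```

Against a real org, omit the `demo_opener` argument and pass a token created under the least-privileged admin account that can see the group.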