
zjicp (zjicp) asked a question.
I'm trying to find an Admin role that can create and manage users. The only group I have found, without giving them Super Admin rights, is the Org role.
The issue I'm having is that if I give a user this role, they are able not only to create/manage users but also to reset passwords and MFA for Super Admins, which is something I don't want to do.
I have tried to see if there was a way to create a role where I can specify what they can/can't do but to no avail.
All I need is to grant a group of users the ability to create users in addition to managing users below Org role level.
Is there a way to do this?

I haven't tried this myself, but it might get you close to what you want. Create an Okta group, name it something like "Everyone Except SuperAdmins", then create a group rule with criteria that include all users and add your super admins to the rule's exclusion list. Activate the rule, wait for the group to be fully populated, and verify that your super admins are NOT in the group. Finally, delegate the Group Admin role using the "Everyone Except SuperAdmins" group to whoever you wish to grant those rights. As long as your group rule criteria are broad enough, all new accounts should get added to that group automatically. And if you add any new SuperAdmins, you'll have to remember to add them to the rule's exclusion list.
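
The "verify" and "remember to add them to the exclusion list" steps in the answer above can be checked on a schedule. The following is an added example, not part of the answer and not Okta's own code: it compares the rule's exclusion list and the group's members against the current super admins. The function name, the sample IDs and the sample objects are constructed, and the field names (`conditions.people.users.exclude`, `status`, role type `SUPER_ADMIN`) are assumed to follow Okta's group rule and role objects.

```python
# Added example: drift audit for the "Everyone Except SuperAdmins" delegation.
# All IDs and objects below are constructed sample data; field names are assumed
# to follow Okta's group rule and role objects.

def audit_delegation(rule, group_member_ids, roles_by_user):
    """Compare the rule's exclusion list and the group's members with current super admins."""
    super_admins = {u for u, roles in roles_by_user.items() if "SUPER_ADMIN" in roles}
    users_cond = rule.get("conditions", {}).get("people", {}).get("users", {})
    excluded = set(users_cond.get("exclude", []))
    members = set(group_member_ids)
    return {
        # Super admins the delegated Group Admin can currently manage (the risk in the question).
        "super_admins_in_group": sorted(super_admins & members),
        # Super admins missing from the exclusion list, so the rule does not keep them out.
        "super_admins_not_excluded": sorted(super_admins - excluded),
        # Excluded users who no longer hold the role and so fall outside the delegated group.
        "stale_exclusions": sorted(excluded - super_admins),
        # The answer relies on the rule being activated to populate the group.
        "rule_active": rule.get("status") == "ACTIVE",
    }

# Constructed sample state: bob was promoted after the rule was written,
# carol was demoted but never removed from the exclusion list.
SAMPLE_RULE = {
    "name": "Everyone Except SuperAdmins",
    "status": "ACTIVE",
    "conditions": {"people": {"users": {"exclude": ["00u-alice", "00u-carol"]}}},
}
SAMPLE_ROLES = {
    "00u-alice": ["SUPER_ADMIN"],
    "00u-bob": ["SUPER_ADMIN"],
    "00u-carol": ["HELP_DESK_ADMIN"],
}
SAMPLE_MEMBERS = ["00u-bob", "00u-dave", "00u-erin"]

if __name__ == "__main__":
    for finding, value in audit_delegation(SAMPLE_RULE, SAMPLE_MEMBERS, SAMPLE_ROLES).items():
        print(f"{finding}: {value}")
```

Any non-empty `super_admins_in_group` or `super_admins_not_excluded` result means the delegated Group Admin can, or soon could, reset a super admin's password or MFA.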