<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
0D51Y00007tEPBwSAOOkta Classic EngineAdministrationAnswered2024-04-15T12:20:55.000Z2020-02-26T16:32:17.000Z2020-02-28T17:45:12.000Z
Group Administrator able to add existing users to the group they administer.

As a workaround to the issue of group administrators not being able to add existing users to the groups they administer, we want to create a group administrator role with access to the group they actually need to administer (G1), as well as the "Everyone" built-in group (G2), which combines 1) the ability to manage all users, with 2) the ability to add users to G1, resulting in this group admin being able to add all users to G1.

 

I find however that I cannot have the built-in "Everyone" group as a target of the Group Administrator role, neither when trying through the GUI nor the API.

 

If it is not possible to use the built-in "Everyone" group, the alternative is to create a secondary "Everyone" OKTA group with all users as members through a group rule, although this is much more inelegant than using the built-in one.

 

Thus I would like to know if it should be possible to use the built-in "Everyone" group as a target of the group administrator role?

 

The way I've been trying it, resulting in an internal server error response from the API, is:

 

PUT {{url}}/api/v1/users/{{userId}}/roles/{{roleId of "group administrator" role}}/targets/groups/{{groupId of "everyone" group}}

 

The background for this requirement is an application support team who must be able to grant access to their application for any existing users, without being able to modify access to anything else.


  • OktaU.83617 (Florida Cancer Specialists)

    I have run in to the issue of delegating access like this. I didn't even come up with the workaround you outlined but may be the best we have right now. Def a feature or functionality request here.

  • JessicaW.72146 (Customer)

    Hey Erik,

     

    If you think about it, if a Group Administrator was able to add any user to the group they own, then they could essentially have access to administer every user in your Organization.

     

    I don't know if this helps you, but how we do it in our organization is by having a request flow in our service catalog (we use ServiceNow) that is automated to add the users to the Okta group necessary. You can then have approvals if you want or need for audit purposes (maybe have the app support team approve instead of having to manually grant?), or you can just not require them. You could also allow users to request the application via user self-service in Okta

    https://help.okta.com/en/prod/Content/Topics/Apps/Access_Request_Workflow.htm

    Expand Post
This question is closed.
Loading
Group Administrator able to add existing users to the group they administer.