ConanP.10061 (Greenpeace) asked a question.
Use Custom Admin Roles to limit app assignment to only specific group of users
We are trying to create an admin role that allows our regional administrators to add and remove apps only for a subset of users (the staff in their region). I tried to do this by creating an app admin role and constraining it to a resource that was a limited group of users. When I do the assignment, it says "Resource set includes resources that are not affected by the permissions in the role." which I assume means that the group of users has no relation to the app admin role.
How can I achieve this? We don't want our regional admins to be able to assign apps to people outside of their region. Is this possible?
We've made some progress and figured out how to limit app assignment to a subset of users. However, what we have discovered is that if you combine that role with one that lets and View all users, the admin can then also add or remove apps for all users, even though in the app assignment role they are constrained. I have opened up a case with Okta support but any clues in the meantime would be helpful.