Okta Classic Engine | Administration | Answered | 2024-04-16T13:46:01.000Z | 2021-12-08T19:28:42.000Z | 2021-12-10T17:27:11.000Z

lhi0u (lhi0u) asked a question.

Custom Roles and Administrators Quotas

Are there quotas associated with custom administrator roles? The documentation here https://help.okta.com/oie/en-us/Content/Topics/Security/custom-admin-role/custom-admin-roles.htm outlines the following:

 

  • You can only have 1,000 admins who have the same role and resource set combination constrained to them.

 

Does this really mean total users or just the amount of assignments that can be created? For instance if I had a group of say 2000 users that I want to assign a readonly custom role to via a group assignment what would happen?

 

I have been getting back an error when attempting to map a larger group to a custom role via APIs.

 

"* failed to create custom admin role assignment: the API returned an error: Bad request."

 

customRoleId: "REDACTED-ROLE"
members: [
  [0]: "https://REDACTED.okta.com/api/v1/groups/REDACTED"
]
resourceSetId: "REDACTED-RES-SET"


  • Hello @lhi0u (lhi0u)​,

     

    Regarding the number of admins in an Org, Okta's recommendation is: Limit the number of super admins only to users who require super admin access.

     

    An org should not have more than:

      • 50 percent of admins have super admin privileges.
      • 15 super admins.

     

    All other admins should only have the permissions as required for their role.

     

    https://help.okta.com/en/prod/Content/Topics/Security/healthinsight/limit-admins.htm

     

    Does this really mean total users or just the amount of assignments that can be created?

    This refers to the roles assignment:

     

    Role: A set of permissions that you constrain an admin to. There are two types of roles, standard, and custom. You can create a maximum of 100 roles for an org. Currently, permissions are limited to managing user, group, and app activity only.

     

    Resource set: A collection of resources. You can create a maximum of 10,000 resource sets and assign a maximum of 1,000 resources for each resource set. Currently, only user groups and apps in your org are considered as resources.

     

    In your case, since you want to apply the Custom Read-Only roles to a group of 2000 users, it is necessary to take into account that you can only have 1,000 admins who have the same role and resource set combination constrained to them. This means the only way to give them the access is to create two different roles; it could be using different names and providing on both the same permissions and resources.

     

    Here are some tips about how to do this:

     

    https://help.okta.com/oie/en-us/Content/Topics/Security/custom-admin-role/best-practices-custom-admin-roles.htm

    https://help.okta.com/oie/en-us/Content/Topics/Security/custom-admin-role/about-creating-custom-admin-roles.htm

     

    Let us know if this helps you.

     

    Regards,

     

    Natalia

    Okta Inc.

    Selected as Best
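
A pre-flight check for the quota discussed in this thread, added here as an example (it is not Okta's code and not from either poster). It assumes the 1,000-admin limit counts individual group members, as the answer reads it; the group names and sizes are constructed, and `plan_bindings` is a hypothetical helper that makes no API calls.

```python
from dataclasses import dataclass, field

# Limits quoted in this thread from the Okta documentation.
MAX_ADMINS_PER_COMBINATION = 1000  # admins sharing one role + resource set
MAX_ROLES_PER_ORG = 100

# Constructed sample input: group name -> member count.
SAMPLE_GROUPS = {
    "helpdesk-emea": 700,
    "helpdesk-amer": 600,
    "helpdesk-apac": 400,
    "all-staff-readonly": 2000,
}

@dataclass
class Binding:
    role_name: str                       # clone of the base role, same permissions
    groups: list = field(default_factory=list)
    admins: int = 0

def plan_bindings(group_sizes, base_role, existing_roles=0):
    """Pack groups into role clones so no role + resource set combination
    exceeds the limit (first-fit decreasing). Members are counted per group,
    so a user in two groups is counted twice: conservative, never too low.
    Returns (bindings, oversized); oversized groups cannot be assigned as a
    single group and must be split or reduced first."""
    oversized = {g: n for g, n in group_sizes.items()
                 if n > MAX_ADMINS_PER_COMBINATION}
    bindings = []
    for group, size in sorted(group_sizes.items(), key=lambda kv: -kv[1]):
        if group in oversized:
            continue
        target = next((b for b in bindings
                       if b.admins + size <= MAX_ADMINS_PER_COMBINATION), None)
        if target is None:
            target = Binding(f"{base_role}-{len(bindings) + 1}")
            bindings.append(target)
        target.groups.append(group)
        target.admins += size
    if existing_roles + len(bindings) > MAX_ROLES_PER_ORG:
        raise ValueError("plan exceeds the 100-roles-per-org limit")
    return bindings, oversized

if __name__ == "__main__":
    plan, too_big = plan_bindings(SAMPLE_GROUPS, "readonly-custom")
    for b in plan:
        print(b.role_name, b.groups, b.admins)
    print("split before assigning:", too_big)
```

Every group reported as oversized is also a prompt to ask whether that many accounts need an admin role at all, in line with the least-privilege guidance linked in the answer.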
This question is closed.