Okta Classic Engine | API Access Management | Answered | 2024-04-03T16:09:08.000Z | 2022-05-27T13:50:17.000Z | 2022-06-02T21:17:30.000Z

MatthewH.10249 (State of Iowa) asked a question.

Custom Role used for Group Management API calls not working

I created an Okta user account to be used as a service account, for which I logged in to Okta and generated an API token to be used by an app to manage group membership. I initially granted this service account the admin role of "Group Membership Administrator" and I was able to use Postman to successfully call the "List Group Members", "Add Group Member" and "Remove Group Member" endpoints. I was asked to see if I could create and use a custom admin role to mimic the same permissions as the "Group Membership Administrator" role. I've tried, but I cannot seem to create a custom role that will allow an assigned admin user to list, add and remove users for a given group.

I created a custom role and checked the box under "Manage group membership" labeled "View, add and remove memberships within groups". I created a resource set and, for the resource type group, selected the group I wanted to manage. I granted this custom role to the service account and tried the API; while the list group members call returned a 200 status code, it did not return any records. When I ran the add and remove group members APIs, both returned a 403 status code with an E0000006 error code, "You do not have permission to perform the requested action". I tried to use the Okta Admin site as the service account to view, add and remove group membership, but while I could see the group I could not see the members nor modify the group members. The assign button was grayed out and there was a message that said "You don't have permission to edit this group".

I went back and checked all boxes on the custom role and checked "Constrain to all" on the resource set for the group, and did the same for applications, but the APIs still did not work. When I logged in to the Admin site as the service account after these changes I could press the "Assign People" button, but on the assignment screen it would not find any users when I would search, and when I tried the "Assign all people in org" selection it returned an error after a minute or so: "Job failed There was an error assigning 24647 people to this group. Please try again".

While I granted the custom role every possible permission, when logged in as the service account I was not able to view any users. On the "People" screen, when I click "Show all users" the run indicator would just spin and never return anyone, and when I would type in a known account it would act like it did not exist.

At this point I have granted every possible permission for a custom role and granted it access to all groups and apps, but the service account still cannot perform group management via the admin website nor the API. Any ideas what I might be doing wrong, or if there is a known bug or limitation?
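An added example, not part of the original post and not Okta's own code: a Python script that issues the three calls the question describes (list, add, remove) against the Okta Groups API with the service account's API token, and classifies each response so that a 200 that returns no members (the symptom seen with the scoped-down custom role) is flagged separately from a 403 carrying Okta's errorCode E0000006. The org URL, API token, group id and user id are placeholders to be replaced, and the function names are this example's own.

```python
"""
Exercise the Okta Groups API membership calls with a service-account API
token and classify the responses, so that a role that is silently scoped
down (200 with an empty member list) is distinguished from an outright
permission failure (403, errorCode E0000006).

Added example, not from the original post. Placeholders are marked.
"""
import json
import urllib.error
import urllib.request

# Constructed placeholders; replace before running against a real org.
OKTA_ORG = "https://example.okta.com"      # assumption: org base URL
API_TOKEN = "00REPLACE_WITH_SSWS_TOKEN"     # assumption: token from Security -> API
GROUP_ID = "00gEXAMPLEGROUPID"             # assumption: group to manage
USER_ID = "00uEXAMPLEUSERID"               # assumption: user to add/remove

PERMISSION_DENIED = "E0000006"  # Okta: "You do not have permission to perform the requested action"


def group_members_request(method, group_id, user_id=None):
    """Build the request for list (GET), add (PUT) or remove (DELETE) membership."""
    path = f"/api/v1/groups/{group_id}/users"
    if user_id is not None:
        path += f"/{user_id}"
    req = urllib.request.Request(OKTA_ORG + path, method=method)
    # Okta API tokens are presented with the SSWS scheme, not Bearer.
    req.add_header("Authorization", f"SSWS {API_TOKEN}")
    req.add_header("Accept", "application/json")
    return req


def classify(method, status, body):
    """
    Map (HTTP status, parsed JSON body) to a verdict:
      "ok"                      the call did what was asked
      "permission_denied"       403 with errorCode E0000006
      "empty_result_check_role" 200 on list with no members: either the group
                                is empty or the role/resource set hides them
      "unexpected"              anything else (rate limit, 404, ...)
    """
    if status == 403 and isinstance(body, dict) and body.get("errorCode") == PERMISSION_DENIED:
        return "permission_denied"
    if method == "GET" and status == 200 and isinstance(body, list):
        return "ok" if body else "empty_result_check_role"
    # Add and remove member both return 204 No Content on success.
    if method in ("PUT", "DELETE") and status == 204:
        return "ok"
    return "unexpected"


def call(method, group_id, user_id=None):
    """Send the request and return (status, parsed body). This is the only network call."""
    req = group_members_request(method, group_id, user_id)
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as e:
        raw = e.read()
        return e.code, (json.loads(raw) if raw else None)


def check_group_admin_role(group_id, user_id):
    """List, add and remove in sequence and report a verdict for each call."""
    verdicts = {}
    verdicts["list"] = classify("GET", *call("GET", group_id))
    verdicts["add"] = classify("PUT", *call("PUT", group_id, user_id))
    verdicts["remove"] = classify("DELETE", *call("DELETE", group_id, user_id))
    return verdicts


if __name__ == "__main__":
    for op, verdict in check_group_admin_role(GROUP_ID, USER_ID).items():
        print(f"{op}: {verdict}")
```

Run it once with only the custom role assigned to the service account and once with Group Membership Administrator; a role that actually covers the group yields "ok" for all three operations, while the behaviour described in the question shows up as "empty_result_check_role" for list and "permission_denied" for add and remove. Keep the token out of the script in practice (an environment variable or secret store) and scope the account to the single group under test.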


  • User15730825753913358305 (Vendor Management)

    Hello,

    After granting additional permissions to the account, can you try to create a new API key using that account? If it fails, I would also ask you to open a ticket with support so we can further investigate it.

    Thank you.
  • MatthewH.10249 (State of Iowa)

    Creating a new API key after granting the new custom admin role did not resolve the issue. Interestingly enough, when I only have the custom admin role assigned to the user, the "Security -> API" link does not show on the admin screen when the user is logged in to Okta. I had to add the "group membership administrator" role back to get the link to show up so I could then regenerate the API token. If, after I regenerate the API token, I remove the "group membership administrator" role from the user and leave the custom role that should have the same amount of rights, the API calls from Postman fail as described before.

    For now I'll continue to use the "group membership administrator" role rather than a custom role, but I may open a support ticket as you suggest. Thanks for your input!
This question is closed.