User15804088705657348696 (Grainger) asked a question.
We have configured user with Group Administrator role (for several groups) and they're now able to create users and assign them to those groups. That said, this works when creating users one-by-one through UI only.
When creating users or assigning them to group via upload of CSV file, it ends-up with errors. Import of file succeeds, yet all the rows are erroring out.
In import result file, rows contain error message that isn't helpful:
- In case of import for creation of users, row error is "Error(s) - Failed to upload row;"
- In case of import for creation of group assignment, row error is "userNotFoundOrNotVisible"
Imports are successful when those same files are imported by Super Administrator user, clearly indicating the the issue is with Group Administrator role.
I would appreciate any advise on whether this is by design (which sounds like a flawed design) and how admin users need to be setup, so that import would be possible without involvement of Super Administrator.
Hello @User15804088705657348696 (Grainger) Thank you for reacting out to our Community!
This would be expected behaviour, as Group Administrators can not create users. Also, the import from CSV is considered a different process then the create users one.
Group Administrators can only add users to the group and not organisation, as it is stated in our doc below:
https://help.okta.com/en-us/content/topics/security/administrators-group-membership-admin.htm
Please also see:
https://help.okta.com/en-us/content/topics/security/administrators-admin-comparison.htm
Community members help others by clicking Like or Select as Best on responses. Try it today.
Follow us at OktaSupport
Thanks for the answer Paul!
I believe your first statement is somewhat misleading as Group Administrators CAN create new users, but only single user at a time and with assignment to one of the groups they manage. Quite inconvenient that there's no corresponding functionality that would allow bulk creation/assignment of users.
What is even more puzzling is that even assigning existing users to a group (in bulk, via import) does not work for Group Administrator. Is there any explanation why is that the case?
That might be because that is considered an import, and Group admin can not trigger imports.
Group Administrators can definitely run imports!
I have received explanation and recommendation from OKTA support.
Recommendation is to change Group Administrator configuration to NOT specify groups that they can administer and rather enable them to administer ALL groups in the organization. That suggestion was implemented and verified to work - Group Administrator configured in such way successfully import both files with new users and files with list of users to be assigned to (any!) group.
That solution is (obviously) not ideal, as such Group Administrator can administer all groups (pretty much eliminating usability of setting set of groups as their responsibility scope) but it works and such admins don't need to create users one-by-one.