
dse7i (dse7i) asked a question.
We want to use a custom admin role to create new groups. These new groups should be pushed to AWS automatically via push rule. Okta keeps failing to do so because it thinks the custom admin role should have privileges on the app.
We already gave our custom admin role the following permissions with a resource set with all users, groups, apps.
"okta.apps.assignment.manage",
"okta.apps.read",
"okta.groups.appAssignment.manage",
"okta.groups.create",
"okta.groups.manage",
"okta.groups.members.manage",
"okta.groups.read",
"okta.users.read",
"okta.users.appAssignment.manage",
"okta.users.groupMembership.manage",
Which permission are we missing?
https://developer.okta.com/docs/reference/api/roles/*permission-types
This is the error message in the logs
"displayMessage": "Due to improper permissions from User 00u<user-id> in creating GroupPushMapping(s) for UserGroup <our-group>, these GroupPushRule(s) have been skipped [g<grp-id>]",
"eventType": "app.user_management.grouppush.mapping.created.from.rule.errors",
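A defender-side check for the error quoted above, added here as an example and not part of the original question or of Okta's own tooling: it scans exported System Log events for the group push permission error and pulls out the admin user, group and skipped rule ids, so the failing rule can be tied back to the admin role whose permissions need review. The event records and all ids in it are constructed samples.

```python
import json
import re

# Event type taken from the error quoted in the question.
PUSH_ERROR_EVENT = "app.user_management.grouppush.mapping.created.from.rule.errors"

# Regex mirroring the displayMessage shape quoted in the question.
MSG_RE = re.compile(
    r"from User (?P<user>00u\S+) in creating GroupPushMapping\(s\) "
    r"for UserGroup (?P<group>.+?), these GroupPushRule\(s\) have been "
    r"skipped \[(?P<rules>[^\]]+)\]"
)

# Constructed sample export (JSON lines), one failure and one unrelated event.
SAMPLE_LOG = "\n".join([
    json.dumps({
        "eventType": PUSH_ERROR_EVENT,
        "outcome": {"result": "FAILURE"},
        "displayMessage": (
            "Due to improper permissions from User 00uEXAMPLE123 in creating "
            "GroupPushMapping(s) for UserGroup aws-team-alpha, these "
            "GroupPushRule(s) have been skipped [gEXAMPLE456, gEXAMPLE789]"
        ),
    }),
    json.dumps({
        "eventType": "group.user_membership.add",
        "outcome": {"result": "SUCCESS"},
        "displayMessage": "Add user to group membership",
    }),
])


def find_push_permission_failures(log_text):
    """Return one finding per group push permission error in a JSON-lines export."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("eventType") != PUSH_ERROR_EVENT:
            continue
        match = MSG_RE.search(event.get("displayMessage", ""))
        if match is None:
            # Message format changed: still surface the event, with raw text.
            findings.append({"user": None, "group": None, "rules": [],
                             "raw": event.get("displayMessage")})
            continue
        finding = match.groupdict()
        finding["rules"] = [r.strip() for r in finding["rules"].split(",")]
        findings.append(finding)
    return findings
```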

@dse7i (dse7i) - Is this group both an "App group" and a "Push group"? That may be your problem. They are supposed to be 2 different groups.
We had a brief discussion on it here:
https://support.okta.com/help/s/question/0D54z0000A4ftZhCQI/should-group-rules-be-used-to-populate-push-groups-from-assignment-groups?language=en_US
Relevant KB about having them as different groups:
https://help.okta.com/en-us/content/topics/users-groups-profiles/app-assignments-group-push.htm