
User17212091399951302375 (Customer) asked a question.
I created a new Okta user for service account purposes. I assigned the service account to a group and made it group admin. Then I created an API token to manage users within a group. It worked as I expected. But then I navigated to the group and the admin roles tab and granted 2 admin roles (Group and App admins - Entire organization) to the group. Then, the previously created group admin token does not work for creating users (403 Forbidden). I can view users. Can you explain why it's not working and suggest a solution? Thanks.

Hello @User17212091399951302375 (Customer), thank you for posting on our Community page!
This is expected behaviour as Group admins can create new users in groups that they manage, remove users from groups that they manage, and move users between groups that they manage.
Please see our doc below:
https://help.okta.com/en-us/content/topics/security/administrators-admin-comparison.htm#:~:text=Group%20admins%20can%20create%20new,manage%20groups%20with%20administrative%20roles.
Thank you for reaching out to our Community and have a great day!