<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeCommunityForum
0D5WR00001ISbl20ADOkta Classic EngineAdmin RolesAnswered2026-02-27T17:52:07.000Z2026-02-15T14:51:02.000Z2026-02-27T17:52:07.000Z

IsaacB.81593 (Customer) asked a question.

February 15, 2026 at 2:51 PM
Differences between standard and custom roles regarding groups and Org2Org

I am working on a solution using Org2Org to sync users and groups between orgs:

 

The Okta standard "group" admin is not allowed to create groups. You need "org" admin to create the group.

 

So, if I set up Org2Org from a spoke to a hub (and the app has "group" admin) and I try to add a "push group," Org2Org cannot create the group in the hub. What it can do is link to a group that already exists in the hub. I kind of like it that way.

 

But if I set up Org2Org with a "custom" role, that allows "view groups" and "manage group membership," but not "create," my spoke also cannot link to an existing group in the hub.

 

Is this difference - the inability for the custom group roles to link to hub groups if they can't also create / the ability of the standard group admin to link to a group it did not create - by design, or is it an oversight or bug? Or am I just missing something?

 

Thanks.

 

  • 1 answer
  • 97 views

  • Mihai Negoita - Okta (Okta, Inc.)

    Hi @IsaacB.81593 (Customer)​ , Thank you for reaching out to the Okta Community! 

     

    This is expected behavior/by design.  

    The Standard Admin roles pre-date the custom role functionality and were designed with a broader scope to accommodate more varied use cases at that time. 

    The newer custom roles offer increased granularity/flexibility to more closely adhere to the "least privilege" model, but you might not be able to achieve parity in permission levels with the standard roles. 

    You could try running some tests with custom roles and restrictive resource sets to see if you can achieve your desired implementation. 

     

    If you still feel this is a bug, please open a case to discuss the matter with our colleagues from the Support team, so they can bring this up with the Engineering team. 

    You can also submit a Feature Enhancement request via Okta Ideas, if you would like to see behavior changes in the current functionality. 

     

     

    If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you. 

     

    Hope my answer helps! 

     

    --

    Help others in the community by liking or hitting Select as Best if this response helped you.

    Collect them all. Learn a new skill and earn a new Okta Learning badge.

    Just released: More Okta Community badges just added

    Expand Post
    Selected as Best

  • Mihai Negoita - Okta (Okta, Inc.)

    Hi @IsaacB.81593 (Customer)​ , Thank you for reaching out to the Okta Community! 

     

    This is expected behavior/by design.  

    The Standard Admin roles pre-date the custom role functionality and were designed with a broader scope to accommodate more varied use cases at that time. 

    The newer custom roles offer increased granularity/flexibility to more closely adhere to the "least privilege" model, but you might not be able to achieve parity in permission levels with the standard roles. 

    You could try running some tests with custom roles and restrictive resource sets to see if you can achieve your desired implementation. 

     

    If you still feel this is a bug, please open a case to discuss the matter with our colleagues from the Support team, so they can bring this up with the Engineering team. 

    You can also submit a Feature Enhancement request via Okta Ideas, if you would like to see behavior changes in the current functionality. 

     

     

    If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you. 

     

    Hope my answer helps! 

     

    --

    Help others in the community by liking or hitting Select as Best if this response helped you.

    Collect them all. Learn a new skill and earn a new Okta Learning badge.

    Just released: More Okta Community badges just added

    Expand Post
    Selected as Best

Loading
Differences between standard and custom roles regarding groups and Org2Org