KathyT.73511 (Anthropic Identity) asked a question.
How can I restrict non-Super Admins from adding users to a certain group?
I have a few groups in Okta that grant Sysadmin rights to apps. The groups are push groups so when a user has been assigned, they immediately are granted Sysadmin rights in the app. There are some groups that shouldn't be populated by non-Super Admins due to that risk.
How can I set up an exception list of groups that require step up authentication by a Super Admin to add users to the groups?
Hi @KathyT.73511 (Anthropic Identity) , Thank you for reaching out to the Okta Community!
There currently is no out-of-the-box feature for step up authentication for group assignments.
You will need to reconfigure group assignments to match the permission requirements.
Or if the issue is not the groups themselves, but rather who adds users to them, you can look into configuring those sensitive groups as a custom resource which then can be assigned to specific/custom admin roles within the org.
If you are looking for more advanced options, you can look into implementing Access Request with the Okta Identity Governance features.
If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you.
Hope my answer helps!
--
Help others in the community by liking or hitting Select as Best if this response helped you.
Collect them all. Learn a new skill and earn a new Okta Learning badge.
Just released: More Okta Community badges just added
Thank you Mihai.
I did assign that group an admin role to a group that is not being used and that forced the step-up authentication. I was just hoping there was a better way. Especially one that was scalable.