AdminGroup and Okta groups


If you create custom AdminGroup for your application and are using Okta for authentication you might find this useful.

AdminGroup attribution is usually managed through those APIs:

UserAdmin.addUserToGroup(userId, adminGroupId)
UserAdmin.removeUserFromGroup(userId, adminGroupId)

Since Okta is tight to C3’s AdminGroup you also want to keep them synced.

UserAdmin.addUserToOktaGroupInEnv(,, env);
UserAdmin.removeUserFromOktaGroupInEnv(,, env);

Where env is specific to your setup. For me it is:

Cluster.hosts()[0].host.split('-app')[0] + '/tenant'

If you dont keep Okta and C3 groups synced you might experience weird things, like users getting back on groups you removed them from or even users not able to access the app.


UserAdmin.addUserToGroup() and UserAdmin.removeUserFromGroup() always synchronize group membership to Okta. If you experience weird things with group membership, please log the corresponding jira issues, they are either bugs or issues related to copying data between Prod and QA environments (I know of one case, which might be the one you are experiencing the issues with).
Also, please do not use the UserAdmin.addUserToOktagroupInEnv() and UserAdmin.removeUserFromOktaGroupInEnv() actions, they were experimental and have been removed in 7.8.