---
title: Okta administrator role assigned to group
description: Datadog, the leading service for cloud-scale monitoring.
---

# Okta administrator role assigned to group

- Classification: attack
- Tactic: [TA0004-privilege-escalation](https://attack.mitre.org/tactics/TA0004)
- Technique: [T1098-account-manipulation](https://attack.mitre.org/techniques/T1098)

## Goal{% #goal %}

Detect when an administrator role is assigned to a group in Okta.

## Strategy{% #strategy %}

This rule monitors Okta logs for successful `group.privilege.grant` events where the `@debugContext.debugData.privilegeGranted` field contains `administrator`. Assigning administrative roles to groups can rapidly expand privileged access across all group members, making it a high-impact change that warrants scrutiny even when performed by authorized personnel.

## Triage and response{% #triage-and-response %}

- Determine if `{{@actor.displayName}}` had a legitimate reason to assign an administrator role to the `{{@target.displayName}}` group.
- Review the specific administrator role granted in `@debugContext.debugData.privilegeGranted` and assess the scope of permissions it provides.
- Identify the members of the `{{@target.displayName}}` group to understand how many users received elevated privileges.
- Check for other recent privilege escalation or group membership changes by `{{@actor.displayName}}` in Okta.
- Verify whether the change aligns with an approved access request or change management ticket.
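
The matching logic from the Strategy section, plus the per-actor review from the triage list, as an added example that is not Datadog's rule definition. The event layout, the sample names and roles, and the case-insensitive match are assumptions; the events are constructed.

```python
# Constructed sample events (not real data). The field layout is an assumption
# modelled on the attributes the rule references.
def ev(event_type, result, actor, group, privilege):
    return {
        "eventType": event_type,
        "outcome": {"result": result},
        "actor": {"displayName": actor},
        "target": [{"displayName": group}],
        "debugContext": {"debugData": {"privilegeGranted": privilege}},
    }

SAMPLE_EVENTS = [
    ev("group.privilege.grant", "SUCCESS", "Alice Example", "IT-Helpdesk", "Super administrator"),
    ev("group.privilege.grant", "FAILURE", "Bob Example", "Contractors", "Super administrator"),
    ev("group.user_membership.add", "SUCCESS", "Alice Example", "IT-Helpdesk", None),
    ev("group.privilege.grant", "SUCCESS", "Alice Example", "App-Owners", "Application administrator"),
    {"eventType": "group.privilege.grant", "outcome": {"result": "SUCCESS"}},  # debugData absent
]

def dig(obj, *keys):
    """Walk nested dicts; return None if any level is missing or not a dict."""
    for key in keys:
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj

def is_admin_group_grant(event):
    """Successful group.privilege.grant whose privilegeGranted contains 'administrator'."""
    granted = dig(event, "debugContext", "debugData", "privilegeGranted")
    return (
        event.get("eventType") == "group.privilege.grant"
        and dig(event, "outcome", "result") == "SUCCESS"
        and isinstance(granted, str)
        and "administrator" in granted.lower()  # case-insensitive match is an assumption
    )

def grants_by_actor(events):
    """Map each actor to the (group, role) pairs they granted, to spot repeat grants."""
    out = {}
    for e in filter(is_admin_group_grant, events):
        actor = dig(e, "actor", "displayName") or "<unknown actor>"
        role = dig(e, "debugContext", "debugData", "privilegeGranted")
        groups = [t.get("displayName") for t in e.get("target") or [] if isinstance(t, dict)]
        out.setdefault(actor, []).extend((g, role) for g in groups)
    return out

if __name__ == "__main__":
    for actor, grants in grants_by_actor(SAMPLE_EVENTS).items():
        print(actor, grants)
```

The failed grant, the membership change, and the event with no `debugData` are ignored, so only the two successful administrator grants are reported under the same actor.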
