Limit service application scopes to groups or apps

Hello. Hope this is not already in the forum. I didn’t find it.

Situation:
I created a service application using a public-private keypair.
Set okta.users.manage scope to the app.
My golang app authenticates OK, and is able to modify users, i.e. suspend or deactivate them.

Question:
Does the possibility exist of narrowing the scope to a group?
I mean, I want to allow okta.users.manage only on users that belong to a group or an app.

Thanks.

Hey kungfoo. Are you saying you want to limit the users who can use the granted access tokens to a group or app? If so, then yes - that is possible. Any user not assigned to the application that grants the OAuth-for-Okta tokens cannot use the tokens to perform administrative tasks. So, if you wanted to allow only a certain group in your org to use the tokens, you would assign that group to the application you created.

However, if you’re asking whether it’s possible to make it so administrative API calls can only be made on certain users/groups based off the scoped access token, the answer would be no.