Additional Admin Console Security
Last Updated: April 07, 2026
The topic below discusses an extra level of security using a group attribute statement related to the Okta identity provider configurations. While not commonly used, some organizations require this additional security level. Please read the following thoroughly to determine if this is something your organization needs.
Users and groups provisioned to the Vasion Print application must be added to the Users list (Tools > Users) within the Admin Console and assigned a specific role before they can log in. Without the group attribute statement, multiple groups or users added to the Users list can log in. This is normal behavior where admins define access within the application. With the group attribute statement, only members of a single group defined within the identity provider can access the Admin Console. All other Admin Console login attempts will fail, even from other users and groups added to the Users list, since the login fails at the identity provider level rather than the Admin Console level.
Organizations using the group attribute statement must create a group containing all desired Admin Console users and define it within the identity provider. The role applied within the Admin Console applies to all members within the group. Apply roles to individual users in the Users list for different access levels.
Remember this when applying the role to the group in the Users list. If not all group members should have administrator access, then apply a non-administrator role, such as Help Desk or Site Manager, to the group. To grant higher permissions, apply the administrator or other roles to individual users from the group.
If you are not interested in using this option, the Vasion Print Admin Group Name field within the IdP Settings template must be left blank. Adding a value there will deny login access for groups and users within groups that do not match the value.
The group attribute statement is only available for SCIM provisioning and is not compatible with JIT provisioning.
Define the Okta Group
- In your Okta Portal, ensure you have a group created that contains all users you want to have any level of access into the Vasion Print Admin Console.
- Ensure this group is assigned the Okta app you created for Vasion Print.
- Reference 6. Configure Provisioning (SCIM Provisioning).
To define the group within the Okta app:
- Sign in to your Okta Portal.
- In the left-side navigation, expand Applications and select the Applications option.
- Select your configured Vasion Print app.
- Select the Sign On tab of the Okta app, then select the Edit link on the right.
- In the groups field, select the Equals filter from the drop-down.
- In the blank field provided, enter the name of the group you have assigned to the app for exclusive access to the Vasion Print Admin Console.
- Select Save.
Note the spelling; the entry made in Vasion Print must be an exact match.
Define Vasion Print Admin Group Name
- In your Vasion Print Admin Console go to Tools > Settings > General.
- In the Identity Provider Settings section, select IdP, select your IdP app, then select Modify.
- In the Admin Group Name field type the same group name you entered in the IdP.
- Select Apply, then select Save.
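One way to check the exact-match requirement after a test sign-in, as an added example that is not Vasion or Okta code: it reads a decoded assertion and classifies how the group value compares with the Admin Group Name. It assumes the group attribute statement arrives as a SAML 2.0 attribute named `groups`; the sample assertion and the group name `VP-Admin-Console` are constructed, and the script does not validate the assertion signature.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the attribute portion of a decoded assertion.
# "VP-Admin-Console" is a placeholder group name, not a product default.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>VP-Admin-Console</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def group_values(assertion_xml, attribute_name="groups"):
    """Return every value of the named attribute (name is an assumption)."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iter("{%s}Attribute" % SAML_NS["saml"]):
        if attr.get("Name") == attribute_name:
            found = attr.findall("saml:AttributeValue", SAML_NS)
            values += [v.text or "" for v in found]
    return values


def check_admin_group(assertion_xml, admin_group_name):
    """Classify the asserted groups against the Admin Group Name field."""
    values = group_values(assertion_xml)
    if not values:
        return "missing"    # no groups attribute present in the assertion
    if admin_group_name in values:
        return "match"      # byte-for-byte equal, as the page requires
    wanted = admin_group_name.strip().casefold()
    if any(v.strip().casefold() == wanted for v in values):
        return "near-miss"  # differs only by case or surrounding whitespace
    return "mismatch"


if __name__ == "__main__":
    for name in ("VP-Admin-Console", "vp-admin-console ", "Help-Desk"):
        print(repr(name), "->", check_admin_group(SAMPLE_ASSERTION, name))
```

A `near-miss` result points at a spelling, case or trailing-space difference between the two fields, which is not an exact match.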
Add Group / User Roles
- If this group was not added to the Users list when you configured the IdP initially, go to Tools > Users.
- Select Add User > IdP Group / User > Group or Add User > User or Group > Group.
- Select Search. No text input is required; however, searching by group name might return results faster.
- Select the checkbox next to the defined group, and then select Add.
- Assign the appropriate role for the group.
Only add this group with an Administrator role if you want all members in the group to have full access to the Admin Console and feature settings. If not all group members should have administrator access, then apply a non-administrator role, such as Help Desk or Site Manager, to the group. To grant higher permissions, apply the administrator or other roles to individual users from the group.
Members of the group used will now have access to the Admin Console when signing in.


