https://support.okta.com/help/answers?id=906f0000000i04zias&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
Wayne Kalsey

Nesting Groups

Hello,

We have a group named Box_Users in our Active Directory that syncs up to Okta.  We have to add each individual to this group in order for them to have access to Box.

There is a built-in group within AD named "Domain Users".  Instead of adding each individual to Box_Users, we would like to just add "Domain Users" to the Box_Users group.  Does Okta support this type of nesting?

Unfortunately, we can't use the built-in Okta group "Everyone" because we don't want our Okta Mastered users to see the Box icon.

Any thoughts on this would be appreciated.
James Garvin (Okta)
Hi Wayne,

There is an Early Access Feature called Group Membership Rules, which will allow you to create a dynamic group membership rule based on specific criteria, like "is a member of Domain Users."  You would need to contact Support to enable this feature.  

You could create an Okta Mastered Group, set the rule for the Group "is a member of Domain Users," and then push that group to Box.  That would solve your problem and allow you more robust management.  
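The rule James describes, written out as an added example (this is not code from the thread or from Okta): it builds the body of an Okta Group Membership Rule whose condition is `isMemberOfGroupName("Domain Users")`, shows the two API calls that create and then activate it, and runs a local dry run of that one expression function over a constructed set of users so you can see who would be pulled into the target group before anything is activated. The org URL, API token, target group ID and the sample users are all assumptions made up for illustration; the dry run mimics only `isMemberOfGroupName`, not Okta's full expression evaluator.

```python
"""Added example, not from the Okta thread: build, dry-run and (optionally)
activate a group rule that puts every member of "Domain Users" into an
Okta-mastered group that is then pushed to Box.

Everything below the comment 'constructed' is made up for illustration.
"""
import json
import re
import urllib.request

# Okta Expression Language condition for a Group Membership Rule:
# true for a user who belongs to a group with this display name.
RULE_EXPRESSION = 'isMemberOfGroupName("Domain Users")'


def build_group_rule(name, expression, target_group_ids):
    """Return the JSON body for POST /api/v1/groups/rules."""
    return {
        "type": "group_rule",
        "name": name,
        "conditions": {
            "expression": {"value": expression, "type": "urn:okta:expression:1.0"}
        },
        "actions": {"assignUserToGroups": {"groupIds": list(target_group_ids)}},
    }


def create_and_activate_rule(org_url, api_token, body):
    """Create the rule, then activate it (new rules start INACTIVE).
    Performs network calls; not exercised by the dry run below."""
    def post(path, payload=None):
        req = urllib.request.Request(
            f"{org_url}{path}",
            data=json.dumps(payload).encode() if payload is not None else b"",
            method="POST",
            headers={
                "Authorization": f"SSWS {api_token}",  # Okta API token header
                "Content-Type": "application/json",
                "Accept": "application/json",
            },
        )
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()              # activate returns an empty 204 body
            return json.loads(raw) if raw else {}

    rule = post("/api/v1/groups/rules", body)
    post(f"/api/v1/groups/rules/{rule['id']}/lifecycle/activate")
    return rule


def members_under_rule(expression, users):
    """Local dry run of isMemberOfGroupName("..."): return the logins of the
    users the rule would add to the target group. Only this one function is
    modelled; anything else raises."""
    match = re.fullmatch(r'isMemberOfGroupName\("([^"]+)"\)', expression)
    if not match:
        raise ValueError(f"unsupported expression: {expression}")
    wanted = match.group(1)
    return sorted(login for login, groups in users.items() if wanted in groups)


# constructed: two AD-sourced users and one Okta-mastered user who was never
# in AD, so the rule must leave the third one out (the poster's requirement).
SAMPLE_USERS = {
    "alice@example.com": {"Domain Users", "Finance"},
    "bob@example.com": {"Domain Users"},
    "contractor@example.com": set(),
}

if __name__ == "__main__":
    body = build_group_rule("Domain Users -> Box_Users", RULE_EXPRESSION,
                            ["00gEXAMPLEGROUPID"])      # assumed group ID
    print(json.dumps(body, indent=2))
    print("would be added:", members_under_rule(RULE_EXPRESSION, SAMPLE_USERS))
    # create_and_activate_rule("https://example.okta.com", "<api token>", body)
```

Two checks worth doing before activating such a rule: matching by group name will match any imported group called "Domain Users", so if more than one domain is integrated, key the rule to the specific group's ID with `isMemberOfGroup("<groupId>")` instead; and confirm that Okta actually shows members for the imported "Domain Users" group, because in Active Directory membership of a user's primary group is recorded on the user (`primaryGroupID`) rather than in the group's `member` attribute, so a rule keyed to it is only useful if that membership is visible in Okta. Keep the API token out of the script (read it from an environment variable or a secrets manager) since an SSWS token carries the admin's full privileges.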
Wils Dawson (Okta, Inc.)
Hi Wayne,

Is there a reason why you can't assign the "Domain Users" AD group to Box? That way you can get a direct assignment without the nesting you're talking about. Another approach to this might be to use our Group Membership Rules: https://support.okta.com/help/articles/Knowledge_Article/Using-Group-Membership-Rules

Hope that helps,
Wils
Wayne Kalsey
Thank you both for your replies.

In answer to the question about 'why can't I assign the Domain Users AD group to Box', that is because it does not appear in an OU that gets imported from Okta.  It is in the "Built In" OU of AD.  That is not listed in the Directory Integrations.  Were you able to import Domain Users?

Group membership rules sounds like a possible option.

Based on both responses, you got me thinking... I see that you can attach a directory to a group.  So I am thinking of creating an Okta Mastered group and then attaching the domain directory to that group.  Does that sound like it would work?

Wils Dawson (Okta, Inc.)
Gotcha. I'll let James take it from here as he's more familiar with that.