Group Membership Rules (Beta) Skip to main content
How satisfied are you with the Okta Help Center?
Thank you for your feedback!
How satisfied are you with the Okta Help Center?
Very Dissatisfied
Very satisfied
Enter content less than 200 characters.

Group Membership Rules (Beta)

Aug 26, 2015 | by Thomas Hill in Administration

Original Author: Aaron Yee, Technical Marketing Manage, Okta

We are excited to release a beta feature called Group Membership Rules!  Formerly known as Rules Engine, Attribute-based Groups, and Dynamic Groups (too many names!), this powerful enhancement makes the administration of groups easier and more automated.

Disclaimer: During beta, this feature can be evaluated by all customers (regardless of Okta edition). However, after this feature progresses from beta to EA, it will be available only in the Enterprise Plus Edition of Okta.



Groups are quite important within Okta. They determine who gets access to applications, who gets assigned a certain role in an app, who gets subjected to security policies, etc. In short, they simplify administration. However, managing groups can be tedious, especially if users must be manually added to and removed from them.


The Enhancement

Group Membership Rules automatically populate Okta groups with users based off conditions that you define. For example, instead of manually populating a Sales group in Okta, you can define a rule that populates the group with users whose attribute department=“sales”. If a user’s attribute value changes, Okta will reevaluate the rule and remove the user from the group if needed. Rules can be defined from the following:

  • A single attribute
  • Multiple attributes
  • A single group
  • Multiple groups
  • Combinations of attributes and groups                               

The resulting groups can then be used just like any other group in Okta. Groups are commonly used to assign SSO access within Okta and to provision users to apps with specific entitlements (roles, profiles, etc). When rules are configured to populate groups based off attributes, you achieve attributed-based access control (ABAC).

Example Screenshots

Populate a Group From an Attribute


Populate a Group From Existing Groups


Populate a Group From Groups and Attributes Using Okta's Expression Language


To Participate in the Beta

  • Send an email to with a subject of "Group Membership Rules". Please include the following:
    • Your name
    • Contact info (email and phone)
    • End-to-end description of what you hope to achieve with this feature.
  • Your participation won't take much time
    • I will personally contact you, send more documentation and enable the feature
    • It takes 5 minutes to configure
    • You play with the feature, and I'll contact you after 2-3 weeks to get feedback




  • Vikash Daya on March 21, 2018

    How do we use string arrays in group rules?  Online documentation does not cover this.

    I have a user attribute for Role (type=string with enumerated values) and an attribute for Environment (type=string array with enumerated values).  I can evaluate the Role using [user.role=="some role"] but can't find any documentation that shows how to evaluate a string array. I'm assuming this would be something like [Array.contains(user.environment,"demo")] or [String.stringContains(user.environment,"demo")].
    None of these work.

    Can you advise on how to evaluate arrays that contain enumerated values please?

    Thanks in advance.