Original Author: Aaron Yee, Technical Marketing Manager, Okta
We are excited to release a beta feature called Group Membership Rules! Formerly known as Rules Engine, Attribute-based Groups, and Dynamic Groups (too many names!), this powerful enhancement makes the administration of groups easier and more automated.
Disclaimer: During beta, this feature can be evaluated by all customers (regardless of Okta edition). However, after this feature progresses from beta to EA, it will be available only in the Enterprise Plus Edition of Okta.
Groups are quite important within Okta. They determine who gets access to applications, who gets assigned a certain role in an app, who gets subjected to security policies, etc. In short, they simplify administration. However, managing groups can be tedious, especially if users must be manually added to and removed from them.
Group Membership Rules automatically populate Okta groups with users based on conditions that you define. For example, instead of manually populating a Sales group in Okta, you can define a rule that populates the group with users whose attribute department="sales". If a user's attribute value changes, Okta will reevaluate the rule and remove the user from the group if needed. Rules can be defined from the following:
- A single attribute
- Multiple attributes
- A single group
- Multiple groups
- Combinations of attributes and groups
The resulting groups can then be used just like any other group in Okta. Groups are commonly used to assign SSO access within Okta and to provision users to apps with specific entitlements (roles, profiles, etc.). When rules are configured to populate groups based on attributes, you achieve attribute-based access control (ABAC).
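The following is an added illustration, not Okta's code or API: a simplified model of rule-driven membership showing how re-evaluation after an attribute change revokes membership, including in a group whose rule depends on another rule-populated group. The names `User`, `Rule`, `reconcile`, `RULES` and the sample groups and user are hypothetical, and the model assumes each target group is populated only by its rule.

```python
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class User:
    login: str
    attrs: dict
    groups: set = field(default_factory=set)

@dataclass
class Rule:
    target: str                        # group this rule populates
    condition: Callable[[User], bool]  # True when the user belongs in target

def reconcile(user, rules, max_passes=10):
    """Re-evaluate all rules until membership is stable; return the changes."""
    before = set(user.groups)
    for _ in range(max_passes):
        changed = False
        for rule in rules:
            wanted = bool(rule.condition(user))
            if wanted != (rule.target in user.groups):
                (user.groups.add if wanted else user.groups.discard)(rule.target)
                changed = True
        if not changed:
            break
    return {"added": sorted(user.groups - before),
            "removed": sorted(before - user.groups)}

RULES = [
    # Combination of a group and an attribute; depends on the Sales rule below.
    Rule("CRM-Admins", lambda u: "Sales" in u.groups and u.attrs.get("title") == "manager"),
    # Single attribute, as in the department="sales" example above.
    Rule("Sales", lambda u: u.attrs.get("department") == "sales"),
    # Multiple attributes.
    Rule("Sales-EMEA", lambda u: u.attrs.get("department") == "sales"
                                 and u.attrs.get("region") == "EMEA"),
]

def demo():
    # Constructed sample user.
    u = User("pat@example.com", {"department": "sales", "region": "EMEA", "title": "manager"})
    joined = reconcile(u, RULES)
    u.attrs["department"] = "finance"   # attribute change triggers re-evaluation
    left = reconcile(u, RULES)
    return joined, left, u.groups

if __name__ == "__main__":
    print(demo())
```

Because CRM-Admins is conditioned on Sales membership, a single pass over the rules is not enough; the loop repeats until nothing changes so that dependent access is revoked in the same re-evaluation.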
Populate a Group From an Attribute
Populate a Group From Existing Groups
Populate a Group From Groups and Attributes Using Okta's Expression Language
To Participate in the Beta
- Send an email to firstname.lastname@example.org with a subject of "Group Membership Rules". Please include the following:
  - Your name
  - Contact info (email and phone)
  - End-to-end description of what you hope to achieve with this feature.
- Your participation won't take much time
  - I will personally contact you, send more documentation and enable the feature
  - It takes 5 minutes to configure
  - You play with the feature, and I'll contact you after 2-3 weeks to get feedback