According to the Okta Expression Language article on group rules, Time functions are not supported in group rules, but this can be bypassed by leveraging another attribute that will hold a temporary value, based on which a group rule will be defined.

NOTE: This also applies to any other profile master with a string DateTime attribute. For consistency purposes, the Time.now function is not recommended for use.

• Okta Expression Language (OEL)
• Group Rules
• Active Directory (AD)
• Attribute Level Mastery

Please follow the below video or steps:

1. Define a boolean data type attribute on the Okta profile, which will hold the temporary value by navigating to the Directory > Profile Editor > User(default) and clicking the +Add Attirbute button, defining the attribute as shown below:

2. Next, create a new mapping for the above attribute from the AD attribute, which passes the account creation date value from AD to Okta (in this case, it will be appuser.whenCreated) by using the following expression:

   (Time.fromIso8601ToWindows(appuser.whenCreated) >= Time.fromIso8601ToWindows("2022-01-01T00:00:00.000Z")) ? true:false

 

NOTE: The whenCreated field is not imported from Active Directory by default and needs to be added.
 

3. Now, proceed to create the rule that will parse the new attribute created, which will only contain the user.createdLater == true expression for parsing:

Related References

• Okta Expression Language