Okta Group Rule Limitations and Restrictions
Overview

Okta Group Rules have specific limitations and restrictions that affect rule creation, assignment targets, user attribute support, and editing behavior. Review the following constraints, including group assignment limits, user exclusion limits, realm scoping, and expression language restrictions, to successfully deploy and manage Group Rules within an Okta organization.

Applies To
  • Okta Classic Engine
  • Okta Identity Engine (OIE)
  • Group Rules
  • Attributes
  • Lifecycle Management
  • Custom Profiles
  • Non-Default User Types
  • Okta Expression Language (OEL)
  • User Statuses
Solution

What are the limitations and restrictions for Okta Group Rules?

The following limitations and restrictions apply to Okta Group Rules.

General Limitations

  • An Okta org can support up to 2,000 Group Rules.
  • Group Rule names support a maximum of 50 characters.
  • A single Group Rule can assign users to up to 100 groups. See Create Group Rules for details.
  • A single Group Rule can exclude up to 100 users. See Create Group Rules for details.

Rule Creation and Conditions

  • Basic condition (attribute-based) Group Rules support only string attributes. Conditions on attributes of other types must be written as an expression.
  • The value returned by a Group Rule expression must be a Boolean.
  • The Convert and Time function groups of the Okta Expression Language are not supported in Group Rule expressions.
  • Cascading rules cause performance issues and must be avoided. A cascading rule is a Group Rule that references groups also populated by one or more other Okta Group Rules.
    • Incorrect method:
      • Rule 1: IF user.city == "San Francisco", THEN assign to group "California".
      • Rule 2: IF isMemberOfGroupName("California"), THEN assign to group "West Coast".
    • Correct method:
      • Create one rule: IF user.city == "San Francisco", THEN assign user to "California" AND "West Coast".
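The cascade check above can be automated against the rule objects returned by GET /api/v1/groups/rules. The following script is an added example and not code from the article or from Okta: it maps every target group to the rules that populate it, then flags any rule whose expression tests membership of such a group, and also flags Convert and Time calls. It goes beyond the page's isMemberOfGroupName case by handling the ID-based (isMemberOfGroup, isMemberOfAnyGroup) and prefix/contains/regex forms of the membership functions. The sample rules, group IDs, group names and the user.hireDate attribute are constructed for the example.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample data (not from a real org). The rule objects mimic the shape of
# GET /api/v1/groups/rules; the group IDs, names and attribute names are made up.
SAMPLE_GROUPS = {"00gCA": "California", "00gWC": "West Coast", "00gNEW": "New hires"}
SAMPLE_RULES = [
    {"id": "0pr1", "name": "CA by city",
     "conditions": {"expression": {"value": 'user.city == "San Francisco"'}},
     "actions": {"assignUserToGroups": {"groupIds": ["00gCA"]}}},
    # Cascade: tests membership of "California", which rule 0pr1 populates.
    {"id": "0pr2", "name": "West Coast from CA",
     "conditions": {"expression": {"value": 'isMemberOfGroupName("California")'}},
     "actions": {"assignUserToGroups": {"groupIds": ["00gWC"]}}},
    # Uses a Time function, which Group Rule expressions do not support.
    {"id": "0pr3", "name": "Recent hires",
     "conditions": {"expression": {"value": 'Time.now() < user.hireDate'}},
     "actions": {"assignUserToGroups": {"groupIds": ["00gNEW"]}}},
]

# isMemberOf*(...) calls, the quoted literals in their argument list, and Convert/Time calls.
CALL_RE = re.compile(r"\b(isMemberOf\w+)\s*\(([^)]*)\)")
LITERAL_RE = re.compile(r'"([^"]*)"|\'([^\']*)\'')
UNSUPPORTED_RE = re.compile(r"\b((?:Convert|Time)\.\w+)\s*\(")


def _matches(func: str, literal: str, group_id: str, group_name: str) -> bool:
    """Does this isMemberOf* call with this literal argument test membership of the group?"""
    if func in ("isMemberOfGroup", "isMemberOfAnyGroup"):
        return literal == group_id
    if func == "isMemberOfGroupName":
        return literal == group_name
    if func == "isMemberOfGroupNameStartsWith":
        return group_name.startswith(literal)
    if func == "isMemberOfGroupNameContains":
        return literal in group_name
    if func == "isMemberOfGroupNameRegex":
        return re.search(literal, group_name) is not None
    return False  # unknown function: do not guess


def referenced_groups(expression: str, groups: Dict[str, str]) -> Set[str]:
    """IDs of the groups whose membership an expression tests."""
    hits: Set[str] = set()
    for func, args in CALL_RE.findall(expression):
        for quoted in LITERAL_RE.findall(args):
            literal = quoted[0] or quoted[1]
            for gid, gname in groups.items():
                if _matches(func, literal, gid, gname):
                    hits.add(gid)
    return hits


def unsupported_functions(expression: str) -> List[str]:
    """Convert.* and Time.* calls, which Group Rule expressions do not support."""
    return sorted(set(UNSUPPORTED_RE.findall(expression)))


def find_cascades(rules: List[dict], groups: Dict[str, str]) -> Dict[str, List[Tuple[str, str]]]:
    """Map each cascading rule ID to (upstream rule ID, group ID) pairs: the rule's
    condition depends on a group that the upstream rule populates."""
    populated_by: Dict[str, List[str]] = {}
    for rule in rules:
        for gid in rule["actions"]["assignUserToGroups"]["groupIds"]:
            populated_by.setdefault(gid, []).append(rule["id"])
    cascades: Dict[str, List[Tuple[str, str]]] = {}
    for rule in rules:
        expr = rule["conditions"]["expression"]["value"]
        for gid in sorted(referenced_groups(expr, groups)):
            for upstream in populated_by.get(gid, []):
                if upstream != rule["id"]:
                    cascades.setdefault(rule["id"], []).append((upstream, gid))
    return cascades


def lint(rules: List[dict], groups: Dict[str, str]) -> List[str]:
    """Human-readable findings from both checks."""
    findings = []
    for rule_id, deps in find_cascades(rules, groups).items():
        for upstream, gid in deps:
            findings.append(f"{rule_id}: cascades on {groups.get(gid, gid)} (populated by {upstream}); "
                            f"fold its condition into {upstream} and add the target group there")
    for rule in rules:
        for fn in unsupported_functions(rule["conditions"]["expression"]["value"]):
            findings.append(f"{rule['id']}: uses unsupported function {fn}()")
    return findings


if __name__ == "__main__":
    for line in lint(SAMPLE_RULES, SAMPLE_GROUPS):
        print(line)
```

The finding for a cascade names the upstream rule so the fix matches the "correct method" above: move the downstream condition into the upstream rule and add the second target group there. Group names change, so feed the script a fresh id-to-name map from GET /api/v1/groups each run rather than a cached one.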


Rule Assignment Targets

  • Group Rules cannot be used to assign users to admin groups.
  • A group that is already the target of a Group Rule cannot be granted admin privileges.
  • The target groups assigned to a Group Rule cannot be modified after the rule is created. To change which groups a rule assigns users to, the existing rule must be deleted and a new rule must be created with the updated target groups.


Editing Rule Conditions

Only inactive Group Rules can be edited. To change the conditions or expression of an active Group Rule:

  1. Deactivate the rule.
  2. Edit the rule conditions.
  3. Reactivate the rule.

See Edit Group Rules for details.

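The same three steps, driven through the Groups API, as an added example (not Okta's code and not from this article): POST .../lifecycle/deactivate, PUT .../groups/rules/{ruleId} with the edited rule, then POST .../lifecycle/activate. Before calling the API it checks the edited rule against the limits listed under General Limitations and refuses to change the target groups, which cannot be edited after creation. The FakeOkta class, run_demo and every ID are constructed stand-ins so the block runs offline; a real send function would wrap an HTTP client that sets the SSWS Authorization header.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Limits stated in this article.
MAX_NAME_LEN = 50
MAX_TARGET_GROUPS = 100
MAX_EXCLUDED_USERS = 100

# send(method, path, body) performs one API call and returns the parsed JSON body.
# In production this wraps an HTTP client carrying the SSWS API token;
# FakeOkta below stands in so the example runs offline.
Sender = Callable[[str, str, Optional[dict]], dict]


def validate_rule(rule: dict) -> List[str]:
    """Pre-flight checks against the documented limits; returns a list of problems."""
    problems = []
    name = rule.get("name", "")
    if not 1 <= len(name) <= MAX_NAME_LEN:
        problems.append(f"name must be 1-{MAX_NAME_LEN} characters (got {len(name)})")
    group_ids = rule["actions"]["assignUserToGroups"]["groupIds"]
    if len(group_ids) > MAX_TARGET_GROUPS:
        problems.append(f"assigns {len(group_ids)} groups; limit is {MAX_TARGET_GROUPS}")
    excluded = rule["conditions"].get("people", {}).get("users", {}).get("exclude", [])
    if len(excluded) > MAX_EXCLUDED_USERS:
        problems.append(f"excludes {len(excluded)} users; limit is {MAX_EXCLUDED_USERS}")
    return problems


def edit_rule(current: dict, send: Sender, *, expression: Optional[str] = None,
              group_ids: Optional[List[str]] = None) -> dict:
    """Edit an existing rule with the documented sequence: deactivate, PUT, reactivate.
    Target groups are carried over unchanged because they can't be modified after
    creation; asking for different ones is refused rather than silently ignored."""
    current_groups = list(current["actions"]["assignUserToGroups"]["groupIds"])
    if group_ids is not None and sorted(group_ids) != sorted(current_groups):
        raise ValueError(f"target groups of {current['id']} can't be changed; "
                         "delete the rule and create a new one")
    current_expr = current["conditions"]["expression"]["value"]
    updated = {
        "type": "group_rule",
        "name": current["name"],
        "conditions": {
            "people": current["conditions"].get("people", {}),
            "expression": {"value": expression if expression is not None else current_expr,
                           "type": "urn:okta:expression:1.0"},
        },
        "actions": {"assignUserToGroups": {"groupIds": current_groups}},
    }
    problems = validate_rule(updated)
    if problems:
        raise ValueError("; ".join(problems))
    base = f"/api/v1/groups/rules/{current['id']}"
    if current.get("status") == "ACTIVE":
        send("POST", f"{base}/lifecycle/deactivate", None)   # step 1
    result = send("PUT", base, updated)                       # step 2
    send("POST", f"{base}/lifecycle/activate", None)          # step 3
    return result


class FakeOkta:
    """In-memory stand-in for the Groups API, sufficient to exercise the flow offline.
    It mirrors the one behaviour this section is about: only an INACTIVE rule accepts a PUT."""

    def __init__(self, rules: Dict[str, dict]):
        self.rules = rules
        self.calls: List[Tuple[str, str]] = []

    def send(self, method: str, path: str, body: Optional[dict]) -> dict:
        self.calls.append((method, path))
        rule = self.rules[path.split("/")[5]]
        if path.endswith("/lifecycle/deactivate"):
            rule["status"] = "INACTIVE"
        elif path.endswith("/lifecycle/activate"):
            rule["status"] = "ACTIVE"
        elif method == "PUT":
            if rule["status"] != "INACTIVE":
                raise RuntimeError("rule must be INACTIVE before it can be edited")
            rule.update(body)
        else:
            raise RuntimeError(f"unexpected {method} {path}")
        return dict(rule)


def run_demo() -> FakeOkta:
    """Constructed sample: one active rule whose expression is changed offline."""
    okta = FakeOkta({"0prSAMPLE": {
        "id": "0prSAMPLE", "status": "ACTIVE", "type": "group_rule", "name": "CA by city",
        "conditions": {"people": {"users": {"exclude": ["00uEXCLUDED"]}},
                       "expression": {"value": 'user.city == "San Francisco"',
                                      "type": "urn:okta:expression:1.0"}},
        "actions": {"assignUserToGroups": {"groupIds": ["00gCA", "00gWC"]}},
    }})
    edit_rule(okta.rules["0prSAMPLE"], okta.send, expression='user.city == "Oakland"')
    return okta


if __name__ == "__main__":
    print(run_demo().calls)
```

The rule does not evaluate while it is inactive, so run the sequence against a non-production rule first and keep the window between deactivate and activate short; if the PUT fails, the handler should still reactivate the original rule rather than leave it inactive.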
Administrative Permissions

  • Only Super Admins and Org Admins can edit Group Rules.
  • Group Admins who manage all groups can search for and view Group Rules; Group Admins scoped to individual groups cannot.


Group Rule Scope

Group Rules apply across the entire Okta organization; they cannot be scoped to a specific realm or to a subset of users. See Realms requirements for details.


User Attributes and Types

  • Group Rules support the user.getInternalProperty("status") function to retrieve the current status of a user. See Okta user ID and status for details. Other internal system attributes are not supported in Group Rules.
  • Group Rules are validated only against the default Okta user type, so attributes that exist only in a custom user type are effectively unsupported:
    • An expression that is not valid for the default Okta user type, for example one that references a property defined only in a custom user type, cannot be saved or previewed.
    • If a Group Rule references a property that exists in the default Okta user type but not in a custom user type, that property evaluates to null for users of the custom type, and the rule condition is evaluated with that null value.

Okta Identity Engine and Expression Language

In Okta Identity Engine orgs, Okta Expression Language (OEL) expressions used outside of application policies, such as Group Rule expressions, must continue to use the features and syntax of the legacy Okta Expression Language.

User Status and Rule Execution

Group Rules do not apply to Deactivated or Deleted users.

  • When a user is deleted, Okta removes them from all Okta groups, which also removes the application assignments and role assignments they held through group membership.
  • Deactivated users are not removed from groups automatically and may remain in them. This is normally harmless: Okta unassigns deactivated users from Okta applications (except in specific rare cases), and deactivated users cannot sign in to Okta.
  • If a Deactivated user who was added to an Okta group by a Group Rule must be removed from that group, the removal can be done only through the Okta Groups API.

Group Rules apply to users in the following statuses:

  • Locked Out
  • Staged
  • Suspended
  • Password Reset (Recovery)
  • Pending User Action (Provisioned)

Group Rules do not apply to users in the following statuses:

  • Deactivated (Deprovisioned)
  • Deleted
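The Groups API removal mentioned above, as an added example that is not part of the article: list the members of every group that a Group Rule populates, keep those whose API status is DEPROVISIONED (the API value for a Deactivated user), and remove each one with DELETE /api/v1/groups/{groupId}/users/{userId}. The transport function, the sample rules and the member lists are constructed stand-ins; a real transport would add the SSWS Authorization header and follow the Link: rel="next" header to page through large groups.

```python
from typing import Callable, List, Tuple

# transport(method, path) performs one Okta API call and returns the parsed JSON body
# (None for DELETE). The fake at the bottom serves constructed data so this runs offline.
Transport = Callable[[str, str], object]

# Constructed sample data: two rules, and the members of the groups they populate.
# IDs are made up. "DEPROVISIONED" is the API status value for a Deactivated user.
SAMPLE_RULES = [
    {"id": "0pr1", "actions": {"assignUserToGroups": {"groupIds": ["00gCA", "00gWC"]}}},
    {"id": "0pr2", "actions": {"assignUserToGroups": {"groupIds": ["00gWC"]}}},
]
SAMPLE_MEMBERS = {
    "00gCA": [{"id": "00uALICE", "status": "ACTIVE"},
              {"id": "00uBOB", "status": "DEPROVISIONED"}],
    "00gWC": [{"id": "00uBOB", "status": "DEPROVISIONED"},
              {"id": "00uCAROL", "status": "SUSPENDED"}],  # rules still apply to Suspended users
}


def rule_target_groups(rules: List[dict]) -> List[str]:
    """Distinct IDs of the groups that Group Rules populate, in first-seen order."""
    seen: List[str] = []
    for rule in rules:
        for gid in rule["actions"]["assignUserToGroups"]["groupIds"]:
            if gid not in seen:
                seen.append(gid)
    return seen


def deprovisioned_members(group_id: str, transport: Transport) -> List[dict]:
    """Members of one group whose status is DEPROVISIONED."""
    members = transport("GET", f"/api/v1/groups/{group_id}/users")
    return [u for u in members if u["status"] == "DEPROVISIONED"]


def purge_deprovisioned(rules: List[dict], transport: Transport,
                        dry_run: bool = True) -> List[Tuple[str, str]]:
    """Remove deactivated users from every rule-populated group through the Groups API.
    Returns the (group_id, user_id) pairs removed, or that would be removed in a dry run."""
    removed: List[Tuple[str, str]] = []
    for gid in rule_target_groups(rules):
        for user in deprovisioned_members(gid, transport):
            if not dry_run:
                transport("DELETE", f"/api/v1/groups/{gid}/users/{user['id']}")
            removed.append((gid, user["id"]))
    return removed


def make_fake_transport() -> Tuple[Transport, List[str]]:
    """Offline stand-in that serves SAMPLE_MEMBERS and records the DELETE paths issued."""
    deletes: List[str] = []

    def transport(method: str, path: str) -> object:
        if method == "GET" and path.endswith("/users"):
            return list(SAMPLE_MEMBERS[path.split("/")[4]])
        if method == "DELETE":
            deletes.append(path)
            return None
        raise RuntimeError(f"unexpected {method} {path}")

    return transport, deletes


if __name__ == "__main__":
    transport, deletes = make_fake_transport()
    print("would remove:", purge_deprovisioned(SAMPLE_RULES, transport))
    purge_deprovisioned(SAMPLE_RULES, transport, dry_run=False)
    print("issued:", deletes)
```

Run with dry_run=True first and review the list: the filter is on DEPROVISIONED only, so Suspended, Locked Out and other users that Group Rules still evaluate are left in place.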
