Okta provides the ability to create group rules, which can be utilized to assign or exclude users from groups. These rules can be built with basic conditions or using the advanced Okta Expression Language, which allows for more complex rules.
Prior to evaluating attributes from external sources such as Workday or Active Directory, it is necessary to map them to Okta user profile attributes.
- Okta Universal Directory
- Group Rule
- User Access Management
To create a group rule, follow the steps below:
- Navigate to the Admin Console, and select Directory > Groups.
- Choose the Rules tab.
- Click on Add Rule.
- Enter a Name for the rule.
- Select an IF condition. Basic conditions allow for simple rules based on string attributes, while the Okta Expression Language allows for custom expressions and more complex rules based on attributes and groups.
- If the rule condition is met, determine the group or groups to assign the user to in the THEN Assign to field. A maximum of 100 groups can be assigned to a user.
- In the EXCEPT The following users field, enter the names of any users to be excluded from the rule. A maximum of 100 users can be excluded from a rule.
- Click Save to create the rule.
The rule is inactive by default and, once activated, applies to the entire organization. It runs on a user whenever their profile is updated (through import, direct edits, or other changes), but does not affect users in a Pending or Inactive state.
Group Rules and Okta Expression Language
It is possible to use the Okta Expression Language to create a custom expression within a group rule. Custom expressions can be utilized to refine conditions and reference one or more attributes. Additional information about the Okta Expression Language can be found in the Expressions in group rules documentation.
There are several constraints to group rule conditions. Expressions must use Okta Expression Language and adhere to a valid syntax while using logical operators. They must evaluate to a Boolean and cannot contain an assignment ( = ) operator. Expressions can only refer to available Okta user attributes. Application attributes are not supported.
Most operators and functions are supported by the Okta Expression Language, such as Boolean operators (AND, OR, ! (NOT)), comparison operators (<, >, <=, >=), and equality checks (==).
Okta Group Rule expressions have specific limitations regarding function support. The following categories of functions are not supported when creating these expressions:
- Convert: Functions that handle data type transformations (for example, converting strings to numbers) cannot be used.
- Array: Functions designed to operate on collections of data (for example, checking for element existence or filtering arrays) are not available.
- Time: Functions dealing with date and time manipulations or comparisons are not supported within Group Rule expressions.
This restriction is in place to ensure optimal performance and maintain the simplicity of evaluating group membership rules, especially within large user bases. For scenarios requiring these types of operations, it is typically necessary to manipulate user or profile attributes before the Group Rule evaluation or to consider alternative Okta features for group assignment.
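The constraints above (the expression must evaluate to a Boolean, must not contain an assignment operator, may reference only user attributes, and may not use Convert, Array or Time functions) can be checked before a rule is saved rather than discovered after it has already assigned the wrong users to a group. The following Python linter is an added example, not Okta's code and not part of this page: it applies those checks as regular-expression heuristics to a set of constructed sample expressions. The namespace names Convert, Arrays and Time, and the use of `user.` as the only permitted attribute root, are this example's assumptions about how the categories appear in the Expression Language.

```python
"""Lint Okta group-rule expressions against the constraints described above.

Added example, not Okta's code. The checks are regular-expression heuristics;
the function namespaces and the attribute root are assumptions noted inline.
"""
from __future__ import annotations

import re

# Function namespaces assumed to correspond to the three unsupported
# categories (Convert, Array, Time) named in the text.
UNSUPPORTED_NAMESPACES = ("Convert", "Arrays", "Time")

# Group rules may only reference Okta user profile attributes, so `user` is
# the only attribute root accepted here. Any other lowercase root (for
# example `app` or `appuser`) is treated as an application attribute reference.
ALLOWED_ATTRIBUTE_ROOT = "user"

# Constructed sample expressions for demonstration (not from the page).
SAMPLE_EXPRESSIONS = {
    "basic_department": 'user.department == "Engineering"',
    "senior_engineers": 'user.department == "Engineering" '
                        'AND String.startsWith(user.title, "Senior")',
    "assignment_typo": 'user.department = "Engineering"',
    "app_attribute": 'appuser.role == "admin"',
    "convert_function": "Convert.toInt(user.employeeNumber) > 1000",
    "not_boolean": "user.department",
}

_STRING_LITERAL = re.compile(r'"(?:[^"\\]|\\.)*"')
# A lone `=` that is not part of ==, !=, <= or >=.
_ASSIGNMENT = re.compile(r"(?<![=!<>])=(?!=)")
# Namespace.function( ... ) calls, e.g. String.startsWith(
_NAMESPACE_CALL = re.compile(r"\b([A-Z][A-Za-z]*)\.[A-Za-z]+\s*\(")
# root.attribute references with a lowercase root, e.g. user.department
_ATTRIBUTE_REF = re.compile(r"\b([a-z][A-Za-z]*)\.[A-Za-z_]+")
# Something that can yield a Boolean: comparison, logical operator, or a call.
_BOOLEAN_SHAPE = re.compile(r"==|!=|<=|>=|<|>|\bAND\b|\bOR\b|&&|\|\||!|\w\s*\(")


def lint_group_rule_expression(expr: str) -> list[str]:
    """Return a list of constraint violations; an empty list means it passed."""
    problems: list[str] = []
    # Blank out string literals so operators inside them are not misread.
    code = _STRING_LITERAL.sub('""', expr)

    if _ASSIGNMENT.search(code):
        problems.append("assignment operator '=' is not allowed (did you mean '==')")

    for namespace in sorted(set(_NAMESPACE_CALL.findall(code))):
        if namespace in UNSUPPORTED_NAMESPACES:
            problems.append(
                f"function namespace '{namespace}' is not supported in group rules")

    for root in sorted(set(_ATTRIBUTE_REF.findall(code))):
        if root != ALLOWED_ATTRIBUTE_ROOT:
            problems.append(
                f"'{root}.' attributes are not available; "
                "only user attributes can be referenced")

    if not _BOOLEAN_SHAPE.search(code):
        problems.append(
            "expression has no comparison, logical operator or function call, "
            "so it cannot evaluate to a Boolean")
    return problems


def lint_all(expressions: dict[str, str]) -> dict[str, list[str]]:
    """Lint a named set of expressions and return the problems per name."""
    return {name: lint_group_rule_expression(expr)
            for name, expr in expressions.items()}


if __name__ == "__main__":
    for name, problems in lint_all(SAMPLE_EXPRESSIONS).items():
        status = "OK" if not problems else "REJECT"
        print(f"{status:6} {name}")
        for problem in problems:
            print(f"       - {problem}")
```

Running the module prints a verdict for each sample; only `basic_department` and `senior_engineers` pass, while the assignment typo, the application attribute reference, the Convert call and the bare attribute are each rejected with the reason. The string-literal blanking matters: an expression such as `user.email == "a=b@example.com"` is valid and must not be flagged for the `=` inside the literal.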
