This article demonstrates how to add and remove users from groups using Group Rules and Exceptions.
- Groups
- User Attributes
- Group Rules
- User Lifecycle Management
- Okta Classic Engine
In certain scenarios, an Okta admin may create group rules that read a user attribute, such as the department attribute, and place users in the groups that match their job category. Admins may also need the user's application set to change automatically when they transfer to a different department.
As an example, here are two groups that each have a set of distinct applications:
- Sales: Salesforce, Workday, ADP
- Finance: Salesforce, eTrade, Fidelity
If sets of users belong to one group or the other, Okta admins can designate an attribute for a group rule to evaluate, such as the following:
When activated, the above group rule will evaluate the Universal Directory (UD) for users with the Sales value in their department attribute. If this matches, it will add the user to the Sales Group.
If a user is manually removed from the Sales Group, they are automatically added to the EXCEPT the following users box in the above screenshot. This allows the group rule to continue running on any new users with the Sales value in the department attribute without erroneously re-adding any manually removed users.
However, if a user's attribute changes, for example, to Finance, then as long as the group rule remains active, those users will be removed from the Sales Group but will not get added to the list of exceptions. If the user's department attribute is reverted to Sales, the group rule reapplies, and the user is re-added to the group.
NOTE: This, however, does not apply to using the Manage People button in the group (example below). That dialog presents users in two lists, Members and Not Members, and users removed through it are not added to the rule under EXCEPT the following users.
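The rule and exception behaviour described above, replayed as an added illustration (this is a constructed in-memory model, not Okta's implementation or API; the `Directory` class, user ids and the `managed` set that tracks rule-assigned members are assumptions):

```python
from dataclasses import dataclass, field

@dataclass
class GroupRule:
    """IF user.<attribute> == value THEN assign to <group>."""
    attribute: str
    value: str
    group: str
    excepted: set = field(default_factory=set)  # "EXCEPT the following users"
    managed: set = field(default_factory=set)   # members this rule assigned (assumed)

class Directory:
    # Hypothetical stand-in for Universal Directory (constructed data).
    def __init__(self, profiles):
        self.profiles = profiles  # user id -> {attribute: value}
        self.members = {}         # group name -> set of user ids

    def evaluate(self, rule):
        """Re-run an active rule over every profile; returns the group members."""
        group = self.members.setdefault(rule.group, set())
        for uid, profile in self.profiles.items():
            matches = profile.get(rule.attribute) == rule.value
            if matches and uid not in rule.excepted:
                group.add(uid)
                rule.managed.add(uid)
            elif not matches and uid in rule.managed:
                # Attribute changed: removed from the group, NOT recorded as an exception.
                group.discard(uid)
                rule.managed.discard(uid)
        return set(group)

    def manual_remove(self, rule, uid):
        """Admin removes a rule-assigned user by hand: recorded under EXCEPT."""
        self.members[rule.group].discard(uid)
        rule.managed.discard(uid)
        rule.excepted.add(uid)

def walkthrough():
    """Replay the article's scenarios; returns membership snapshots."""
    ud = Directory({"alice": {"department": "Sales"}, "bob": {"department": "Finance"}})
    rule = GroupRule("department", "Sales", "Sales")
    snap = {"initial": ud.evaluate(rule)}
    ud.manual_remove(rule, "alice")                  # manual removal -> exception
    ud.profiles["carol"] = {"department": "Sales"}   # new user with Sales value
    snap["after_manual_remove"] = ud.evaluate(rule)
    ud.profiles["carol"]["department"] = "Finance"   # carol transfers
    snap["after_transfer"] = ud.evaluate(rule)
    ud.profiles["carol"]["department"] = "Sales"     # transfer reverted
    snap["after_revert"] = ud.evaluate(rule)
    snap["exceptions"] = set(rule.excepted)          # still only alice
    return snap
```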
