How to Exclude Specific Groups in Group Rule
Okta Classic Engine
Okta Identity Engine
Lifecycle Management
Overview

This article details how to exclude specific groups in a group rule. 

Applies To
  • Group Rules
  • Groups
  • Okta Expression Language (OEL)
  • User Lifecycle Management
Cause
Okta admins may need to define Okta group membership in group rules based on membership of other groups. This is especially the case when that membership is managed externally, such as AppGroups imported from AD or an HRIS.

NOTE: Eliminate cascading rules.
  • Cascading rules cause performance issues because they refer to a group that is populated by another Okta group rule. For example:
    • Rule 1 says: if user.city == "San Francisco", then assign to group California.
    • Rule 2 says: if user isMemberOf(California), then assign to group West Coast.
  • Solve this by creating a rule that says IF user.city == "San Francisco", then assign user to California and West Coast.
Solution

The Okta Expression Language syntax below can be used to exclude any group in a group rule. It needs to be added to the IF section of the group rule:

!isMemberOfGroup("group1_id") and isMemberOfAnyGroup("group2_id", "group3_id", "group4_id")

Example: 

!isMemberOfGroup("00g2tci67uot3oLKV4x7") and isMemberOfAnyGroup("00g2tcisn0Ld1KaCv4x7", "00g2tchmgfq1bMNrk4x7", "00g2tcgig5cnjE7Y54x7")

  • Because group names can be edited, imported, or duplicated across multiple sources, best practice is to specify the group ID where possible.
  • These conditions may be further combined with other attribute evaluations.
  • NOTE: Cascading rules cause performance issues because they refer to a group that is populated by another rule. Be sure to eliminate rules that attempt to cascade memberships by group rule.

Admins may still use expressions with the group's name instead of the group id and can add additional groups to be included or excluded. For example: 

    !isMemberOfGroupName("group1_name_not_included") and isMemberOfGroupName("group2_name_included")

    • In the above example, members of group1 are excluded and members of group2 are included when the group rule condition is evaluated.
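The following Python simulation is an added example, not Okta's code or part of this article. It models the three OEL functions used above (isMemberOfGroup, isMemberOfAnyGroup, isMemberOfGroupName) over a constructed directory so that the exclusion expression, the reason to prefer group IDs over names, and the cascading-rule problem from the Cause section can be checked offline. The group IDs from the article's example are reused as sample values; the California/West Coast IDs, the two groups that share the name "Finance", and the user records are constructed, and the way a duplicated name is resolved is a simplification for the simulation, not a statement of how Okta resolves it.

```python
"""Simulate Okta group-rule conditions over constructed membership data."""
from typing import Callable

# Constructed directory: group ID -> display name.
# The first four IDs are the article's sample IDs; the rest are made up.
GROUP_NAMES = {
    "00g2tci67uot3oLKV4x7": "Contractors",     # group1: the group to exclude
    "00g2tcisn0Ld1KaCv4x7": "AD-Engineering",  # group2..group4: externally managed
    "00g2tchmgfq1bMNrk4x7": "AD-Support",
    "00g2tcgig5cnjE7Y54x7": "HRIS-Sales",
    "00gCONSTRUCTEDfinA":   "Finance",         # two groups sharing one name
    "00gCONSTRUCTEDfinB":   "Finance",
}
CALIFORNIA = "00gCONSTRUCTEDcalif"   # constructed target groups for the
WEST_COAST = "00gCONSTRUCTEDwest"    # cascading-rule illustration

# Constructed users: login -> profile attributes plus current group IDs.
USERS = {
    "alice": {"city": "San Francisco", "groups": {"00g2tcisn0Ld1KaCv4x7"}},
    "bob":   {"city": "Seattle", "groups": {"00g2tcisn0Ld1KaCv4x7", "00g2tci67uot3oLKV4x7"}},
    "carol": {"city": "Seattle", "groups": {"00gCONSTRUCTEDfinB"}},
    "dave":  {"city": "San Francisco", "groups": set()},
}


# --- Stand-ins for the OEL group functions (simulation only) ---
def is_member_of_group(user: dict, group_id: str) -> bool:
    return group_id in user["groups"]


def is_member_of_any_group(user: dict, *group_ids: str) -> bool:
    return any(g in user["groups"] for g in group_ids)


def is_member_of_group_name(user: dict, name: str) -> bool:
    # Simplified name resolution: every group carrying the name matches.
    # A duplicated name therefore silently widens the condition, which is
    # the article's reason to prefer group IDs.
    ids = {g for g, n in GROUP_NAMES.items() if n == name}
    return any(g in user["groups"] for g in ids)


def exclusion_condition(user: dict) -> bool:
    """The article's IF expression: not in group1 AND in any of group2..4."""
    return not is_member_of_group(user, "00g2tci67uot3oLKV4x7") and is_member_of_any_group(
        user, "00g2tcisn0Ld1KaCv4x7", "00g2tchmgfq1bMNrk4x7", "00g2tcgig5cnjE7Y54x7")


def matching_users(condition: Callable[[dict], bool], users: dict = USERS) -> list:
    """Logins whose current memberships satisfy a rule condition."""
    return sorted(login for login, u in users.items() if condition(u))


# --- Cascading versus consolidated rules ---
# A rule is (name, condition, target group IDs to assign on match).
CASCADING_RULES = [
    ("Rule 1", lambda u: u["city"] == "San Francisco", [CALIFORNIA]),
    ("Rule 2", lambda u: is_member_of_group(u, CALIFORNIA), [WEST_COAST]),
]
CONSOLIDATED_RULES = [
    ("Rule 1", lambda u: u["city"] == "San Francisco", [CALIFORNIA, WEST_COAST]),
]


def apply_rules(rules: list, users: dict = USERS):
    """Evaluate all rules against a snapshot of memberships and repeat until
    nothing changes. Returns (final memberships, number of rounds that added
    members). A rule that depends on another rule's output needs an extra round."""
    state = {login: set(u["groups"]) for login, u in users.items()}
    rounds = 0
    while True:
        snapshot = {login: dict(users[login], groups=frozenset(g)) for login, g in state.items()}
        changed = False
        for _, condition, targets in rules:
            for login, u in snapshot.items():
                if condition(u):
                    before = len(state[login])
                    state[login].update(targets)
                    changed |= len(state[login]) != before
        if not changed:
            return state, rounds
        rounds += 1


if __name__ == "__main__":
    print("exclusion rule matches:", matching_users(exclusion_condition))
    for label, rules in (("cascading", CASCADING_RULES), ("consolidated", CONSOLIDATED_RULES)):
        _, rounds = apply_rules(rules)
        print(f"{label}: {rounds} round(s) needed to settle memberships")
```

Running it shows that bob is dropped even though he is in AD-Engineering, because membership in the excluded group wins; that carol matches "Finance" by name while she is in only one of the two groups that share it; and that the cascading pair needs two rounds to populate West Coast where the consolidated rule needs one.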

