This article details the triggers that lead to a user's inclusion in a group exclusion list by Okta System (SystemPrincipal).
- Groups
- Group Rules
- User Lifecycle Management
- An Okta user was added to a group by a configured group rule and was then manually removed from that group by an admin in the Admin Console UI.
- An Okta user was added to a group by a configured group rule and was then removed from that group through the Groups API, either manually or by an automated process.
This is expected behavior as documented in Create Group Rules:
"If you manually remove a rule-managed user from a group, that user automatically gets added to Except The following users for that rule."
This is recorded in the System Log as event type "group.user_membership.rule.add_exclusion" whenever a user is removed from a group membership that was assigned by a group rule (see the Event Types Catalog for related events). For example:
- The user was a member of group "Group A" through group rule "Group Rule A".
- In such cases, the Groups section of the user profile lists the group with an X next to it (screenshot not reproduced here).
- An admin can click on the X to remove the user from membership of this group.
- When this operation happens, Okta System (SystemPrincipal) adds the user to the group rule exclusion list with the message "User added to the exclusion list for group rule."
- This is done because the admin has implicitly told Okta to override the rule for this user and remove them from the group.
- If the user were not excluded, the next evaluation of the group rule would add them back to the group, overriding the admin's manual action.
The Okta System Log will record two separate events for this operation:
- "group.user_membership.rule.add_exclusion" (User added to the exclusion list for group rule), an automated action performed by SystemPrincipal.
- "group.user_membership.remove" (Remove user from group membership), performed by the Okta admin.
The added exclusion is shown under Directory > Groups > Rules > (select the rule in the list) > Actions > View.
NOTE: A maximum of 100 users can be excluded from a rule. If more than 100 users have been added to the exclusion list by this implicit Okta System (SystemPrincipal) action and the rule is then deactivated, the rule cannot be activated again until the exclusion list contains no more than 100 users. If this occurs, review the rule expression for improvements so that fewer manual exceptions are needed.
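The following Python script is an added example, not Okta's own code. It covers both points above: it pairs each admin "group.user_membership.remove" event with the "group.user_membership.rule.add_exclusion" event that SystemPrincipal writes for the same user, so you can see which rule-managed removals silently grew an exclusion list, and it audits Group Rule objects against the 100-user cap. It runs offline on constructed sample data; the field names (eventType, actor.type, target[].type, conditions.people.users.exclude, status) follow Okta's documented System Log and Group Rule schemas, while all IDs, names, timestamps and the 5-second pairing window are assumptions made for the example.

```python
"""Audit Okta group-rule exclusions from System Log events and Group Rule objects.

Added example, not Okta's code. Field names follow Okta's documented System Log
and Group Rule schemas; IDs, names, timestamps and the pairing window are made up.
"""
from datetime import datetime

EXCLUSION_CAP = 100  # Okta allows at most 100 excluded users per group rule

# Constructed sample System Log events (not real data). The first two are the
# pair Okta writes when an admin removes a rule-managed user from a group.
SAMPLE_EVENTS = [
    {
        "eventType": "group.user_membership.remove",
        "published": "2024-03-01T10:00:00.000Z",
        "actor": {"id": "00uAdmin", "type": "User", "displayName": "Jane Admin"},
        "target": [
            {"id": "00uAlice", "type": "User", "displayName": "Alice Example"},
            {"id": "00gGroupA", "type": "UserGroup", "displayName": "Group A"},
        ],
    },
    {
        "eventType": "group.user_membership.rule.add_exclusion",
        "published": "2024-03-01T10:00:00.300Z",
        "actor": {"id": "sprSystem", "type": "SystemPrincipal", "displayName": "Okta System"},
        "target": [
            {"id": "00uAlice", "type": "User", "displayName": "Alice Example"},
            {"id": "0prRuleA", "type": "GroupRule", "displayName": "Group Rule A"},
        ],
    },
    # Removal from a group that is not rule-managed: no exclusion event follows.
    {
        "eventType": "group.user_membership.remove",
        "published": "2024-03-01T10:05:00.000Z",
        "actor": {"id": "00uAdmin", "type": "User", "displayName": "Jane Admin"},
        "target": [
            {"id": "00uBob", "type": "User", "displayName": "Bob Example"},
            {"id": "00gGroupB", "type": "UserGroup", "displayName": "Group B"},
        ],
    },
]

# Constructed sample Group Rule objects, shaped like GET /api/v1/groups/rules output.
SAMPLE_RULES = [
    {"id": "0prRuleA", "name": "Group Rule A", "status": "ACTIVE",
     "conditions": {"people": {"users": {"exclude": ["00uAlice"]}, "groups": {"exclude": []}}}},
    {"id": "0prRuleB", "name": "Group Rule B", "status": "INACTIVE",
     "conditions": {"people": {"users": {"exclude": [f"00u{i:05d}" for i in range(130)]},
                               "groups": {"exclude": []}}}},
]


def _target(event, kind):
    """Return the first target object of the given type (User, UserGroup, GroupRule)."""
    return next((t for t in event.get("target", []) if t.get("type") == kind), None)


def _ts(event):
    """Parse the ISO-8601 'published' timestamp; Okta uses a trailing Z for UTC."""
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))


def implicit_exclusions(events, window_seconds=5):
    """Pair each admin removal with the SystemPrincipal exclusion it triggered.

    Events are matched on the target user and must be published within
    window_seconds of each other (assumed window; the two events are written
    together, but their order in the log is not guaranteed)."""
    removals = [e for e in events if e["eventType"] == "group.user_membership.remove"]
    exclusions = [e for e in events
                  if e["eventType"] == "group.user_membership.rule.add_exclusion"
                  and e["actor"]["type"] == "SystemPrincipal"]
    pairs = []
    for rem in removals:
        user = _target(rem, "User")
        for exc in exclusions:
            exc_user = _target(exc, "User")
            if (user and exc_user and exc_user["id"] == user["id"]
                    and abs((_ts(exc) - _ts(rem)).total_seconds()) <= window_seconds):
                pairs.append({
                    "user": user["displayName"],
                    "group": _target(rem, "UserGroup")["displayName"],
                    "rule": _target(exc, "GroupRule")["displayName"],
                    "removed_by": rem["actor"]["displayName"],
                })
                break
    return pairs


def audit_exclusions(rules, cap=EXCLUSION_CAP):
    """Flag rules whose user exclusion list exceeds the cap.

    An INACTIVE rule over the cap cannot be re-activated until the list is
    trimmed; an ACTIVE one over the cap will hit the same wall if deactivated."""
    findings = []
    for rule in rules:
        excluded = rule.get("conditions", {}).get("people", {}).get("users", {}).get("exclude", [])
        if len(excluded) > cap:
            findings.append({
                "rule": rule["name"],
                "excluded": len(excluded),
                "over_by": len(excluded) - cap,
                "blocked_from_activation": rule.get("status") == "INACTIVE",
            })
    return findings


if __name__ == "__main__":
    for p in implicit_exclusions(SAMPLE_EVENTS):
        print(f"{p['removed_by']} removed {p['user']} from {p['group']}; "
              f"SystemPrincipal excluded them from {p['rule']}")
    for f in audit_exclusions(SAMPLE_RULES):
        print(f"{f['rule']}: {f['excluded']} exclusions, {f['over_by']} over cap, "
              f"blocked from activation: {f['blocked_from_activation']}")
```

In production you would feed implicit_exclusions() the output of the System Log API filtered on these two event types, and audit_exclusions() the rule list from the Groups API; both functions only need the fields shown, so the rest of the objects can be passed through untouched.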
