Group Rules Are Not Working Properly for Some Users
Lifecycle Management
Okta Classic Engine
Okta Identity Engine
Overview

When group rules use the Okta Expression Language (OEL) function isMemberOfGroupName, in some scenarios it might appear that the rules are not evaluated correctly: some users match the rule even though they are not members of the intended source group. This can lead to confusion and the assumption that group rules are not functioning correctly.

Applies To
  • Group Rules
  • Lifecycle Management
  • Okta Expression Language (OEL)
Cause

The cause is that, within Okta, groups can have identical display names yet be different objects, distinguished only by their group IDs.

  • For example, it is possible to have in the tenant:
    • An Okta group called "Engineering"
    • An AD-sourced group also called "Engineering"
    • Another group from an Org2Org, also called "Engineering"

[Screenshot: Groups in Okta]

  • In effect, that would be one Okta group and two additional app groups with the same name, from three different sources.

The expression isMemberOfGroupName checks a user's membership across ALL groups in Okta, so if the user belongs to at least one of the "Engineering" groups, it returns a positive match.

  • For example, the user John Smith is part of the Okta Group "Engineering", and another user, Bob Alan, is part of the AD-sourced group "Engineering". Neither of them is present on both. Since the isMemberOfGroupName logic is checking all groups, both users will return with a positive match.
Solution

To avoid this situation, the best option is to use the isMemberOfGroup("GroupID") expression instead of isMemberOfGroupName, because the group ID is a unique, static value.

[Screenshot: Add rule]

If it is mandatory to use isMemberOfGroupName for visibility, ensure that the group name is unique within Okta and that there are no additional groups with the same name sourced from other applications.

Also, ensure that the group used in the group rule is not also used for application assignments and Push Groups to the same application.
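As an added example (not part of this Okta article), the following Python script parses a constructed sample of a GET /api/v1/groups response (trimmed to the fields used here), reports every display name shared by more than one group, and emits the unambiguous isMemberOfGroup("<id>") expression for the chosen source. The group IDs and source application IDs in the sample are made-up placeholders.

```python
import json
from collections import defaultdict

# Constructed sample of a GET /api/v1/groups response, trimmed to the fields used below.
# All IDs are made-up placeholders, not values from a real tenant.
SAMPLE_GROUPS_JSON = """
[
  {"id": "00gOKTA000000000001", "type": "OKTA_GROUP",
   "profile": {"name": "Engineering"}},
  {"id": "00gAPP0000000000002", "type": "APP_GROUP",
   "source": {"id": "0oaADAGENT0000000001"},
   "profile": {"name": "Engineering"}},
  {"id": "00gAPP0000000000003", "type": "APP_GROUP",
   "source": {"id": "0oaORG2ORG0000000001"},
   "profile": {"name": "Engineering"}},
  {"id": "00gOKTA000000000004", "type": "OKTA_GROUP",
   "profile": {"name": "Finance"}}
]
"""

def load_groups():
    """Parse the embedded sample; in practice this would be the API response body."""
    return json.loads(SAMPLE_GROUPS_JSON)

def index_groups_by_name(groups):
    """Map each display name to the list of groups that carry it."""
    by_name = defaultdict(list)
    for g in groups:
        by_name[g["profile"]["name"]].append(g)
    return by_name

def name_collisions(groups):
    """Return {name: [(id, type, source_app_id_or_None), ...]} for names used by
    more than one group. Any name listed here is unsafe in isMemberOfGroupName()."""
    return {
        name: [(g["id"], g["type"], g.get("source", {}).get("id")) for g in gs]
        for name, gs in index_groups_by_name(groups).items()
        if len(gs) > 1
    }

def rule_expression(groups, name, group_type="OKTA_GROUP"):
    """Build the unambiguous isMemberOfGroup("<id>") expression for the single group
    with this name and type; raise if that pair is not unique either."""
    matches = [g for g in index_groups_by_name(groups)[name] if g["type"] == group_type]
    if len(matches) != 1:
        raise ValueError(f"{len(matches)} {group_type} groups named {name!r}; select by id")
    return f'isMemberOfGroup("{matches[0]["id"]}")'

if __name__ == "__main__":
    groups = load_groups()
    for name, dupes in name_collisions(groups).items():
        print(f"{name!r} is used by {len(dupes)} groups:")
        for gid, gtype, src in dupes:
            print(f"  {gid}  {gtype}  source={src or 'okta'}")
    print("Use:", rule_expression(groups, "Engineering"))
```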
