Due to a limitation on the GitHub Enterprise side, the "Roles" attribute can only be set for individual users, not for entire Okta groups. This article explores the option of leveraging Okta Expression Language to push the "Roles" attribute based on group membership.
- GitHub Enterprise
- Provisioning
- Okta Integration Network (OIN)
The limitation is described in the GitHub Enterprise documentation, Configuring SCIM provisioning with Okta.
To work around this limitation, an isMemberOfGroupName or isMemberOfGroup conditional expression can be used. An Okta group has to be created for each separate Role, and users assigned to the group that matches their required role.
The value of each role can be found in Directory > Profile Editor > GitHub Enterprise User > Roles > Attribute members, under the Value column.
Examples
The following expression will check for all users assigned to the Billing Group, and push the billing role downstream into GitHub Enterprise for the matching users.
isMemberOfGroupName("Billing") ? "billing" : null
The following expression achieves the same result; however, it uses the Okta group ID instead of the group name.
isMemberOfGroup("group Id") ? "billing" : null
By chaining the conditions above, a single expression can be built to account for all GitHub Enterprise roles. The conditions are evaluated left to right, so for a user who belongs to more than one of these groups the first matching group determines the pushed role:
isMemberOfGroupName("GROUP1") ? "user" : isMemberOfGroupName("GROUP2") ? "owner" : isMemberOfGroupName("GROUP3") ? "manager" : isMemberOfGroupName("GROUP4") ? "collaborator" : null
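The following Python script is an added example, not part of the article or of Okta's tooling: it parses the expressions above and resolves the role each would push for a given user, which makes it easy to check what a user in several role groups ends up with before the mapping goes live. The group ID and the users are constructed sample values.

```python
import re

# Constructed sample expressions, copied from the article's examples above
BILLING_BY_NAME = 'isMemberOfGroupName("Billing") ? "billing" : null'
BILLING_BY_ID = 'isMemberOfGroup("00gEXAMPLEID") ? "billing" : null'  # constructed group ID
ALL_ROLES = (
    'isMemberOfGroupName("GROUP1") ? "user" : '
    'isMemberOfGroupName("GROUP2") ? "owner" : '
    'isMemberOfGroupName("GROUP3") ? "manager" : '
    'isMemberOfGroupName("GROUP4") ? "collaborator" : null'
)

# One `isMemberOfGroupName("X") ? "role" :` (or isMemberOfGroup("id")) step of the chain
STEP = re.compile(r'\s*isMemberOfGroup(Name)?\("([^"]+)"\)\s*\?\s*"([^"]*)"\s*:')


def parse_role_chain(expression):
    """Split a nested ternary of isMemberOfGroup*/role pairs into ordered
    (match_by, group, role) tuples. Raises ValueError for any other shape."""
    steps, pos = [], 0
    while True:
        m = STEP.match(expression, pos)
        if not m:
            break
        by_name, group, role = m.groups()
        steps.append(("name" if by_name else "id", group, role))
        pos = m.end()
    if not steps or expression[pos:].strip() != "null":
        raise ValueError("expected isMemberOfGroup* ternaries ending in null")
    return steps


def resolve_role(expression, group_names, group_ids=()):
    """Return the role the expression would push for a user in the given Okta
    groups, or None when nothing matches (the trailing null). Conditions are
    evaluated left to right, so the first matching group wins for a user who
    is in several role groups."""
    for match_by, group, role in parse_role_chain(expression):
        members = group_names if match_by == "name" else group_ids
        if group in members:
            return role
    return None


if __name__ == "__main__":
    # Constructed users: bob is in two role groups at once and gets the first match
    users = {"alice": {"Billing"}, "bob": {"GROUP1", "GROUP2"}, "carol": set()}
    for name, groups in users.items():
        print(name, resolve_role(BILLING_BY_NAME, groups), resolve_role(ALL_ROLES, groups))
```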
