This article addresses the use of the user status expressions "status==Active" and/or "status==suspended" in group rules. Admins may set up group rules using Okta user status expressions such as "status==Active" and/or "status==suspended" and find that the rules return users who do not match the rule.
- Group rules
This issue is caused by the expression validator, which does not distinguish between the user's Okta statuses (except the Deactivated status).
This issue is being investigated, but for now, this form of expression should not be used in group rules.
While standard status expressions are currently invalid, use user.getInternalProperty("status") to achieve the desired result.
For example, to exclude suspended users, use: user.getInternalProperty("status") != "SUSPENDED"
Alternatively, admins can target specific attributes such as user.attribute1=="valueX" or a combination of attribute expressions and group expressions (isMemberOfGroup("groupId")).
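After replacing a status expression with user.getInternalProperty("status") != "SUSPENDED", the group's actual membership can be checked against the intended condition. The script below is an added example, not Okta's code: it assumes the member list was exported in the shape returned by the Okta Groups API (list group members), and the sample users and the function name audit_group_members are constructed for illustration.

```python
import json

# Constructed sample: members of a rule-managed group, shaped like the user
# objects returned by GET /api/v1/groups/{groupId}/users (ids/logins are fake).
SAMPLE_MEMBERS = json.loads("""
[
  {"id": "00uEXAMPLE0001", "status": "ACTIVE",
   "profile": {"login": "alice@example.com"}},
  {"id": "00uEXAMPLE0002", "status": "SUSPENDED",
   "profile": {"login": "bob@example.com"}},
  {"id": "00uEXAMPLE0003", "status": "active",
   "profile": {"login": "carol@example.com"}},
  {"id": "00uEXAMPLE0004",
   "profile": {"login": "dave@example.com"}}
]
""")

# Lifecycle statuses an Okta user object can report.
KNOWN_STATUSES = {
    "STAGED", "PROVISIONED", "ACTIVE", "RECOVERY",
    "LOCKED_OUT", "PASSWORD_EXPIRED", "SUSPENDED", "DEPROVISIONED",
}


def audit_group_members(members, excluded_statuses=frozenset({"SUSPENDED"})):
    """Return (id, login, status, reason) for members the rule should exclude.

    excluded_statuses mirrors the rule's intent, e.g. the expression
    user.getInternalProperty("status") != "SUSPENDED".
    """
    findings = []
    for member in members:
        status = (member.get("status") or "").upper()
        login = member.get("profile", {}).get("login", "<unknown>")
        if status not in KNOWN_STATUSES:
            # A missing or unexpected status cannot be verified; flag it.
            reason = "unrecognized or missing status"
        elif status in excluded_statuses:
            reason = "status excluded by rule"
        else:
            continue
        findings.append((member.get("id"), login, status or "<missing>", reason))
    return findings


if __name__ == "__main__":
    for finding in audit_group_members(SAMPLE_MEMBERS):
        print(finding)
```

An empty result means every exported member satisfies the intended status condition.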
