nc77h (nc77h) asked a question.
I'm relatively new to Okta and have been trying to tidy up my Organization's apps. Currently working on Box, and I think I have everything setup properly, but push groups have me slightly confused.
So I created an AD group for Okta to have the Box app assigned to it, then several other AD groups that would be used as push groups in Okta to Box, with no app assignments. After converting the individual assignments to groups, now if I view anyone's assignments the check-boxes are all empty, but Okta does show they are a member of the group as well as in Box.
Is this by design? I'm guessing I could also assign the Box app to all the push groups with their respective groups assigned, but it seems odd to have to do that since Okta already knows it's a push group?
Hi Kuzma,
Are the extra groups so that you can assign users to different Box.com groups? If so you may want to consider leveraging OKTA Expression Language:
https://developer.okta.com/reference/okta_expression_language/
It does take a little bit to understand and get used to, but makes OKTA administration a lot easier and powerful when you get a hang of it.
If you're trying to accomplish what I mentioned at the start, you can use OKTA Expression Language to achieve this within the same app assignment. If you're doing API provisioning, you would put the logic in profile editor (OKTA to Box) and specifically the isMemberOfGroupName expression.
The logic would look something like this, isMemberOfGroupName("AD_Group1")?"Box_Group1":"Box_Group2"
What that says is if user is member of AD Group 1, the question mark= THEN, put them in Box Group 1, the ":" means ELSE put them in Box Group 2.