Okta Classic Engine | Lifecycle Management | Answered (asked 2023-08-01, answered 2023-08-02)

ShawnF.64297 (Customer) asked a question.

Question: how to combine user attribute with group membership in RBAC rule?

Hello,

Is it possible to use a user profile attribute such as division or department, combined with a group membership expression, to remove a person from a group populated by a rule? I have a rule I am testing and I have more people in the results than needed.

Users are in the first group by matching criteria in the rule. Some of these users that match are not needed. Therefore I want to put them into a 2nd group for exceptions. Then I want to reference that exception group in the rule to filter them out from the rule's group.

Example:

User1 is in department "sales"

User2 is in department "sales"

User1 is needed in the group "sales-test" populated by the rule created, using "sales" as user.department.

User2 is also matching, therefore is put into sales-test.

How can I put user2 into another group that is used as the exception to the rule, effectively keeping user1 in and user2 out?

I am not doing a campaign, and read this article on campaigns. Not sure if what I want is possible and how.

https://help.okta.com/en-us/Content/Topics/identity-governance/access-certification/iga-el-examples.htm

Is there any expression that equates to "unless" or "with the exception of" to override the expression that puts a user into a group to begin with?

I attempted a rule like this with Okta expression language, and the users to exclude still ended up in the group via the rule.

If
    user.division == "Department Name"
    or
    !isMemberOfGroupName("Group-to-exclude")
Then
    Assign to "groupname-for-rule"
Except users: (empty, as the exceptions are too many to enter)

"Or" was replaced with "and", and the result was the same. I am still learning the expression language and Boolean logic.


  • Mihai N. (Okta, Inc.)

    Hi @ShawnF.64297 (Customer), thank you for reaching out to the Okta Community!

    The Group Rules feature is mainly used to add users to groups, not to remove them. You can prevent users from being added via the exception list, which, as you mentioned, is not scalable, or by setting up conditions that clearly separate the users.

    You would need to have defining attributes or at least group memberships that set those users apart.  

    In the example you provided, there's no distinction to be made with the information that is currently available.

    If, for example, those users were both in the "sales" department but in different locations defined in their profiles, like "city" or "state", then you could set up rules to separate them.

    Example:

    User1 - department: "sales"
          - state: "New York"

    User2 - department: "sales"
          - state: "California"

    ---------
    IF Use Okta Expression Language (advanced)
        user.department == "sales" AND user.state == "New York"
    THEN Assign to
        "sales-test"
    ---------

    Only User1 would get added to the "sales-test" group.

    Pre-existing group memberships could be used in similar fashion.

    User1 - department: "sales"
          - Group: "Full-time Employees"

    User2 - department: "sales"
          - Group: "Contractors"

    ---------
    IF Use Okta Expression Language (advanced)
        user.department == "sales" AND isMemberOfGroupName("Full-time Employees")
    THEN Assign to
        "sales-test"
    ---------

    Only User1 would get added to the "sales-test" group.

    If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you.

    Hope my answer helps! 

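Added example (not part of the thread above and not Okta's own code): a small Python evaluator for the subset of Okta Expression Language that the rules in this thread use (`user.<attribute>` lookups, `==` and `!=`, `!`, `AND`/`OR`, parentheses, and `isMemberOfGroupName("...")`), run against two constructed user records so that the membership a rule's IF expression would produce can be previewed before the rule is created. The users, their attributes, their group names and the exception group `sales-exceptions` are constructed for the example. `preview_rule` models plain Boolean semantics only and is not Okta's rule engine: it says which users a Boolean expression selects, not whether a given tenant will accept that expression in a group rule.

```python
import re

# Constructed sample directory for the example (not real Okta data): both users
# match user.department == "sales"; only user2 sits in the exception group.
USERS = {
    "user1": {"profile": {"department": "sales", "state": "New York"},
              "groups": {"Everyone", "Full-time Employees"}},
    "user2": {"profile": {"department": "sales", "state": "California"},
              "groups": {"Everyone", "Contractors", "sales-exceptions"}},
}

# One token per match: a double-quoted string, an operator, or a bare word
# such as user.department, AND, OR or isMemberOfGroupName.
_TOKEN = re.compile(r'\s*(?:("(?:[^"\\]|\\.)*")|(==|!=|[!()])|([A-Za-z_][\w.]*))')


def tokenize(expression):
    """Split an expression into (kind, value) tokens of kind STR, OP or ID."""
    expression = expression.strip()
    matches = list(_TOKEN.finditer(expression))
    if "".join(m.group(0) for m in matches) != expression:  # something was skipped
        raise ValueError(f"unrecognised characters in expression: {expression!r}")
    tokens = []
    for string, op, word in (m.groups() for m in matches):
        if string is not None:
            tokens.append(("STR", string[1:-1]))
        elif op is not None or word.upper() in ("AND", "OR"):
            tokens.append(("OP", op or word.upper()))
        else:
            tokens.append(("ID", word))
    return tokens


class RuleEvaluator:
    """Recursive-descent evaluator; precedence, lowest first: OR, AND, !, ==/!=, atom."""

    def __init__(self, tokens, user):
        self.tokens, self.pos, self.user = tokens, 0, user
    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else (None, None)
    def take(self, kind=None, value=None):
        k, v = self.peek()
        if k is None or (kind and k != kind) or (value and v != value):
            raise ValueError(f"expected {value or kind}, got {v!r}")
        self.pos += 1
        return v
    def evaluate(self):
        result = self.or_expr()
        if self.peek()[0] is not None:
            raise ValueError(f"trailing token {self.peek()[1]!r}")
        return bool(result)
    def or_expr(self):
        return self.chain("OR", lambda: self.chain("AND", self.unary))
    def chain(self, op, operand):  # left-to-right chain; the right side is always parsed
        left = operand()
        while self.peek() == ("OP", op):
            self.take()
            right = bool(operand())
            left = (bool(left) or right) if op == "OR" else (bool(left) and right)
        return left
    def unary(self):
        if self.peek() == ("OP", "!"):
            self.take()
            return not self.unary()
        return self.comparison()
    def comparison(self):
        left = self.atom()
        kind, value = self.peek()
        if kind == "OP" and value in ("==", "!="):
            self.take()
            return (left == self.atom()) if value == "==" else (left != self.atom())
        return left
    def atom(self):
        kind, value = self.peek()
        if kind == "STR":
            return self.take("STR")
        if kind == "OP" and value == "(":
            self.take()
            inner = self.or_expr()
            self.take("OP", ")")
            return inner
        if kind == "ID" and value == "isMemberOfGroupName":  # group function used in the thread
            self.take("ID")
            self.take("OP", "(")
            name = self.take("STR")
            self.take("OP", ")")
            return name in self.user["groups"]
        if kind == "ID" and value.startswith("user."):  # profile attribute lookup
            return self.user["profile"].get(self.take("ID")[len("user."):])
        raise ValueError(f"unexpected token {value!r}")


def preview_rule(expression, users=USERS):
    """Sorted IDs of the users whose profile and groups satisfy the rule's IF expression."""
    return sorted(uid for uid, user in users.items()
                  if RuleEvaluator(tokenize(expression), user).evaluate())
```

`preview_rule('user.department == "sales" OR !isMemberOfGroupName("sales-exceptions")')` returns both users, because anyone outside the exception group satisfies the right-hand side, while `preview_rule('user.department == "sales" AND !isMemberOfGroupName("sales-exceptions")')` returns only user1. Treat the preview as a sanity check on the logic and still test the rule in a sandbox org before activating it: the Okta side (for example whether a rule may reference a particular group) is not modelled here.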
This question is closed.