SandeepA.25600 (Customer) asked a question.
Looked at the Workflow Template to manage Okta group membership based on profile attributes for RBAC implementation. The template is a good starting point but we have hundreds of such attribute based rules in our legacy system for various apps/role combination. If group membership is granted based on multiple attributes with different AND/OR/NOT combination, if there any easier way to implement. Group rules can be an alternate but then I heard Group rules have limitation on the max number else it would have performance issues. The only way to implement then is through workflow which means you need to define individual attributes as columns for evaluation and then implement the workflow for each combination using logical cards for evaluation. This can easily lead to multiple workflow card combination to suffice each condition for each application role especially when you have >1000 apps.
I'm not aware of any out of the box functionality to address the above requirement. Anyone implemented such complex persona based RBAC in Okta workflows where a Business Analyst can also define such rules and don't have to update workflows everytime a new attributes combination is required as workflow is easy to implement but can very easily become unmanageable with no governance/guidance.
@SandeepA.25600 (Customer) -- You are correct this type of use case would definitely be better handled leveraging Group Rules as this is essentially exactly what you are trying to accomplish. However, as you indicated there are limits to the maximum allowed in an org. In this scenario I would suggest reaching out to your Okta CSM or AE and have a discussion about your orgs needs and the current shortcomings you are running into.
To answer the Workflows side question. Yes, it might be possible but the complexity for creating / setting something up like this would be extremely high and may not be super reliable based on the scale you are describing. Additionally, the complexity would likely make it near impossible for someone other than the creator to modify without a massive time investment. Finally, tracking down "Why" something failed would likely be very challenging also. So while it may be possible to implement this definitely is not an ideal use case for Workflows.
Workflows also has limits that would need to be taken into consideration as part of the planning phase: https://help.okta.com/wf/en-us/content/topics/workflows/workflows-system-limits.htm