
KaiM.97482 (Customer) asked a question.
For a new group rule, it looks like the expression user.getInternalProperty("status") != "SUSPENDED" works to exclude suspended and deactivated users. But when adding this expression to any existing rule, it only removes suspended users and doesn't remove deactivated users from the group. Is there a way a group can remove a user when their status becomes deactivated/suspended?

Hello @KaiM.97482 (Customer), thank you for contacting Okta Community.
Group rules are not suited for removing deactivated users. Instead, you should use an automation tool, like an API or a Workflow. See the articles below for details:
How to Remove Deactivated Users from Okta Groups using API
How to Remove a User From Groups When the User Is Deactivated using Workflows
Regards.
--
@KaiM.97482 (Customer) -- Deactivated (deprovisioned) and suspended are entirely different user status states. For rules where you have more than one state you want to match, you would need to explicitly define them. User statuses: https://help.okta.com/en-us/content/topics/users-groups-profiles/usgp-end-user-states.htm
The group rules are only going to apply after conditions are met. Group rules also do not run against deactivated (deprovisioned) users. As mentioned by Diana, you would need to build out an alternate automation to handle this scenario. The scenario would be an Event Hook initiated on user.lifecycle.deactivate. The target of the event hook could be Okta Workflows (either via API Endpoint or using the Okta - User Deactivated event card) or some other solution that you develop. You could then take additional API actions when the user goes into a deactivated state beyond what you currently are capable of.
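
The flow described in the replies above (an event hook on user.lifecycle.deactivate, followed by API calls that drop the user's group memberships), as an added Python example that is not from Okta or from the posters. It assumes an SSWS API token, a shared-secret auth header configured on the hook, and the documented event hook payload shape; the function names and sample IDs are made up for illustration.

```python
import hmac
import json
from urllib import request

DEACTIVATE = "user.lifecycle.deactivate"

def authorized(header_value, expected_secret):
    """Constant-time check of the shared secret sent in the hook's auth header."""
    return hmac.compare_digest((header_value or "").encode(), expected_secret.encode())

def deactivated_user_ids(payload):
    """IDs of User targets in the deactivate events of one event hook delivery."""
    ids = []
    for event in payload.get("data", {}).get("events", []):
        if event.get("eventType") != DEACTIVATE:
            continue  # ignore suspend and any other subscribed event types
        ids += [t["id"] for t in event.get("target", []) if t.get("type") == "User"]
    return ids

def removal_paths(user_id, groups):
    """DELETE paths for memberships the API can remove (OKTA_GROUP only;
    BUILT_IN groups such as Everyone and APP_GROUP imports are skipped)."""
    return [f"/api/v1/groups/{g['id']}/users/{user_id}"
            for g in groups if g.get("type") == "OKTA_GROUP"]

def okta_call(org_url, token, method, path):
    """Minimal Okta API call with an SSWS token; returns parsed JSON or None."""
    req = request.Request(org_url + path, method=method, headers={
        "Authorization": f"SSWS {token}", "Accept": "application/json"})
    with request.urlopen(req, timeout=10) as resp:
        body = resp.read()
    return json.loads(body) if body else None

def handle_delivery(payload, call):
    """Process one delivery; call(method, path) performs the HTTP request."""
    removed = []
    for user_id in deactivated_user_ids(payload):
        # Assumption: the user's groups fit in the first page of results.
        groups = call("GET", f"/api/v1/users/{user_id}/groups") or []
        for path in removal_paths(user_id, groups):
            call("DELETE", path)
            removed.append(path)
    return removed

# Constructed sample delivery (made-up ID), trimmed to the fields used here.
SAMPLE = {"eventType": "com.okta.event_hook", "data": {"events": [
    {"eventType": DEACTIVATE,
     "target": [{"id": "00uEXAMPLE1", "type": "User"}]}]}}
```

In a real handler, reject the request unless `authorized(...)` passes, then call `handle_delivery(payload, lambda m, p: okta_call(ORG_URL, TOKEN, m, p))` with your own org URL and a token scoped to group management.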