Examples of Okta Expression Language

Okta Expression Language (EL) allows super admins and access certification admins to reference, transform, and combine user attributes and group information. While creating or modifying an access certification campaign, you can use Okta Expression Language expressions to define:

  • Users to restrict your campaign to a subset of users.
  • Reviewers to customize reviewers for each user.

Tips

  • Review the Okta Expression Language documentation to familiarize yourself with the syntax.
  • Use the ternary operator [Condition] ? [Value if TRUE] : [Value if FALSE] to build conditions for defining the dynamic reviewers.
  • Ensure that your expression evaluates to a boolean when defining users:
    • True to include the users.
    • False to exclude them from the campaign.
  • When defining reviewers:
    • Ensure that your expression evaluates to either the user ID or the username of a single Okta user. If the expression doesn’t, the Fallback reviewer defined in the campaign builder will be assigned to review all items for that user.
    • It’s helpful to think of reviewer logic in IF/THEN terms for each user when building your expressions. For example, for user A, if condition P is true, then assign reviewer B.
  • Start with simple expressions and gradually add in conditions to make sure that your expression works as expected.
  • Test your expression using the Preview functionality on the Users and Reviewers pane.
  • Use any value stored on a user’s profile and group to restrict the scope of a campaign.
  • Use either the group's ID or name to reference a group in your expression. Okta recommends that you use a group's ID as it doesn’t change.
  • Use
    • && to denote the And operator.
    • || to denote the Or operator.
    • ! to denote the Not operator.

Define user scope

Use Okta Expression Language to limit the scope of the access certification campaign to a set of users based on their profile attributes and group membership. Your custom expression must evaluate to true to include the users or false to exclude them from the campaign.

Ensure that your expression evaluates to a boolean: True to include the users or False to exclude them from the campaign.

See Okta Expression Language for more information.

Sample expressions

Restrict a campaign to members of a certain group.

user.isMemberOf({'group.profile.name': 'West Coast Users'})

or

user.isMemberOf({'group.id': '00gjitX9HqABSoqTB0g3'})

Include all users except members of certain groups.

!user.isMemberOf({'group.profile.name': 'West Coast Users'})

or

!user.isMemberOf({'group.id': '00gjitX9HqABSoqTB0g3'})

Include users who are members of both groups.

user.isMemberOf({'group.id': '00gjitX9HqABSoqTB0g3'}) && user.isMemberOf({'group.id': '00garwpuyxHaWOkdV0g4'})

Include only users who are members of at least one of the two groups.

user.isMemberOf({'group.id': '00gjitX9HqABSoqTB0g3'}) || user.isMemberOf({'group.id': '00garwpuyxHaWOkdV0g4'})

or

user.isMemberOf({'group.id': {'00gjitX9HqABSoqTB0g3', '00garwpuyxHaWOkdV0g4'}})

Include users who are members of one group but aren't members of another group.

user.isMemberOf({'group.profile.name': 'West Coast Users'}) && !user.isMemberOf({'group.id': '00garwpuyxHaWOkdV0g4'})

Include users with Active status for campaigns.

user.status == 'ACTIVE'

Exclude users with Deprovisioned or Suspended status for campaigns.

These users retain their group assignments even when they're in a Suspended or Deactivated state. However, these users only retain their app assignments in a Suspended state.

user.status not in ['DEPROVISIONED','SUSPENDED']

Restrict a campaign based on the user's profile attributes, such as department, state, or cost center.

For exact matches, use: user.profile.department == "Finance Department"

For partial matches, use: user.profile.department.contains("Finance")

Use a combination of user profile attributes and groups to define complex expressions to include users who:

  • Are in a department whose name contains the word 'communications' or are in the Human Resources department; and
  • Aren’t a member of the EMEA group; and
  • Are in at least one of the three groups - Interns, Contractors, or Partners.
(user.profile.department.contains("Communications") || user.profile.department == "Human Resources") && !user.isMemberOf({'group.profile.name': 'EMEA'}) && user.isMemberOf({'group.profile.name': {"Interns", "Contractors", "Partners"}})

Define dynamic reviewers

Use Okta Expression Language to customize the reviewer for each user. For example, you want to set a user’s manager to review their access, or designate a review for different teams or departments. Before creating Okta Expression Language expressions, see Tips.

Ensure that your expression evaluates to either the user ID or the username of a single Okta user. If the expression doesn’t return a user or is invalid, then the Fallback reviewer you defined while creating the campaign will be assigned to review all items for that user.

It’s helpful to think of reviewer logic in IF/THEN terms for each user when building your expressions. For example, for user A, if condition P is true, then assign reviewer B.

Sample expressions

Assign the user's manager to each user.

user.profile.managerId

Assign the user's manager to only users with a certain profile attribute (in this case, department is Human Resources), and a specific reviewer for all other users.

user.profile.department == "Human Resources" ? user.profile.managerId : "jsmith@example.com"

Assign one group owner as the reviewer for a group that has one or more defined owners. Replace groupId with the ID of the group.

user.findGroupAndGetOwners({'group.id': 'groupId'}, 'USER')[0]

Assign a reviewer for users who are members of a particular group.

user.isMemberOf({'group.profile.name': 'West Coast Users'}) ? "westcoastreviewer@example.com" : "otherreviewer@example.com"

In addition, to assign the Fallback reviewer for users who aren't in the group, use:

user.isMemberOf({'group.profile.name': 'West Coast Users'}) ? "westcoastreviewer@example.com" : null

Assign a reviewer for users who are members of two groups. Otherwise, assign the user's manager.

(user.isMemberOf({'group.id': '00gjitX9HqABSoqTB0g3'}) && user.isMemberOf({'group.id': '00garwpuyxHaWOkdV0g4'})) ? 'groupreviewer@example.com' : user.profile.managerId

Assign a reviewer for users who are members of at least one of the two groups. Otherwise, assign the Fallback reviewer.

user.isMemberOf({'group.id': {'00gjitX9HqABSoqTB0g3', '00garwpuyxHaWOkdV0g4'}}) ? "groupreviewer@example.com" : null

Assign a reviewer for users who are members of one group but not members of another group. Otherwise, assign the user's manager.

(user.isMemberOf({'group.profile.name': 'West Coast Users'}) && !user.isMemberOf({'group.id': '00garwpuyxHaWOkdV0g4'})) ? "groupreviewer@example.com" : user.profile.managerId
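The two rules this page states for the Define user scope and Define dynamic reviewers sections (a scope expression must evaluate to a boolean; a reviewer expression must resolve to the ID or username of a single Okta user, otherwise the Fallback reviewer is assigned) are easiest to reason about with a small model that runs offline. The following Python is an added example, not Okta's evaluation engine and not code from Okta's documentation. It models only the user helpers that appear in this page's expressions (isMemberOf, findGroupAndGetOwners, profile.managerId, status); the group IDs, user IDs, logins and owner lists are constructed placeholders.

```python
"""Constructed model of how a campaign applies a user-scope expression and a
reviewer expression, including the Fallback reviewer rule. Added example; it
is not Okta's engine, and every ID and login below is a placeholder."""
from dataclasses import dataclass, field
from types import SimpleNamespace
from typing import Optional


@dataclass
class Group:
    id: str
    name: str
    owner_ids: list = field(default_factory=list)  # constructed owner list


@dataclass
class User:
    id: str
    login: str
    status: str
    department: str
    manager_id: Optional[str]
    group_ids: set


class UserContext:
    """Stand-in for the `user` object an expression sees; only the helpers
    used on this page are modelled, and only as far as this example needs."""

    def __init__(self, user: User, groups: dict):
        self._user = user
        self._groups = groups  # group ID -> Group
        self.status = user.status
        self.profile = SimpleNamespace(department=user.department,
                                       managerId=user.manager_id)

    @staticmethod
    def _matches(group: Group, selector: dict) -> bool:
        # selector is {'group.id': x} or {'group.profile.name': x}; x may be a set
        for key, wanted in selector.items():
            actual = group.id if key == 'group.id' else group.name
            wanted = wanted if isinstance(wanted, (set, list, tuple)) else {wanted}
            if actual not in wanted:
                return False
        return True

    def isMemberOf(self, selector: dict) -> bool:
        return any(self._matches(self._groups[g], selector)
                   for g in self._user.group_ids)

    def findGroupAndGetOwners(self, selector: dict, owner_type: str) -> list:
        # Owner IDs of the first group matching the selector ([] if none)
        for group in self._groups.values():
            if self._matches(group, selector):
                return list(group.owner_ids)
        return []


def scope_users(users, groups, scope_expr):
    """Apply a user-scope expression. A non-boolean result is a misconfigured
    expression, so it is reported rather than silently coerced."""
    included = []
    for u in users:
        result = scope_expr(UserContext(u, groups))
        if not isinstance(result, bool):
            raise TypeError(f"scope expression returned {result!r} for {u.login}")
        if result:
            included.append(u)
    return included


def resolve_reviewer(user, groups, users_by_key, reviewer_expr, fallback):
    """Evaluate a reviewer expression for one user. A result that is not the
    ID or username of exactly one known user (null, a missing manager, an
    empty owner list, an evaluation error) gets the Fallback reviewer."""
    try:
        result = reviewer_expr(UserContext(user, groups))
    except Exception:  # an invalid expression behaves like "no reviewer"
        return fallback
    if isinstance(result, str) and result in users_by_key:
        return users_by_key[result].login
    return fallback


# Constructed directory: IDs and logins are placeholders, not real Okta values.
GROUPS = {
    '00g_west': Group('00g_west', 'West Coast Users', owner_ids=['00u_mgr']),
    '00g_emea': Group('00g_emea', 'EMEA'),
}
USERS = [
    User('00u_alice', 'alice@example.com', 'ACTIVE', 'Human Resources', '00u_mgr', {'00g_west'}),
    User('00u_bob', 'bob@example.com', 'SUSPENDED', 'Engineering', '00u_mgr', {'00g_west'}),
    User('00u_carol', 'carol@example.com', 'ACTIVE', 'Communications', None, {'00g_emea'}),
    User('00u_dave', 'dave@example.com', 'ACTIVE', 'Engineering', None, {'00g_west'}),
    User('00u_erin', 'erin@example.com', 'ACTIVE', 'Human Resources', None, set()),
    User('00u_mgr', 'manager@example.com', 'ACTIVE', 'Management', None, set()),
]
USERS_BY_KEY = {**{u.id: u for u in USERS}, **{u.login: u for u in USERS}}


def scope_expr(user):
    # Page's "not Deprovisioned or Suspended" combined with "not in EMEA"
    return (user.status not in ['DEPROVISIONED', 'SUSPENDED']
            and not user.isMemberOf({'group.profile.name': 'EMEA'}))


def reviewer_expr(user):
    # HR users: their manager. Other West Coast members: a group owner. Else null.
    if user.profile.department == 'Human Resources':
        return user.profile.managerId
    if user.isMemberOf({'group.id': '00g_west'}):
        return user.findGroupAndGetOwners({'group.id': '00g_west'}, 'USER')[0]
    return None


def run_preview(fallback='fallback@example.com'):
    """Mirror the campaign builder's Preview: who is in scope and who reviews them."""
    return {u.login: resolve_reviewer(u, GROUPS, USERS_BY_KEY, reviewer_expr, fallback)
            for u in scope_users(USERS, GROUPS, scope_expr)}


if __name__ == '__main__':
    for login, reviewer in run_preview().items():
        print(f'{login:22} -> {reviewer}')
```

Running the preview shows why the page recommends testing before launch: erin is in scope but has no manager, and the manager is in scope but in no reviewed group, so both silently land on the Fallback reviewer, which is where a practitioner should look for users whose access would otherwise be certified by the wrong person.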

Related topics

Create campaigns

Modify a scheduled campaign

End an active campaign