Examples of Okta Expression Language
Okta Expression Language (EL) allows super admins and access certifications admins to reference, transform, and combine user attributes and group information. While creating or modifying an access certification campaign, you can use Okta Expression Language expressions to take the following actions:
- Restrict your campaign to a subset of users
- Customize reviewers for each user
Tips
- Review the Okta Expression Language documentation to familiarize yourself with the syntax.
- Use the ternary operator [Condition] ? [Value if TRUE] : [Value if FALSE] to build conditions for defining the dynamic reviewers.
- Ensure that your expression evaluates to a boolean when defining users:
- True to include the users.
- False to exclude them from the campaign.
- Do the following tasks when you define reviewers:
- Ensure that your expression evaluates to either the user ID or the username of a single Okta user. If the expression doesn't, the system assigns the Fallback reviewer defined in the campaign builder to review all items for that user.
- It's helpful to think of reviewer logic into IF/THEN terms for each user when building your expressions. For example, for user A, if condition P is true, then assign reviewer B.
- Start with simple expressions and gradually add in conditions to make sure that your expression works as expected.
- Test your expression using the Preview functionality on the Users and Reviewers pane.
- Use any value stored on a user's profile and group to restrict the scope of a campaign.
- Use either the group's ID or name to reference a group in your expression. Okta recommends that you use a group's ID as it doesn't change.
- Use the following symbols to denote an operator:
- && to denote the And operator.
- || to denote the Or operator.
- ! to denote the Not operator.
Define user scope
Use Okta Expression Language to limit the scope of a campaign to certain users based on their profile attributes and group membership. Your custom expression must evaluate to true to include the users or false to exclude them from the campaign.
Ensure that your expression evaluates to a boolean: True to include the users or False to exclude them from the campaign.See Okta Expression Language for more information.
Sample expressions
Use case | Sample expression |
---|---|
Restrict a campaign to members of a certain group. | user.isMemberOf({'group.profile.name': 'West Coast Users', 'operator': 'EXACT'}) or user.isMemberOf({'group.id': '00gjitX9HqABSoqTB0g3'}) |
Include all users except members of certain groups. | !user.isMemberOf({'group.profile.name': 'West Coast Users', 'operator': 'EXACT'}) or !user.isMemberOf({'group.id': '00gjitX9HqABSoqTB0g3'}) |
Include users who are a member of both groups. | user.isMemberOf({'group.id': '00gjitX9HqABSoqTB0g3'}) && user.isMemberOf({'group.id': '00garwpuyxHaWOkdV0g4'}) |
Only include users who are a member of at least one of the two groups. | user.isMemberOf({'group.id': '00gjitX9HqABSoqTB0g3'}) || user.isMemberOf({'group.id': '00garwpuyxHaWOkdV0g4'})
or user.isMemberOf({'group.id': {'00gjitX9HqABSoqTB0g3', '00garwpuyxHaWOkdV0g4'}}) |
Only include users who belong to a specific realm in the campaign. | user.realmId == "o4cbj6ybZl1QShj0g7" or user.realmId == "guo4c8usniIlFgluO0g7" or user.realmId == "guo4c7skrkbxDgJ140g7" Use this expression only if you have the Realms feature enabled.. |
Include users who are a member of one group but aren't a member of another group. | user.isMemberOf({'group.profile.name': 'West Coast Users', 'operator': 'EXACT'}) |
Include users with Active status for campaigns. This expression doesn't include users who have Provisioned or Staged status. | user.status == 'ACTIVE' or user.status == 'PASSWORD_EXPIRED' or user.status == 'LOCKED_OUT' or user.status == 'RECOVERY' |
Restrict a campaign based on the user's profile attributes, such as department, state, or cost center. | For exact matches, use this expression:
user.profile.department == "Finance Department" For partial matches, use this expression: user.profile.department.contains("Finance") |
Use a combination of user profile attributes and groups to define complex expressions to include the following users:
| (user.profile.department.contains("Communications") || (user.profile.department.contains("Communications") || user.profile.department == "Human Resources") && !user.isMemberOf({'group.profile.name': 'EMEA', 'operator': 'EXACT' }) && user.isMemberOf({'group.profile.name': {{"Interns", "Contractors", "Partners"}, 'operator': 'EXACT'}}) |
Define dynamic reviewers
Use Okta Expression Language to customize the reviewer for each user. For example, you want to set a user's manager to review their access, or designate a review for different teams or departments. Before creating Okta Expression Language expressions, see Tips.
Ensure that your expression evaluates to either the user ID or the username of a single Okta user. If the expression doesn't return a user or is invalid, then the system assigns the Fallback reviewer you defined while creating the campaign to review all items for that user.
It's helpful to think of reviewer logic into IF/THEN terms for each user when building your expressions. For example, for user A, if condition P is true, then assign reviewer B.
Sample expressions
Use case | Sample expression |
---|---|
Assign the user's manager to each user. | user.profile.managerId |
Assign a user's manager to only users with a certain profile attribute (in this case, department is Department 1), and a specific reviewer for all other users. | user.profile.department == "Human Resources" ? user.profile.managerId : "jsmith@example.com" |
Assign one group owner as the reviewer for a group that has at least one defined owner. | user.findGroupAndGetOwners({'group.id': 'groupId'}, 'USER')[0] |
Assign the group owner as the reviewer for a group that has one or more owners. | user.findGroupAndGetOwners({'group.id': 'groupId'}, 'USER')[0] |
Assign a reviewer for users who are members of a particular group. | user.isMemberOf({'group.profile.name': 'West Coast Users', 'operator': 'EXACT'}) ? "westcoastreviewer@example.com" : "otherreviewer@example.com" In addition, to assign the Fallback Reviewer for users who aren't in the group, use this expression: user.isMemberOf({'group.profile.name': 'West Coast Users', 'operator': 'EXACT'}) ? "westcoastreviewer@example.com" ? null |
Assign reviewers who belong to a specific realm | user.realmId == "guo4c8usniIlFgluO0g7" ? "jane@gmail.com":(user.realmId == "guo4c8usniIlFgluO0g7" ? "joe@gmail.com":"joea@gmail.com") Use this expression only if you have the Realms feature enabled.. |
Assign a reviewer for users who are members of two groups. Otherwise, assign the user's manager. | (user.isMemberOf({'group.id': '00gjitX9HqABSoqTB0g3'}) && user.isMemberOf({'group.id': '00garwpuyxHaWOkdV0g4'})) ? 'groupreviewer@example.com' : user.profile.managerId |
Assign a reviewer for users who are a member of at least one of the two groups. Otherwise, assign the Fallback reviewer. | user.isMemberOf({'group.id': {'00gjitX9HqABSoqTB0g3', '00garwpuyxHaWOkdV0g4'}}) ? "groupreviewer@example.com" : null |
Assign a reviewer for users who are a member of one group, but not a member of another group. Otherwise, assign the user's manager. | (user.isMemberOf({'group.profile.name': 'West Coast Users', 'operator': 'EXACT'}) && !user.isMemberOf({'group.id': '00garwpuyxHaWOkdV0g4'})) ? "groupreviewer@example.com" : user.profile.managerId |