Group rules
Group rules simplify group administration and help you manage application access, application roles, and security policies.
Groups are commonly used for Okta Single Sign-On (SSO) access and to provision users to apps with specific entitlements. When you use rules to populate groups based on attributes, you achieve Attribute-Based Access Control. You can create rules using single or multiple attributes, single or multiple groups, or combinations of attributes and groups.
Use group rules to:
- Map multiple Active Directory (AD) groups to a single Okta group. You can also use rules to map Okta groups to AD groups.
- Populate AD groups based on user attributes. Rules are particularly useful in "Workday (WD) as a source" setups, in which Okta provisions users and groups to AD. For example, use the cost center attribute from WD to determine AD group memberships.
- Simplify the management of groups. Instead of manually adding users to a group, you can define a rule that automatically adds users with the required attribute. For example, a user whose department profile attribute has the value "sales" is automatically added to the Sales group. When that user's department attribute changes, the user is automatically removed from the Sales group.
- Automate provisioning. Instead of manually provisioning users to an app, you can define a rule that automatically provisions users with the required attribute. For example, if user profile attribute == X, then provision app Y with role Z.
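The "department is sales, so add to the Sales group" rule above, expressed as an Okta Expression Language condition and submitted through the Group Rules API. This is an added example, not code from the Okta documentation; the group ID is a placeholder and the org URL and SSWS API token are assumed to be supplied via the OKTA_ORG_URL and OKTA_API_TOKEN environment variables.

```python
import json
import os
import urllib.request

# Okta Expression Language condition for the page's example: users whose
# department profile attribute is "sales" are added to the Sales group.
SALES_EXPRESSION = 'user.department=="sales"'

def build_group_rule(name, expression, group_ids, exclude_user_ids=()):
    """Return the JSON body Okta expects for POST /api/v1/groups/rules."""
    if not group_ids:
        raise ValueError("a group rule needs at least one target group ID")
    return {
        "type": "group_rule",
        "name": name,
        "conditions": {
            # Optional per-user exclusions, e.g. break-glass accounts.
            "people": {"users": {"exclude": list(exclude_user_ids)},
                       "groups": {"exclude": []}},
            "expression": {"value": expression,
                           "type": "urn:okta:expression:1.0"},
        },
        # Membership is re-evaluated as attributes change, so a user whose
        # department is no longer "sales" drops out of the group again.
        "actions": {"assignUserToGroups": {"groupIds": list(group_ids)}},
    }

def okta_post(org_url, token, path, body=None):
    """POST to the Okta API with an SSWS API token; returns the decoded reply."""
    data = json.dumps(body).encode() if body is not None else b""
    req = urllib.request.Request(org_url + path, data=data, method="POST")
    req.add_header("Authorization", "SSWS " + token)
    req.add_header("Content-Type", "application/json")
    req.add_header("Accept", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}

def create_and_activate_rule(org_url, token, rule):
    """Create the rule, then activate it: rules are created INACTIVE."""
    created = okta_post(org_url, token, "/api/v1/groups/rules", rule)
    okta_post(org_url, token, f"/api/v1/groups/rules/{created['id']}/lifecycle/activate")
    return created["id"]

if __name__ == "__main__":
    # "00gSALESGROUPPLACEHOLDER" is a placeholder: use the Sales group's real ID from your org.
    rule = build_group_rule("Sales by department", SALES_EXPRESSION, ["00gSALESGROUPPLACEHOLDER"])
    print(create_and_activate_rule(os.environ["OKTA_ORG_URL"], os.environ["OKTA_API_TOKEN"], rule))
```

Rules created through the API start out inactive, which is why the activate call follows the create call.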
Keep the following restrictions in mind:
- Orgs can have a maximum of 2000 rules.
- Group rules can't be used to assign users to admin groups.
- You can only use string attributes in basic condition group rules.
- A group that is already the target of a group rule can't be granted admin privileges.
- Only super admins and org admins can edit rules.
- Only group admins who manage all groups can search for and view rules. Individual group admins can't search for or view rules.