Examples of Okta Expression Language

Okta Expression Language (EL) allows super admins, app admins, and customs admins with specific permissions to reference, transform, and combine user attributes and group information. While creating or modifying a policy rule, you can use Okta Expression Language expressions to define the user scope.

Tips

  • Review the Okta Expression Language documentation to familiarize yourself with the syntax.
  • Ensure that your expression evaluates to a boolean when defining users:
    • True to include the users from the rule.
    • False to exclude users from the rule.
  • Start with simple expressions and gradually add conditions to make sure that your expression works as expected.
  • Test your expression using the Preview functionality.
  • Use any value stored on a user’s profile to restrict the scope of a rule.
  • Use either the group's ID or name to reference a group in your expression. Okta recommends that you use a group's ID because it doesn’t change.
  • Use the following symbols to denote an operator:
    • AND or && to denote the And operator.
    • OR or || to denote the Or operator.
    • ! to denote the Not operator.

Sample expressions

Use case Sample expression
Restrict a rule to members of a certain group. Use either of these expressions:
  • user.isMemberOf({'group.profile.name': 'West Coast Users', 'operator': 'EXACT'})

  • user.isMemberOf({'group.id': '00gjitX9HqABSoqTB0g3'})

Include all users except members of certain groups. Use either of these expressions:
  • !user.isMemberOf({'group.profile.name': 'West Coast Users', 'operator': 'EXACT'})

  • !user.isMemberOf({'group.id': '00gjitX9HqABSoqTB0g3'})

Include users who are a member of both groups. user.isMemberOf({'group.id': '00gjitX9HqABSoqTB0g3'}) && user.isMemberOf({'group.id': '00garwpuyxHaWOkdV0g4'})
Only include users who are a member of at least one of the two groups. Use either of these expressions:
  • user.isMemberOf({'group.id': '00gjitX9HqABSoqTB0g3'}) || user.isMemberOf({'group.id': '00garwpuyxHaWOkdV0g4'})

  • user.isMemberOf({'group.id': {'00gjitX9HqABSoqTB0g3', '00garwpuyxHaWOkdV0g4'}})

Include users who are a member of one group but aren't a member of another group

user.isMemberOf({'group.profile.name': 'West Coast Users', 'operator': 'EXACT'})&&

!user.isMemberOf({'group.id': '00garwpuyxHaWOkdV0g4'})

Include users with Active status in the rule.

user.status == 'ACTIVE'

Restrict a rule based on the user's profile attributes, such as department, state, or cost center. For exact matches, use: user.profile.department != null && user.profile.department == "Finance Department"

For partial matches, use: user.profile.department != null && user.profile.department.contains("Finance")

Use a combination of user profile attributes and groups to define complex expressions to include the following users:

  • Users who are in the Human Resources department or a department with the word 'Communications' in the name; and
  • Users who aren’t a member of the EMEA group; and
  • Users who are in at least one of three groups (Interns, Contractors, or Partners).
user.profile.department != null &&(user.profile.department.contains("Communications") || user.profile.department == "Human Resources") && !user.isMemberOf({'group.profile.name': 'EMEA', 'operator': 'EXACT'}) && user.isMemberOf({'group.profile.name': {"Interns", "Contractors", "Partners"}, 'operator': 'EXACT'})

Related topics

Manage policy

Preview policy