Realm assignments simplify the user onboarding process for organizational structures with multiple profile sources such as Okta users , Active Directory and LDAP-sourced users, or others externally. It enables admins to add or move users from various profile sources or another realm to a designated realm.

If you've enabled realms, a default catch-all assignment is automatically generated. This assignment applies to users who don't meet any other realm assignment conditions. The catch-all assignment always has the lowest priority. Because a user can fulfill multiple realm assignments, you can set a priority order for the realm assignment. When a user is added from a profile source, Okta evaluates the realm assignments based on priority and applies them only if all conditions are met.

Before you begin

  • Ensure that you’re signed in as a super admin.
  • You must have an existing realm. See Create realms.

Create a realm assignment

  1. In the Admin Console, go to Directory Realms.

  2. Select a realm and click Realm assignment.

  3. Click Create realm assignment.

  4. In the Create realm assignment page, configure the following:

    Configuration per org Maximum Maximum
    Name Enter a name.
    Profile source Select a source.
    Priority Select an option for assignment priority.
    Scope Optional. Configure user attributes to define the specific users that should be included in the realm. You can set the following filter options:
    • Field

    • Operator

    • Value

    Alternatively, you can use Okta Expression Language for advanced configuration. When creating a realm assignment, you can use uppercase or lowercase to add case sensitivity into the Okta Expression Language.

    The following Okta Expression Language functions are currently not supported: getOwners, findGroupAndGetOwners, getGroups, and isMemberOf.

    Realm Assign a realm.
  5. Optional. Click Actions, and then update the realm assignment priority.

  6. Click Save.

  7. Optional. Activate the rule and run realm assignments. see Manage realm assignments.

Manage realm assignments

After you create an assignment, it must be activated for new users to be placed in the correct realms based on their qualifying assignment. To perform other tasks such as editing or moving assignment priority, you must first deactivate the job. Once you activate an assignment, you can run it to reconcile existing users. See Run realm assignment jobs.

  1. In the Admin Console, go to Directory Realms.

  2. Select the Realm assignments tab.

  3. On the realm assignment, click Actions.

  4. To update an active rule, first deactivate the rule.

  5. Select an action that you want to complete. For example, to edit an assignment, click Edit.

  6. Follow any additional prompts.

  7. Once edits have been completed, reactivate the rule.

Run realm assignment jobs

Running an assignment only affects existing users. This feature is useful when a user is added to a realm for the first time or when users are moved due to a change in the organization. You can run individual assignments or all assignments at once. If you make any changes to your realm assignments, Okta recommends running all of them to reconcile all users.

You can monitor the realm assignment jobs by clicking the Monitor user movement tab on the Realms page. This displays a summary of jobs in progress, completed, and failed for the past seven days.

  1. In the Admin Console, go to Directory Realms.

  2. Select the Realm assignments tab.

  3. On the realm assignment, click Actions and then click Run.

  4. To run all realm assignments, click Run all realm assignments.

  5. Click Run all realm assignments to confirm.

