About group rules
Group rules simplify group administration and help you manage application access, application roles, and security policies.
Groups are commonly used for Okta single sign-on (SSO) access and to provision users to apps with specific entitlements. When you use rules to populate groups based on attributes, you achieve attribute-based access control. You can create rules using single or multiple attributes, single or multiple groups, or combinations of attributes and groups.
Use group rules to:
Map multiple Active Directory (AD) groups to a single Okta group. You can also use rules to map Okta groups to AD groups.
Populate AD groups based on user attributes. Rules are particularly useful in "Workday (WD) as a source" setups for which Okta provisions users and groups to AD. For example, use the cost center attribute from WD to determine AD group memberships.
Simplify the management of groups. Instead of manually adding users to a group, you can define a rule that automatically adds users with the required attribute. For example, a user with the department = "sales" is automatically added to the Sales group. When a user's department attribute changes, the user is removed from the Sales group automatically.
Automate provisioning. Instead of manually provisioning users to an app, you can define a rule that automatically provisions users with the required attribute. For example, if user profile attribute == X, then provision app Y with Role Z.
Keep the following restrictions in mind:
- Orgs can have a maximum of 2000 rules.
- Group rules can't be used to assign users to admin groups.
- You can only use string attributes in basic condition group rules.
- A group that is already the target of a group rule can't be granted admin privileges.
- Only super admins and org admins can edit rules.
- Only group admins who manage all groups can search for and view rules. Individual group admins can't search for or view rules.