Group rules

Groups enable admins to determine who gets access to applications, who is assigned a certain role in an app, and who gets subjected to security policies. Unfortunately, managing groups can be tedious, especially if users must be added and removed manually.

Create group rules

The following applies to all group rules.

  • Group rules get triggered when the following events occur:
    • An attribute mentioned in the user profile changes
    • The user's group membership changes. This is applicable to both user and app groups.
    • A user is reactivated
  • Orgs can have a maximum of 2000 rules.
  • Group rules cannot be used to assign users to admin groups.
  • A group that is already the target of a group rule cannot be granted admin privileges.
  • Only Super admins and Org admins can edit rules.
  • Only Group admins who manage all groups can search for and view rules. Individual group admins cannot search for or view rules.

Create your group rules

  1. Go to Directory > Groups.
  2. Select the Rules tab, and then click Add Rule.
  3. Create a name for your rule.

You have two methods for building a rule. Both allow you to exclude individual users, and both require that attributes only come from the Okta user profile. So if you want to evaluate attributes from Workday, Active Directory, or other sources, you need to map them to the Okta user profile attributes first.

After a rule is created and saved, it is inactive by default. Once activated, it runs across your entire user population. After that first run, the rule is re-evaluated for an individual user whenever that user's profile is updated via import, direct updating, or other changes.

Note: To successfully move users to their assigned groups, the user cannot be in a Pending or Inactive state.

Manage users manually

You can still manually manage users in a group, even if other users in the group are managed by rules.

  • A user who is manually added to a group is managed Manually.
  • If a new rule adds users to that group, and the manually managed user meets the new rule's conditions, that user becomes managed By rule ABC.
  • If a rule-managed user is manually removed from a group, the user is automatically added to the rule's Except The following users field.
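The following Python model is an added illustration of the membership semantics described in this section and in the notes above it; it is not Okta's code and not part of the original page. It assumes a rule's condition can be represented as a Python callable standing in for the Expression Language condition, uses the strings "Manually" and "By rule <name>" to mirror the UI labels, and additionally assumes (beyond what the page states) that a rule-managed user who stops matching the rule is removed from the group by that rule. The sample users, groups and rule name are constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set

MAX_RULES = 2000  # org-wide rule limit stated on the page


@dataclass
class User:
    login: str
    status: str              # "ACTIVE", "PENDING" or "INACTIVE"
    profile: Dict[str, str]  # Okta user profile attributes (the only source a rule may read)


@dataclass
class GroupRule:
    name: str
    target_group: str
    # Assumed stand-in for the rule's Expression Language condition: receives the
    # user profile and the names of the groups the user is currently in.
    condition: Callable[[Dict[str, str], Set[str]], bool]
    excluded: Set[str] = field(default_factory=set)  # "Except the following users"
    active: bool = False                              # saved rules start inactive


class Directory:
    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.rules: Dict[str, GroupRule] = {}
        # membership[group][login] is "Manually" or "By rule <name>"
        self.membership: Dict[str, Dict[str, str]] = {}

    def add_user(self, user: User) -> None:
        self.users[user.login] = user

    def groups_of(self, login: str) -> Set[str]:
        return {g for g, members in self.membership.items() if login in members}

    def managed_by(self, login: str, group: str) -> Optional[str]:
        return self.membership.get(group, {}).get(login)

    def add_rule(self, rule: GroupRule) -> None:
        if len(self.rules) >= MAX_RULES:
            raise ValueError("org rule limit reached")
        self.rules[rule.name] = rule  # inactive until explicitly activated

    def activate(self, name: str) -> None:
        self.rules[name].active = True
        for login in self.users:      # first run covers the whole user population
            self.evaluate_user(login)

    def add_user_manually(self, login: str, group: str) -> None:
        self.membership.setdefault(group, {})[login] = "Manually"
        self.evaluate_user(login)     # trigger: group membership changed

    def remove_user_manually(self, login: str, group: str) -> None:
        tag = self.membership.get(group, {}).pop(login, None)
        if tag and tag.startswith("By rule "):
            # Removing a rule-managed user puts them on that rule's Except list
            self.rules[tag[len("By rule "):]].excluded.add(login)
        self.evaluate_user(login)     # trigger: group membership changed

    def update_profile(self, login: str, **changes: str) -> None:
        self.users[login].profile.update(changes)
        self.evaluate_user(login)     # trigger: profile attribute changed

    def reactivate(self, login: str) -> None:
        self.users[login].status = "ACTIVE"
        self.evaluate_user(login)     # trigger: user reactivated

    def evaluate_user(self, login: str) -> None:
        user = self.users[login]
        if user.status != "ACTIVE":
            return                    # Pending/Inactive users are never moved
        for rule in self.rules.values():
            if not rule.active:
                continue
            members = self.membership.setdefault(rule.target_group, {})
            tag = f"By rule {rule.name}"
            matches = (login not in rule.excluded
                       and rule.condition(user.profile, self.groups_of(login)))
            if matches:
                members[login] = tag  # a manual member who matches becomes rule-managed
            elif members.get(login) == tag:
                del members[login]    # assumed: rule-managed user no longer matches


def demo() -> Directory:
    """Constructed sample directory with one active rule; returned for inspection."""
    d = Directory()
    d.add_user(User("alice", "ACTIVE", {"department": "Sales"}))
    d.add_user(User("bob", "PENDING", {"department": "Sales"}))
    d.add_user(User("carol", "ACTIVE", {"department": "Engineering"}))
    d.add_user_manually("carol", "sales-apps")
    d.add_rule(GroupRule("sales-rule", "sales-apps",
                         lambda profile, groups: profile.get("department") == "Sales"))
    d.activate("sales-rule")
    return d


if __name__ == "__main__":
    directory = demo()
    for login in directory.users:
        print(login, directory.managed_by(login, "sales-apps"))
```

Running the demo shows alice added "By rule sales-rule", bob left out because he is still Pending, and carol kept as "Manually" because she does not meet the condition; reactivating bob, or changing carol's department to Sales, then brings each of them under rule management on the next evaluation.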

Verify your group membership changes

  1. Go to Groups > All.
  2. Scroll to the relevant group. Note the change in the People column for updates to the number of members.
  3. Click the group name to view its page.
  4. Verify the membership and who added the user.

Edit group rules

  1. Go to Groups > Rules and find the rule you want to edit. You can search by group name or by the conditions and Expression Language used in a rule.
  2. If the rule's status is Active, click Actions > Deactivate. Only inactive rules can be edited.
  3. Click Actions > Edit.
  4. Change the conditions of the rule or modify the list of excluded users. You can't change the groups assigned to the rule; to do that, you have to delete the rule and create a new one.