Groups allow you to organize your end users and the apps they can access, and they make assigning apps to large sets of end users easier. Groups are an important asset, so leveraging them properly matters. Groups simplify administration in various ways, including determining who gets access to applications, who is assigned a certain role in an app, and who is subject to security policies. Unfortunately, managing groups can be tedious, especially if users must be added and removed manually.
The Group Rules feature simplifies the administration of groups. Creating rules enables you to automatically populate Okta groups based on rules that you define. For example, instead of manually populating a group named "Sales" in Okta, you can define a rule that populates the group with users whose attribute department = "sales". If a user's attribute value changes, Okta reevaluates the rule and removes the user from the group, as needed. Rules can be defined from:
- A single or multiple attributes
- A single or multiple groups
- Combinations of attributes and groups
The resulting groups can be used like any other group in Okta. Groups are commonly used to assign single sign-on (SSO) access within Okta and to provision users to apps with specific entitlements (roles, profiles, etc.). When rules are configured to populate groups based on attributes, you achieve attribute-based access control.
Use Group Rules to:
- Avoid manually adding users to groups to determine app assignments:
  - Automatically assign users to apps via groups based on a user's attributes.
  - Drive app assignment changes based on a user's profile.
  - Avoid manually managing lots of groups for every app or role combination.
- Populate Active Directory (AD) groups based on whether a user has a certain attribute:
  - Particularly useful in "Workday (WD) as a master" setups in which Okta provisions users and groups to AD. Example: using the cost center attribute from WD to determine AD group memberships.
  - Map Okta groups to AD groups.
  - Avoid PowerShell scripts.
  - Avoid expensive third-party tools.
- Automate provisioning with rules:
  - Example: if user profile attribute == X, then provision app Y with role Z.
- Map multiple AD groups to one Okta group:
  - If users belong to AD groups A, B, and C, then add them to Okta group X.
  - Use existing groups to drive group memberships in the cloud.
  - No need for redundant group management.
- Assign users matching certain criteria to multiple groups with one rule, so that you don't have to set up multiple rules for the same criteria.
The following applies to all group rules.
- Group rules are triggered when the following events occur:
  - An attribute in the user profile changes.
  - The user's group membership changes. This applies to both user groups and app groups.
- There is a limit of 2000 rules per org (the Okta container that represents a real-world organization).
To create your group rules
- Navigate to Directory > Groups.
- Select the Rules tab, then click the Add Rule button.
- Create a name for your rule.
You now have the following two mechanisms for building a rule. Both mechanisms allow you to exclude individual users, and attributes can only come from the Okta user profile. If you want to evaluate attributes from Workday, Active Directory, or other sources, you need to map them to the Okta user profile attributes first.
With the first mechanism, you simply point and click to create a rule.
- Best used to create simple rules
- Create rules from one attribute
- Create rules from one or more groups
- Specify single or multiple Okta groups in which the user should be placed if the rule condition is met.
- If needed, specify any users that should be excluded from the rule in the Except field.
Adding users to the Except field prevents the rule from acting on them: a user who did not satisfy the condition will not be added to the group even if they meet it later, and a user who is already a member will not be removed if they stop meeting it.
- Use the Preview field to check whether your rule executes correctly.
- When finished, click the Save button.
The second mechanism uses more customizable expressions to create complex rules.
- Create rules from one or more attributes
- Create rules from one or more groups
- Create rules from combinations of attributes and groups
- Expressions must have a valid syntax and use logical operators, leveraging the Okta Expression Language.
- Expressions must evaluate to Boolean.
- Expressions cannot contain an assignment ("=") operator.
- User attributes used in expressions can only refer to available Okta user attributes.
- Most functions are supported in Okta Expression Language.
Note: In the context of custom expressions for Group Rules, only group and user attributes are supported. You cannot use custom expressions that reference an application attribute.
Supported operators include:
- The AND operator
- The OR operator
- The "!" operator (the NOT operator)
- Standard comparison operators such as <, >, <=, >=
Examples of valid condition expressions
Assume that the user has the following attributes with types:
- firstName (String)
- lastName (String)
- city (String)
- salary (Int)
- isContractor (Boolean)
| If (implicit) | Condition Expression | Assign to Group (or any action) |
|---|---|---|
| If | user.city == "San Francisco" | sfo |
| If | user.salary > 1000000 | expensiveEmployee |
| If | user.salary > 1000000 AND !user.isContractor | expensiveFullTimeEmployee |
For more details, refer to the Okta Expression Language reference.
After a rule is created and saved, it is inactive by default. Once activated, it runs across your entire user population. The rule then runs again for an individual user whenever that user's profile is updated via import, direct update, or other changes.
It is possible to manually add users to, or remove users from, a rule-managed group, even if rules for that group already exist. Users added this way are displayed as such.
If a user who was manually added to a group begins to meet a rule condition through profile changes, they automatically become managed by the rule. When you add a rule-managed member of the group to the Exclude users field, they are automatically excluded from the rule.
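The following is an added illustration, not Okta's code, that models how the three example rules from the table above and the Except field behave: rules are inactive until activated, the Except list is never added to or removed from, and a profile change re-evaluates the rules for that user. The `User`, `GroupRule` and `Directory` names and the sample users are constructed for the example; Python lambdas stand in for Okta Expression Language conditions.

```python
from dataclasses import dataclass, field, replace
from typing import Callable, Dict, List, Set

@dataclass
class User:                 # attribute types from the page's example table
    login: str
    city: str
    salary: int
    isContractor: bool

@dataclass
class GroupRule:
    condition: Callable[[User], bool]   # stands in for the Okta EL expression
    groups: Set[str]                    # one rule may populate several groups
    except_users: Set[str] = field(default_factory=set)   # the Except field
    active: bool = False                # new rules are inactive until activated

class Directory:
    def __init__(self, rules: List[GroupRule]):
        self.rules = rules
        self.members: Dict[str, Set[str]] = {g: set() for r in rules for g in r.groups}

    def evaluate(self, user: User) -> None:   # re-run every active rule for one user
        for rule in self.rules:
            if not rule.active or user.login in rule.except_users:
                continue   # excluded users are neither added to nor removed from the group
            for g in rule.groups:
                if rule.condition(user):
                    self.members[g].add(user.login)
                else:
                    self.members[g].discard(user.login)

    def memberships(self) -> Dict[str, List[str]]:
        return {g: sorted(m) for g, m in self.members.items()}

def run_scenario():
    rules = [GroupRule(lambda u: u.city == "San Francisco", {"sfo"}),
             GroupRule(lambda u: u.salary > 1000000, {"expensiveEmployee"}),
             GroupRule(lambda u: u.salary > 1000000 and not u.isContractor,
                       {"expensiveFullTimeEmployee"}, except_users={"carol"})]
    for r in rules:
        r.active = True                     # activation runs the rules over all users
    d = Directory(rules)
    alice = User("alice", "San Francisco", 1200000, False)      # constructed users
    for u in (alice, User("bob", "Austin", 1500000, True),
              User("carol", "San Francisco", 2000000, False)):
        d.evaluate(u)
    before = d.memberships()
    d.evaluate(replace(alice, city="Austin"))   # profile change triggers re-evaluation
    return before, d.memberships()
```

Carol meets the third rule's condition but never lands in expensiveFullTimeEmployee because she is on its Except list, and Alice drops out of sfo as soon as her city attribute changes.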
To verify your group changes
To quickly verify your group membership changes, do the following:
- Navigate to Groups > All.
- Scroll down to the relevant group. Note the change in the People column for updates to the number of members.
- Click on the group name to view its page.
- You can verify the membership and who added the user.
Edit group rules
Navigate to Groups > Rules, find the rule you want to edit, and select Actions > Edit to change the conditions of the rule or to add or remove members from the excluded users list.