Groups enable admins to determine who gets access to applications, who is assigned a certain role in an app, and who gets subjected to security policies. Unfortunately, managing groups can be tedious, especially if users must be added and removed manually.
The Group Rules feature simplifies the administration of groups. Creating rules enables you to automatically populate Okta groups based on rules that you define. For example, instead of manually populating a group named "Sales" in Okta, you can define a rule that populates the group with users whose attribute department = "sales". If a user's attribute value changes, Okta reevaluates the rule and removes the user from the group, as needed. Rules can be defined from:
- A single or multiple attributes
- A single or multiple groups
- Combinations of attributes and groups
The resulting groups can be used like any other group in Okta. Groups are commonly used to assign SSO access within Okta and to provision users to apps with specific entitlements (such as roles or profiles). When rules are configured to populate groups based on attributes, you achieve attribute-based access control.
Use Group Rules to:
- Avoid manually adding users to groups to determine app assignments.
  - Rules can automatically assign users to apps through groups based on a user's attributes.
  - Rules can drive app assignment changes based on a user's profile.
- Avoid manually managing multiple groups for every app or role combination.
  - Populate Active Directory (AD) groups based on whether a user has a certain attribute.
  - Rules are particularly useful in "Workday (WD) as a master" setups for which Okta provisions users and groups to AD. For example, use the cost center attribute from WD to determine AD group memberships.
  - Rules can map Okta groups to AD groups.
  - Rules enable you to avoid PowerShell scripts.
  - Rules can replace expensive third-party tools.
- Automate provisioning with rules. For example, if user profile attribute == X, then provision app Y with Role Z.
- Map multiple AD groups to one Okta group. Rules eliminate the need for redundant group management.
  - If users belong to AD groups A, B, and C, then add them to Okta group X.
  - Use existing groups to drive group memberships in the cloud.
- Assign users matching certain criteria to multiple groups with one rule, so that you don't have to set up multiple rules for the same criteria.
The following applies to all group rules:
- Group rules are triggered when the following events occur:
  - An attribute in the user profile changes.
  - The user's group membership changes. This applies to both user groups and app groups.
  - A user is reactivated.
- Orgs can have a maximum of 2000 rules.
- Group rules cannot be used to assign users to admin groups.
- A group that is already the target of a group rule cannot be granted admin privileges.
- Only Super admins and Org admins can edit rules.
- Only Group admins who manage all groups can search for and view rules. Individual group admins cannot search for or view rules.
Create your group rules
- Go to Directory > Groups.
- Select the Rules tab, and then click Add Rule.
- Create a name for your rule.
You have two methods for building a rule. Both allow you to exclude individual users, and both require that attributes only come from the Okta user profile. So if you want to evaluate attributes from Workday, Active Directory, or other sources, you need to map them to the Okta user profile attributes first.
Point and click to create a rule. This method is recommended when you want to create simple rules, like those from a single attribute or from one or more groups only.
- In the Then Assign to field, specify single or multiple Okta groups in which the user should be placed if the rule condition is met.
- Specify any users that should be excluded from the rule in the Except The following users field. Excluding users is useful when a user meets the rule's criteria but does not belong in the group, and it can also be used for a user who is already in the group but does not meet the rule's criteria. Excluding these users from the rule keeps them in the group. If you later decide to include these users in the rule, edit the rule and manually remove their names from the Except field.
Note: The Except field can only accept a maximum of 100 users.
- Use the Preview field to check whether your rule executes correctly.
- Click Save.
Create complex rules with customizable expressions:
- Create rules from one or more attributes
- Create rules from one or more groups
- Create rules from combinations of attributes and groups
Requirements for custom expressions:
- Expressions must have valid syntax and use logical operators, leveraging the Okta Expression Language.
- Expressions must evaluate to Boolean.
- Expressions cannot contain an assignment ("=") operator.
- User attributes used in expressions can only refer to available Okta user attributes.
Supported operators:
- The AND operator
- The OR operator
- The "!" operator (the NOT operator)
- Standard comparison operators such as <, >, <=, >=. For equality checks, use "==" instead of "=".
- Most functions of the Okta Expression Language are supported. However, in custom expressions for Group Rules, only group and user attributes are supported; you cannot use a custom expression that references an application attribute.
Examples of valid condition expressions
Assume that the user has the following attributes, with their types:
- firstName (String)
- lastName (String)
- city (String)
- salary (Int)
- isContractor (Boolean)
| If (implicit) | Condition Expression | Assign to Group (or any action) |
| --- | --- | --- |
| If | user.city == "San Francisco" | sfo |
| If | user.salary > 1000000 | expensiveEmployee |
| If | user.salary > 1000000 AND !user.isContractor | expensiveFullTimeEmployee |
For more details, refer to the Okta Expression Language reference.
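As an added example that is not part of the Okta documentation, the following Python evaluator checks a condition expression written in the subset described above (user.<attribute> operands, integer and string literals, comparison operators, AND, OR and !) against a user profile, rejecting a bare "=" and non-Boolean results the way the requirements list specifies. The attribute names and profile values come from the table above; the operator precedence it uses (! binds to its operand, comparisons before AND, AND before OR) is an assumption of this example, not Okta's documented grammar.

```python
import operator
import re

# Constructed evaluator for the condition subset the page describes: user.<attribute>
# operands, integer and string literals, comparisons, and the AND / OR / ! operators.
TOKEN_RE = re.compile(r'(AND|OR)\b|(==|!=|<=|>=|<|>|!)|(\d+)|"([^"]*)"|user\.(\w+)')
OPS = {"==": operator.eq, "!=": operator.ne, "<": operator.lt,
       "<=": operator.le, ">": operator.gt, ">=": operator.ge}


def evaluate(expression, profile):
    """Evaluate one group rule condition against a user profile (dict of Okta user attributes)."""
    leftover = TOKEN_RE.sub("", expression).strip()
    if leftover:  # text the tokenizer does not recognise, such as a bare "=", is invalid syntax
        raise ValueError(f"invalid syntax near {leftover!r}")
    tokens = list(TOKEN_RE.finditer(expression))
    peek = lambda: tokens[0] if tokens else None
    def take():
        if not tokens:
            raise ValueError("unexpected end of expression")
        return tokens.pop(0)
    def primary():  # operands: integer literal, string literal, or an Okta user profile attribute
        t = take()
        if t.group(3): return int(t.group(3))
        if t.group(4) is not None: return t.group(4)
        if t.group(5) in profile: return profile[t.group(5)]
        raise ValueError(f"invalid operand {t.group(0)!r}")
    def unary():  # "!" negates the single operand that follows it (assumed precedence)
        if peek() and peek().group(2) == "!":
            take()
            return not unary()
        return primary()
    def comparison():
        left = unary()
        if peek() and peek().group(2) in OPS:
            return OPS[take().group(2)](left, unary())
        return left
    def chain(operand, keyword, combine):  # left-associative AND / OR chains
        value = operand()
        while peek() and peek().group(1) == keyword:
            take()
            value = combine(value, operand())
        return value
    and_expr = lambda: chain(comparison, "AND", lambda a, b: a and b)
    result = chain(and_expr, "OR", lambda a, b: a or b)
    if tokens:
        raise ValueError(f"unexpected token {tokens[0].group(0)!r}")
    if not isinstance(result, bool):  # the page: expressions must evaluate to Boolean
        raise ValueError("expression does not evaluate to Boolean")
    return result
```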
After a rule is created and saved, it is inactive by default. Once activated, it runs across your entire user population. The rule then runs on a particular user whenever that user's profile is updated via import, direct update, or other changes.
Note: To successfully move users to their assigned groups, the user cannot be in a Pending or Inactive state.
You can still manually manage users in a group, even if other users in the group are managed by rules.
- A user who is manually added to a group is managed Manually.
- If a new rule adds users to that group, and the manually managed user meets the new rule's conditions, that user becomes managed By rule ABC.
- If a rule-managed user is manually removed from a group, the user is automatically added to the rule's Except The following users field.
Verify your group membership changes
- Go to Groups > All.
- Scroll to the relevant group. Note the change in the People column for updates to the number of members.
- Click the group name to view its page.
- Verify the membership and who added the user.
Edit group rules
- Go to Groups > Rules and find the rule you want to edit. You can search by group name or by the conditions and Expression Language used in a rule.
- If the rule's status is Active, click Actions > Deactivate. Only inactive rules can be edited.
- Click Actions > Edit.
- Change the conditions of the rule or modify the list of excluded users. You can't change the groups assigned to the rule; to do that, delete the rule and create a new one.