Group rules

GroupsGroups allow you to organize your end users and the apps they can access. Assigning apps to large sets of end users is made easier with groups. are an important asset so leveraging them properly is important. Groups simplify administration in various ways, including the ability to determine who gets access to applications, who is assigned a certain role in an appAn abbreviation of application. Essentially, it is a web-based site used to perform any number of specific tasks, and requires authentication from end users by signing in., and who gets subjected to security policies. Unfortunately, managing groups can be tedious, especially if users must be added and removed manually.

Using group rules

The Group Rules feature simplifies the administration of groups. Creating rules allows you to automatically populate Okta groups based on rules that you define. For example, instead of manually populating a group named "Sales" in Okta, you can define a rule that populates the group with users whose attribute department = "sales". If a user's attribute value changes, Okta reevaluates the rule and removes the user from the group, as needed. Rules can be defined from the following:

  • A single attribute
  • Multiple attributes
  • A single group
  • Multiple groups
  • Combinations of attributes and groups

The resulting groups can be used like any other group in Okta. Groups are commonly used to assign SSOAn acronym for single sign-on. In a SSO system, a user logs in once to the system and can access multiple systems without being prompted to sign in for each one. Okta is a cloud-based SSO platform that allows users to enter one name and password to access multiple applications. Users can access all of their web applications, both behind the firewall and in the cloud, with a single sign in. Okta provides a seamless experience across PCs, laptops, tablets, and smartphones. access within Okta and to provision users to apps with specific entitlements (roles, profiles, etc). When rules are configured to populate groups based on attributes, you achieve attributed-based access control (ABAC).

Use Group Rules to

  • Avoid manually adding users to groups to determine app assignments:
    • Automatically assign users to apps via groups based on a user's attributes.
    • Drive app assignment changes based on a user's profile.
  • Avoid manually managing lots of groups for every app or role combination.
  • Populate Active Directory (AD) groups based on whether a user has a certain attribute:
    • Particularly useful in "Workday (WD) as a master" setups for which Okta provisions users and groups to AD. Example: Using the cost center attribute from WD to determine AD group memberships.
    • Map Okta groups to AD groups
    • Avoid PowerShell scripts
    • Avoid expensive 3rd party tools
  • Automate provisioning with rules:
    • Example: if user profile attribute == X, then provision app Y with Role Z.
  • Map multiple AD groups to one Okta group:
    • If users belong to AD groups A, B, and C, then add them to Okta group X.
    • Use existing groups to drive group memberships in the cloud.
    • No need for redundant group management.
  • Assign users matching certain criteria to multiple groups with one rule, so that you don't have to setup multiple rules for the same criteria.

Configuring Group Rules

The following constraints apply to all group rules.

  1. Group rules get triggered when the following events occur:
    1. An attribute mentioned in the User profile changes
    2. The User's group membership changes. This is applicable to both user and app groups.
  2. There is a limit of 2000 rules for an orgThe Okta container that represents a real-world organization..

To start creating your own rules, do the following:

  1. From the AdminAn abbreviation of administrator. This is the individual(s) who have access to the Okta Administrator Dashboard. They control the provisioning and deprovisioning of end users, the assigning of apps, the resetting of passwords, and the overall end user experience. Only administrators have the Administration button on the upper right side of the My Applications page. Dashboard navigate to Directory> Groups.
  2. Click the Rules tab, then the Add Rule button.
  3. Create a name for your rule.

You now have two mechanisms for building a rule:

Expression Builder

  • Simply point and click to create a rule
  • Best used to create simple rules
  • Create rules from one attribute
  • Create rules from one or more groups

The following displays example rules for the Expression Builder

Evaluate a Single Attribute

Evaluate A Single Group

User-added image

Evaluate Multiple Groups

Expression Editor

  • More customizable expressions with Expression Language functions
  • Used to create complex rules
  • Create rules from one or more attributes
  • Create rules from one or more groups
  • Create rules from combinations of attributes and groups

The following displays example rules for the Expression Editor

For details and conditions about using this option, see Conditions of the Expression Editor.

Evaluate Multiple Attributes

User-added image

Evaluate Combinations of Attributes and Groups

Please note that both mechanisms allow you to exclude individual users, and that attributes can only come from the Okta user profile. So if you want to evaluate attributes from WD, AD, or other sources, map them to the Okta user profile attributes first.

  1. Specify single or multiple Okta groups in which the user should be placed if the rule condition is met, as shown below.

  2. If needed, specify any users that should be excluded from the rule in the Exclude Users field under Options, as shown below


Adding users into the Exclude users field prevents the rule from acting on the excluded user. If the user did not satisfy the rules for being in the group, even meeting those conditions later will not add them to it. If they are already a member of the group, they will not be removed if they no longer meet the condition.

Note: The Excluded users field can only accept a maximum of 100 users.

  1. Use the Preview field to preview how your rule will execute, as shown below.

  2. When finished, click the Save Rule button.

After your rule is created and saved, it is inactive by default. Once activated, it will run across your entire user population. The new rule then runs on a particular user as its profile is updated via import, direct updating, or other changes.

Note: To successfully move users to their assigned groups, the user cannot be in a Pending or Inactive state.

To quickly verify your group membership changes, do the following:

  1. From the Groups page, click the All tab.
  2. Scroll down to the relevant group. Note the change in the People column for updates to the number of members.
  3. Click on the group name to view its page.
  4. You can verify the membership and who added the user.

Edit your rules

After completion, the rules you've created appear under the Rules tab.

To edit your existing rules, click the Edit button—keeping in mind that a rule can only be edited when its status is Inactive.

User-added image

In an inactive rule, click the Edit button to change the conditions of the rule or, add or remove members from the excluded users list. Here is where you can also remove users from the Exclude users list, as needed.

User-added image

Note: The one element you cannot delete is an assigned group. To remove or change a previously assigned group, you must delete the rule and create a new one. To delete an inactive rule, click the X.

Add People Manually

It is still possible to manually add or remove users to a rule-managed group, even if rules for that group already exist. Users added this way are displayed as such in the



If a user is manually added to a group then, through profile changes, begins to meet the condition, they will automatically become managed by the rule. When you add a rule-managed user of the group into the Exclude users field, they are automatically excluded from the rule.

Conditions of the Expression Editor


  • Expressions must have a valid syntax and use logical operators, leveraging the Okta Expression Language.
  • Expressions must evaluate to Boolean.
  • Expressions cannot contain an assignment ("=") operator.
  • User attributes used in expressions can only refer to available Okta user attributes.

Supported Functions

  • Most functions are supported in Okta Expression Language.
    Note: In the context of custom Expression for Group Rules, only group and user attributes are supported. You cannot use customer expressions that use an application attribute.
  • The AND operator
  • The OR operator
  • The "!" operator (aka NOT operator)
  • Standard arithmetic operators like < , > <= , >=


One common error is using "=" instead of "==" for equality checks.


Assume that user has the following attributes with types :

  • firstName (String)
  • lastName (String)
  • city (String)
  • salary (Int)
  • isContractor (Boolean)
Examples of valid condition expression
If (implicit) Condition Expression

Assign to Group (or any action)

If String.stringContains(user.firstName, "dummy") dummyUsers
If == "San Francisco" sfo
If user.salary > 1000000 expensiveEmployee
If ! user.isContractor fullTimeEmployees
If user.salary > 1000000 AND !user.isContractor expensiveFullTimeEmployee