Group rules

Groups allow you to organize your end users and the apps they can access, and they make it easier to assign apps to large sets of end users. Groups are an important asset, so leveraging them properly matters. Groups simplify administration in various ways, including determining who gets access to applications, who is assigned a certain role in an app, and who is subject to security policies. Unfortunately, managing groups can be tedious, especially if users must be added and removed manually.

Create group rules

The following applies to all group rules.

  • Group rules get triggered when the following events occur:
    • An attribute in the user profile changes
    • The user's group membership changes. This applies to both user and app groups.
    • A user is reactivated
  • There is a limit of 2000 rules for an org.
  • Group rules cannot be used to assign users to admin groups.
  • A group that is already the target of a group rule cannot be granted admin privileges.

Create your group rules

  1. Navigate to Directory > Groups.
  2. Select the Rules tab, then click the Add Rule button.
  3. Create a name for your rule.

You now have the following two mechanisms for building a rule. Both mechanisms allow you to exclude individual users, and attributes can come only from the Okta user profile. If you want to evaluate attributes from Workday, Active Directory, or other sources, you must first map them to Okta user profile attributes.

After a rule is created and saved, it is inactive by default. Once activated, it runs across your entire user population. After that, the rule runs again on an individual user whenever that user's profile is updated via import, direct editing, or other changes.

Note: To successfully move users to their assigned groups, the user cannot be in a Pending or Inactive state.

Add people manually

It is possible to manually add users to, or remove users from, a rule-managed group, even if rules for that group already exist. Users added this way are displayed as manually added.

If a manually added user later begins to meet a rule condition (for example, through profile changes), they automatically become managed by the rule. When you add a rule-managed member of the group to the Exclude users field, they are automatically excluded from the rule.
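The membership behaviour described in the preceding sections (rules inactive until activated, excluded users and Pending/Inactive users never moved, manual members taken over by the rule once they match, no admin groups as targets, the 2000-rule limit) can be reasoned about with a small model. This is an added example, not Okta's code; the condition format (attribute equals value) is a simplified stand-in for Okta's Expression Language, and the status labels and admin group name are constructed placeholders.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    uid: str
    status: str      # "Active", "Pending", "Inactive" (constructed labels, per the page)
    profile: dict    # Okta user profile attributes, the only source a rule may use

@dataclass
class GroupRule:
    name: str
    conditions: dict               # attribute -> required value (simplified condition)
    target_group: str
    excluded_users: set = field(default_factory=set)
    active: bool = False           # a newly saved rule is inactive until activated

ADMIN_GROUPS = {"Super Administrators"}   # constructed placeholder admin group name

def validate_rule(rule: GroupRule, existing_rules: list) -> None:
    """Enforces two constraints from the page: no admin targets, 2000-rule org limit."""
    if rule.target_group in ADMIN_GROUPS:
        raise ValueError("group rules cannot assign users to admin groups")
    if len(existing_rules) >= 2000:
        raise ValueError("org limit of 2000 group rules reached")

def matches(rule: GroupRule, user: User) -> bool:
    return all(user.profile.get(k) == v for k, v in rule.conditions.items())

def evaluate(rule: GroupRule, users: list, current: dict) -> dict:
    """Re-runs one rule over the user population.
    current and the result map uid -> "manual" | "rule" for rule.target_group.
    Manual members are left alone unless they start matching, when the rule takes over.
    """
    result = dict(current)
    if not rule.active:
        return result                      # inactive rules do nothing
    for user in users:
        managed = result.get(user.uid)
        if user.uid in rule.excluded_users:
            if managed == "rule":
                del result[user.uid]       # excluding a rule-managed user removes them
            continue
        if user.status in ("Pending", "Inactive"):
            continue                       # not moved until the user is active again
        if matches(rule, user):
            result[user.uid] = "rule"      # a manual member now meeting the condition
        elif managed == "rule":
            del result[user.uid]           # no longer matches: rule withdraws membership
    return result
```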

Verify your group changes

To quickly verify your group membership changes, do the following:

  1. Navigate to Groups > All.
  2. Scroll down to the relevant group. Note the change in the People column for updates to the number of members.
  3. Click on the group name to view its page.
  4. Verify the membership and who added each user.

Edit group rules

Navigate to Groups > Rules, find the rule you want to edit, and select Actions > Edit to change the conditions of the rule or to add or remove members from the excluded users list.

  • Group admins can search for and view rules only if they manage all groups (individual group admins cannot view rules).
  • You can search for a rule based on the group name, or on the conditions and Expression Language used in a rule.
  • Group admins cannot edit rules.
  • Rules can only be edited when their status is Inactive.
  • You cannot remove the assigned group from an existing rule. To remove or change a previously assigned group, delete the rule and create a new one. To delete an inactive rule, click the X.