Group rules simplify group administration and help you manage application access, application roles, and security policies.
You can create rules to automatically populate Okta groups. For example, instead of manually adding users to a Sales group, you can define a rule that automatically adds users with the attribute department = "sales" to the Sales group. When a user's department attribute changes, the user is removed from the Sales group automatically. Rules can be created using single or multiple attributes, single or multiple groups, or combinations of attributes and groups.
Groups are commonly used for Okta single sign-on (SSO) access and to provision users to apps with specific entitlements. When you use rules to populate groups based on attributes, you achieve attribute-based access control.
Use group rules to:
- Automatically assign users to applications.
- Manage application assignments.
- Simplify the management of groups.
- Populate Active Directory (AD) groups based on user attributes.
  - Rules are particularly useful in "Workday (WD) as a master" setups for which Okta provisions users and groups to AD. For example, use the cost center attribute from WD to determine AD group memberships.
  - Rules can map Okta groups to AD groups.
  - Rules enable you to avoid PowerShell scripts.
  - Rules can replace expensive third-party tools.
- Automate provisioning. For example, if user profile attribute == X, then provision app Y with Role Z.
- Map multiple AD groups to a single Okta group.
- Assign users to multiple groups.
You can use basic conditions or the Okta Expression Language to create rules. Both methods allow the exclusion of individual users, and both require that attributes come from the Okta user profile. To evaluate attributes from Workday, Active Directory, or other sources, you need to map them to Okta user profile attributes first.
- In the Admin Console, go to Directory > Groups.
- Select the Rules tab, and then click Add Rule.
- Complete these fields:
- Name — Enter a name for the rule.
- Select one of these options for the rule condition:
- Use basic condition — Select options from the drop-down lists to create a rule. Use this method to create simple rules, like those from a single attribute or from one or more groups only.
- Use Okta Expression Language (advanced) — Select this option to create complex rules with custom expressions:
- Create rules from one or more attributes
- Create rules from one or more groups
- Create rules from combinations of attributes and groups
- Constraints:
  - Expressions must have valid syntax and use the logical operators of the Okta Expression Language.
  - Expressions must evaluate to a Boolean.
  - Expressions cannot contain an assignment ("=") operator.
  - User attributes used in expressions can only refer to available Okta user attributes.
- Supported functions and operators: the AND operator, the OR operator, the "!" (NOT) operator, and the standard comparison operators (<, >, <=, >=). For equality checks, use "==" instead of "=". Most Okta Expression Language functions are supported, but in custom expressions for group rules only group and user attributes are available. You cannot use a custom expression that references an application attribute.
Examples of valid condition expressions. Assume that the user has the following attributes with types:
- firstName (String)
- lastName (String)
- city (String)
- salary (Int)
- isContractor (Boolean)

| If (implicit) | Condition expression | Assign to group (or any action) |
| --- | --- | --- |
| If | String.stringContains(user.firstName, "dummy") | dummyUsers |
| If | user.city == "San Francisco" | sfo |
| If | user.salary > 1000000 | expensiveEmployee |
| If | ! user.isContractor | fullTimeEmployees |
| If | user.salary > 1000000 AND !user.isContractor | expensiveFullTimeEmployee |
- In the Then Assign to field, enter the single or multiple groups to which the user should be added if the rule condition is met.
- In the Except The following users field, enter the names of any users you want to exclude from the rule. A maximum of 100 users can be excluded from a rule.
- Click Save.
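As an added example (not Okta's own validator), a small Python lint that checks a custom expression against the constraints listed above before it is pasted into a rule. It checks text patterns only rather than parsing Okta Expression Language, and it assumes application attributes are referenced with an `appuser.` prefix, which the page does not state.

```python
import re
from typing import List

# Added example: a lint for custom group-rule expressions against the
# constraints listed on this page. It is not Okta's parser and does not
# evaluate Okta Expression Language; it only catches the textual mistakes.
STRING_LITERAL = re.compile(r'"[^"]*"')
ASSIGNMENT = re.compile(r'(?<![=!<>])=(?!=)')   # a lone "=": not ==, !=, <=, >=
# Assumption: application attributes appear as "appuser.<attr>"; the page only
# states that application attributes cannot be used in group rules.
APP_ATTRIBUTE = re.compile(r'\bappuser\.\w+')


def lint_rule_expression(expr: str) -> List[str]:
    """Return the constraint violations found; an empty list means the
    expression passes every check this lint implements."""
    issues = []
    if not expr.strip():
        return ["expression is empty"]
    # Mask string literals so an "=" inside "a=b" is not read as assignment.
    code = STRING_LITERAL.sub('""', expr)
    if ASSIGNMENT.search(code):
        issues.append('assignment operator "=" is not allowed; use "==" for equality')
    if APP_ATTRIBUTE.search(code):
        issues.append("application attributes cannot be used in group rules")
    depth = 0
    for ch in code:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:          # a ")" before its "(" can never balance
            break
    if depth != 0:
        issues.append("unbalanced parentheses")
    return issues


if __name__ == "__main__":
    # Constructed inputs: the page's valid examples plus a few broken ones.
    for candidate in [
        'user.city == "San Francisco"',
        'user.salary > 1000000 AND !user.isContractor',
        'user.city = "San Francisco"',
        'appuser.role == "admin"',
        'user.salary > (1000000',
    ]:
        print(f"{candidate!r}: {lint_rule_expression(candidate) or 'ok'}")
```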
After a rule is created and saved, it is inactive by default. Once activated, it is applied to your entire org. The new rule then runs on a particular user whenever their profile is updated via import, direct updating, or other changes.
Note: To successfully move users to their assigned groups, the user cannot be in a Pending or Inactive state.
You can manually manage users in a group, even if other users in the group are managed by rules.
- A user who is manually added to a group is managed Manually.
- If a new rule adds users to that group, and the manually managed user meets the new rule's conditions, that user becomes managed By rule ABC.
- If a rule-managed user is manually removed from a group, the user is automatically added to the rule's Except The following users field.
- When you add or remove users from a group, the process runs as a background task, and depending on the number of users being added or removed, can take significant time to complete. During the addition or removal process, the Manage People button is inactive, and a notification appears indicating the progress of the request. Another notification appears when the request completes successfully.
Verify group membership changes
- In Admin Console, go to Directory > Groups.
- Click the All tab and scroll to a group. Note the change in the People column for updates to the number of members.
- Click the group name to view group members.
- Verify how the user was added.
Edit group rules
Only inactive rules can be edited.
- In Admin Console, go to Directory > Groups.
- Click the Rules tab and find the rule you want to edit. You can search by group name, conditions, or the Expression Language used in a rule.
- Click Actions > Edit.
- Change the rule settings or modify the list of excluded users. If you want to change the groups assigned to the rule, you need to delete the rule and create a new one.
Remember that group rules are applied to your entire org, and they can be triggered whenever you change a user's profile, group membership, or lifecycle state. Observe these best practices when creating group rules:
- Review your existing rules to prevent duplicate conditions. Creating three separate rules with the same condition means that eligible users are members of three separate groups. Additional rules take longer to evaluate, and they can stretch your org's group limit.
- Eliminate cascading rules. Cascading rules cause performance issues because they refer to a group that is populated by another rule. For example, Rule 1 says If user.city == "San Francisco", then assign to group California. Rule 2 says if user isMemberOf(California), then assign to group West Coast. Solve this by creating a rule that says If user.city == "San Francisco", then assign user to California and West Coast.
- Preview your rules on a test user before you save them. Group rules are enforced immediately after they are activated. During rule setup, enter a test user's name in the Preview field. Verify that the user was evaluated correctly, and then save and activate your rule.
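To show why the cascading form costs extra evaluation, here is an added Python model of rule re-evaluation (not Okta's engine; the page only says that cascading rules cause performance issues). It assumes that rule-managed membership is recomputed until it stops changing, and it reuses the California / West Coast rules from the list above.

```python
# Added example: a model of how rule-populated group membership converges.
# Each rule is (condition, groups to assign); a condition sees the user
# profile and the groups from the previous pass. This is an assumption about
# evaluation, written to illustrate the cascading-rule advice, not Okta's code.

def city_is(city):
    return lambda profile, groups: profile.get("city") == city


def is_member_of(group):
    return lambda profile, groups: group in groups


# Rule 1 and Rule 2 from the cascading example on this page
CASCADING = [
    (city_is("San Francisco"), ["California"]),
    (is_member_of("California"), ["West Coast"]),
]
# The single consolidated rule the page recommends instead
CONSOLIDATED = [
    (city_is("San Francisco"), ["California", "West Coast"]),
]


def evaluate(profile, rules, current=frozenset(), max_passes=10):
    """Re-apply the rules until membership stops changing.

    Returns (final_groups, trace) where trace holds the membership after
    every pass that changed it. Membership is recomputed from scratch each
    pass, so a user whose attributes no longer match is removed as well."""
    groups = set(current)
    trace = []
    for _ in range(max_passes):
        new_groups = set()
        for condition, targets in rules:
            if condition(profile, groups):
                new_groups.update(targets)
        if new_groups == groups:
            return groups, trace
        groups = new_groups
        trace.append(set(groups))
    raise RuntimeError("rules did not converge")


if __name__ == "__main__":
    sf = {"city": "San Francisco"}                 # constructed test profile
    print("cascading   :", evaluate(sf, CASCADING))
    print("consolidated:", evaluate(sf, CONSOLIDATED))
    # A move out of San Francisco: with cascading rules the user is briefly
    # in West Coast but not California before the second pass removes them.
    moved = {"city": "Seattle"}
    print("moved, cascading:", evaluate(moved, CASCADING, {"California", "West Coast"}))
```

The trace length is the number of passes that changed membership: two for the cascading pair, one for the consolidated rule, and the intermediate `{"West Coast"}` state in the last case is the inconsistency the consolidated rule avoids.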
Note the following restrictions on group rules:
- Orgs can have a maximum of 2000 rules.
- Group rules cannot be used to assign users to admin groups.
- A group that is already the target of a group rule cannot be granted admin privileges.
- Only Super admins and Org admins can edit rules.
- Only Group admins who manage all groups can search for and view rules. Individual group admins cannot search for or view rules.