About group rules

Group rules simplify group administration and help you manage application access, application roles, and security policies. You can use group rules to:

  • Map multiple Active Directory (AD) groups to a single Okta group.
  • Populate AD groups based on user attributes.
    • Rules are particularly useful in "Workday (WD) as a master" setups, in which Okta provisions users and groups to AD. For example, use the cost center attribute from WD to determine AD group memberships.
    • Rules can map Okta groups to AD groups.
    • Rules remove the need for PowerShell scripts.
    • Rules can replace expensive third-party tools.
  • Automatically assign users to applications.
  • Manage application assignments.
  • Simplify the management of groups.
  • Automate provisioning. For example, if user profile attribute == X, then provision app Y with Role Z.
  • Assign users to multiple groups.

You can create rules to automatically populate Okta groups. For example, instead of manually adding users to a Sales group, you can define a rule that automatically adds users with the attribute department = "sales" to the Sales group. When a user's department attribute changes, the user is removed from the Sales group automatically. Rules can be created using single or multiple attributes, single or multiple groups, or combinations of attributes and groups.
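
The behaviour described above, modelled as an added example (a constructed simulation, not Okta's rule engine or API): a rule populates Sales from `department = "sales"`, a second rule combines two attributes, a manually added member is left alone, a user whose department changes is dropped on the next evaluation, and a rule that targets an admin group is rejected. All group and user names are made up.

```python
"""Constructed model of attribute-based group rules (not Okta's engine or API).
Shows a rule populating a group from profile attributes, automatic removal
when the attribute changes, multi-attribute rules, and the admin-group restriction."""
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    conditions: dict        # attribute -> required value (basic conditions: strings only)
    target_groups: set      # groups populated when every condition matches

@dataclass
class Directory:
    admin_groups: set = field(default_factory=set)
    manual: dict = field(default_factory=dict)   # group -> users added by hand
    managed: dict = field(default_factory=dict)  # group -> users added by rules
    rules: list = field(default_factory=list)

    def add_rule(self, rule):
        # Restriction: a rule cannot assign users to admin groups.
        if rule.target_groups & self.admin_groups:
            raise ValueError(f"{rule.name}: cannot assign users to admin groups")
        # Restriction: basic conditions compare string attributes only.
        if any(not isinstance(v, str) for v in rule.conditions.values()):
            raise TypeError(f"{rule.name}: basic conditions accept string attributes only")
        self.rules.append(rule)

    def reconcile(self, users):
        """Recompute every rule-driven membership from the current profiles.
        A user whose attributes no longer match is dropped automatically;
        manually added members are left alone."""
        self.managed = {g: set() for r in self.rules for g in r.target_groups}
        for uid, profile in users.items():
            for rule in self.rules:
                if all(profile.get(a) == v for a, v in rule.conditions.items()):
                    for g in rule.target_groups:
                        self.managed[g].add(uid)
        groups = set(self.manual) | set(self.managed)
        return {g: sorted(self.manual.get(g, set()) | self.managed.get(g, set()))
                for g in groups}

def demo():
    """Sales example: match, multi-attribute rule, then a department change (constructed data)."""
    d = Directory(admin_groups={"Super Admins"}, manual={"Sales": {"dave"}})
    d.add_rule(Rule("sales-by-dept", {"department": "sales"}, {"Sales"}))
    d.add_rule(Rule("eu-sales", {"department": "sales", "region": "eu"}, {"Sales-EU"}))
    users = {"alice": {"department": "sales", "region": "eu"},   # constructed sample profiles
             "bob": {"department": "sales", "region": "us"},
             "carol": {"department": "eng", "region": "eu"}}
    before = d.reconcile(users)
    users["alice"]["department"] = "eng"      # attribute change: alice leaves both groups
    return before, d.reconcile(users)
```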

Groups are commonly used for Okta single sign-on (SSO) access and to provision users to apps with specific entitlements. When you use rules to populate groups based on attributes, you achieve attribute-based access control (ABAC).

Group rules have the following restrictions:

  • Orgs can have a maximum of 2000 rules.
  • Group rules cannot be used to assign users to admin groups.
  • Basic condition group rules support only string attributes.
  • A group that is already the target of a group rule cannot be granted admin privileges.
  • Only super admins and org admins can edit rules.
  • Only group admins who manage all groups can search for and view rules. Individual group admins cannot search for or view rules.

Related topics

Group rules best practices

Create group rules