About group rules
Group rules simplify group administration and help you manage application access, application roles, and security policies. You can use group rules to:
You can create rules to automatically populate Okta groups. For example, instead of manually adding users to a Sales group, you can define a rule that automatically adds users with the attribute department = "sales" to the Sales group. When a user's department attribute changes, the user is removed from the Sales group automatically. Rules can be created using single or multiple attributes, single or multiple groups, or combinations of attributes and groups.
Groups are commonly used for Okta single sign-on (SSO) access and to provision users to apps with specific entitlements. When you use rules to populate groups based on attributes, you achieve attribute-based access control.
Group rules have the following restrictions:
- Orgs can have a maximum of 2000 rules.
- Group rules cannot be used to assign users to admin groups.
- You can only use string attributes in basic condition group rules.
- A group that is already the target of a group rule cannot be granted admin privileges.
- Only super admins and org admins can edit rules.
- Only group admins who manage all groups can search for and view rules. Individual group admins cannot search for or view rules.
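The following added example is a simplified Python model of the behavior described above; it is not Okta code and does not call the Okta API. It shows attribute-driven membership being recomputed when `department` changes, and it enforces the admin-group and string-attribute restrictions from the list. The class names, group names, the exact-match comparison, and the sample profile are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class GroupRule:
    name: str
    conditions: dict       # attribute name -> required string value (all must match)
    target_groups: tuple   # groups this rule populates

class RuleEngine:
    MAX_RULES = 2000  # per-org limit listed in the restrictions

    def __init__(self, admin_groups=()):
        self.admin_groups = set(admin_groups)
        self.rules = []

    def add_rule(self, rule):
        if len(self.rules) >= self.MAX_RULES:
            raise ValueError("org rule limit reached")
        if not all(isinstance(v, str) for v in rule.conditions.values()):
            raise TypeError("basic conditions accept string attributes only")
        blocked = self.admin_groups.intersection(rule.target_groups)
        if blocked:
            raise ValueError(f"rules cannot populate admin groups: {sorted(blocked)}")
        self.rules.append(rule)

    def grant_admin(self, group):
        # A group already targeted by a rule cannot receive admin privileges.
        if any(group in r.target_groups for r in self.rules):
            raise ValueError(f"{group} is a rule target; cannot grant admin privileges")
        self.admin_groups.add(group)

    def memberships(self, profile):
        # Recomputed from current attributes, so a changed attribute drops the group.
        groups = set()
        for rule in self.rules:
            if all(profile.get(a) == v for a, v in rule.conditions.items()):
                groups.update(rule.target_groups)
        return groups

def demo():
    engine = RuleEngine(admin_groups={"Org Admins"})  # constructed group names
    engine.add_rule(GroupRule("sales", {"department": "sales"}, ("Sales",)))
    engine.add_rule(GroupRule("sales-emea", {"department": "sales", "region": "emea"}, ("Sales EMEA",)))
    user = {"department": "sales", "region": "emea"}  # constructed profile
    before = engine.memberships(user)
    user["department"] = "marketing"  # attribute change
    after = engine.memberships(user)
    return before, after

if __name__ == "__main__":
    print(demo())
```

Both restrictions in the model close the same path: an attribute value that a user or an upstream directory can change should never be able to place an account in a group that carries admin privileges.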