You can use basic conditions or the Okta Expression Language to create rules. Both methods allow the exclusion of individual users, and both require that attributes come from the Okta user profile. To evaluate attributes from Workday, Active Directory, or other sources, you need to map them to Okta user profile attributes first.
- In the Admin Console, go to Directory > Groups.
- Select the Rules tab, and then click Add Rule.
- Complete these fields:
- Name — Enter a name for the rule.
- Select one of these options:
- Use basic condition — Select options from the drop-down lists to create a rule using string attributes only. Use this method to create simple rules, like those from a single attribute or from one or more groups only.
- Use Okta Expression Language (advanced) — Select this option to create complex rules with custom expressions:
- Create rules from one or more attributes
- Create rules from one or more groups
- Create rules from combinations of attributes and groups
- Constraints: expressions must use valid Okta Expression Language syntax and logical operators, must evaluate to a Boolean, cannot contain the assignment operator ("="), and may refer only to attributes that exist in the Okta user profile.
- Supported functions: the AND operator, the OR operator, the "!" (NOT) operator, and the standard comparison operators <, >, <=, >=. For equality checks, use "==" instead of "=". Most Okta Expression Language functions are supported, but in a custom expression for a group rule only user and group attributes are available; an expression that references an application attribute cannot be used.
Examples of valid condition expressions. Assume the user has the following attributes and types:
- firstName (String)
- lastName (String)
- city (String)
- salary (Int)
- isContractor (Boolean)
| If | Assign to Group (or any action) |
| --- | --- |
| String.stringContains(user.firstName, "dummy") | dummyUsers |
| user.city == "San Francisco" | sfo |
| user.salary > 1000000 | expensiveEmployee |
| ! user.isContractor | fullTimeEmployees |
| user.salary > 1000000 AND !user.isContractor | expensiveFullTimeEmployee |
- In the Then Assign to field, enter the single or multiple groups to which the user should be added if the rule condition is met. The maximum number of groups to which a user can be added is 100.
- In the Except The following users field, enter the names of any users you want to exclude from the rule. A maximum of 100 users can be excluded from a rule.
- Click Save.
Note: If a rule-managed user is manually removed from a group, the user is automatically added to the rule's Except The following users field.
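The following is an added example, not Okta's code or documentation: a small evaluator for the subset of Okta Expression Language that the sample conditions above use (comparison operators, AND, OR, "!", parentheses and String.stringContains), together with the static checks an admin would want to run before saving a rule (no assignment operator, only user or group attributes, result must be Boolean, the 100-group and 100-excluded-user limits) and a function that applies a list of rules to one user while honouring the Except list and the Pending/Inactive restriction. The GroupRule class, the sample rules, the sample user profile and the status strings are constructed for illustration and do not mirror the Okta API.

```python
"""Added example: toy evaluator and linter for Okta group-rule conditions.
Not Okta's code; attribute names, rules and the user profile are constructed."""
import operator
import re
from dataclasses import dataclass, field

MAX_GROUPS_PER_RULE = 100   # "Then Assign to" limit from the documentation
MAX_EXCLUDED_USERS = 100    # "Except The following users" limit from the documentation
ALLOWED_SOURCES = ("user", "group", "String")   # app attributes are not allowed
FUNCTIONS = {"String.stringContains": lambda s, sub: sub in s}  # supported subset
COMPARISONS = {"==": operator.eq, "!=": operator.ne, "<": operator.lt,
               ">": operator.gt, "<=": operator.le, ">=": operator.ge}
# A lone "=" that is not part of ==, !=, <= or >= is an assignment operator.
ASSIGNMENT_RE = re.compile(r"(?<![=<>!])=(?!=)")
TOKEN_RE = re.compile(r"""\s*(?:(?P<str>"[^"]*")|(?P<num>\d+)|
    (?P<op>==|!=|<=|>=|<|>|!|\(|\)|,)|(?P<id>[A-Za-z_][\w.]*))""", re.VERBOSE)


@dataclass
class GroupRule:                      # constructed, not an Okta API object
    name: str
    condition: str
    assign_to: list
    except_users: set = field(default_factory=set)
    active: bool = False              # rules are inactive until activated


def tokenize(text):
    """Split a condition into (kind, value) tokens; reject unknown characters."""
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"bad syntax at {text[pos:]!r}")
        pos = m.end()
        tokens.append((m.lastgroup, m.group(m.lastgroup)))
    return tokens


class Parser:
    """Recursive-descent evaluator: OR < AND < ! < comparison < primary."""
    def __init__(self, tokens, user):
        self.toks, self.i, self.user = tokens, 0, user

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self, expected=None):
        kind, val = self.peek()
        if expected is not None and val != expected:
            raise ValueError(f"expected {expected!r}, got {val!r}")
        self.i += 1
        return kind, val

    def expr(self):
        left = self.and_expr()
        while self.peek()[1] == "OR":
            self.take()
            right = self.and_expr()        # always consume the right operand
            left = left or right
        return left

    def and_expr(self):
        left = self.unary()
        while self.peek()[1] == "AND":
            self.take()
            right = self.unary()
            left = left and right
        return left

    def unary(self):
        if self.peek()[1] == "!":
            self.take()
            return not self.unary()
        return self.comparison()

    def comparison(self):
        left = self.primary()
        op = self.peek()[1]
        if op in COMPARISONS:
            self.take()
            return COMPARISONS[op](left, self.primary())
        return left

    def primary(self):
        kind, val = self.take()
        if kind == "str":
            return val[1:-1]
        if kind == "num":
            return int(val)
        if kind == "op" and val == "(":
            inner = self.expr()
            self.take(")")
            return inner
        if kind == "id" and self.peek()[1] == "(":      # function call
            self.take("(")
            args = [self.expr()]
            while self.peek()[1] == ",":
                self.take()
                args.append(self.expr())
            self.take(")")
            return FUNCTIONS[val](*args)
        if kind == "id" and val.startswith("user."):     # user profile attribute
            attr = val[len("user."):]
            if attr not in self.user:
                raise ValueError(f"unknown user attribute {attr!r}")
            return self.user[attr]
        raise ValueError(f"unexpected token {val!r}")


def evaluate(condition, user):
    """Evaluate a condition for one user; the result must be a Boolean."""
    parser = Parser(tokenize(condition), user)
    result = parser.expr()
    if parser.i != len(parser.toks):
        raise ValueError("trailing tokens in condition")
    if not isinstance(result, bool):
        raise ValueError("condition must evaluate to Boolean")
    return result


def validate_rule(rule):
    """Static checks mirroring the documented constraints; returns problems found."""
    problems = []
    if ASSIGNMENT_RE.search(rule.condition):
        problems.append('assignment operator "=" is not allowed; use "=="')
    try:
        for kind, val in tokenize(rule.condition):
            if kind == "id" and val not in ("AND", "OR"):
                if val.split(".")[0] not in ALLOWED_SOURCES:
                    problems.append(f"only user/group attributes allowed, got {val!r}")
    except ValueError as exc:
        problems.append(str(exc))
    if len(rule.assign_to) > MAX_GROUPS_PER_RULE:
        problems.append("more than 100 groups in Then Assign to")
    if len(rule.except_users) > MAX_EXCLUDED_USERS:
        problems.append("more than 100 excluded users")
    return problems


def apply_rules(rules, user):
    """Groups the active rules would add this user to, honouring exclusions."""
    # Status strings follow the documentation's wording, not Okta API values.
    if user.get("status") in ("Pending", "Inactive"):
        return set()
    groups = set()
    for rule in rules:
        if not rule.active or user["login"] in rule.except_users:
            continue
        if evaluate(rule.condition, user):
            groups.update(rule.assign_to)
    return groups


# Constructed sample rules (the documentation's table) and a constructed user.
SAMPLE_RULES = [
    GroupRule("dummy", 'String.stringContains(user.firstName, "dummy")', ["dummyUsers"], active=True),
    GroupRule("sfo", 'user.city == "San Francisco"', ["sfo"], active=True),
    GroupRule("expensive", "user.salary > 1000000", ["expensiveEmployee"], active=True),
    GroupRule("fulltime", "! user.isContractor", ["fullTimeEmployees"], active=True),
    GroupRule("expensive-ft", "user.salary > 1000000 AND !user.isContractor",
              ["expensiveFullTimeEmployee"], except_users={"ceo@example.com"}, active=True),
]
SAMPLE_USER = {"login": "ceo@example.com", "status": "Active", "firstName": "Ada",
               "lastName": "Lovelace", "city": "San Francisco", "salary": 2000000,
               "isContractor": False}

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print(rule.name, validate_rule(rule) or "ok")
    print(sorted(apply_rules(SAMPLE_RULES, SAMPLE_USER)))
```

Running the block prints "ok" for each sample rule and the groups sfo, expensiveEmployee and fullTimeEmployees: the user matches the expensiveFullTimeEmployee condition too, but is listed in that rule's Except field, which is the same mechanism the note above describes for users manually removed from a rule-managed group. A bare attribute such as `user.firstName` is rejected by evaluate() because it does not produce a Boolean, and validate_rule() flags a lone "=" or an `app.`-prefixed attribute before the rule is saved.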
After a rule is created and saved, it is inactive by default. Once activated, it applies to your entire org. The rule is then evaluated for a user whenever that user's profile changes through an import, a direct update, or another change.
A rule cannot move a user into the assigned groups while the user is in a Pending or Inactive state.