Create group rules

You can create a group rule to assign a user to groups or exclude them from a group. You can use basic conditions or the Okta Expression Language to create rules.

If you're evaluating attributes from Workday, Active Directory, or other sources, you first need to map them to Okta user profile attributes.

Create a group rule

  1. In the Admin Console, go to Directory > Groups.
  2. Select the Rules tab, and then click Add Rule.
  3. Enter a name for the rule.
  4. For the IF condition, select one of these options:
    • Use basic condition: Select options from the dropdown lists to create a rule using string attributes only. Use this method for simple rules, for example rules built from a single attribute or from one or more groups only.
    • Use Okta Expression Language (advanced): Select this option to create complex rules with custom expressions. You can create rules using the following:
      • One or more attributes
      • One or more groups
      • Combinations of attributes and groups
      See About Okta Expression Language.
  5. In Then Assign to, enter a single group or multiple groups to which the user should be assigned if the rule condition is met.
     IMPORTANT: You can assign a user to a maximum of 100 groups.
  6. In Except The following users, enter the names of any users you want to exclude from the rule.
     IMPORTANT:
     • You can exclude a maximum of 100 users from a rule.
     • If you manually remove a rule-managed user from a group, that user is automatically added to Except The following users for that rule.
  7. Click Save.

After you create and save a rule, it’s inactive by default. Once you activate it, the rule is applied to your entire org. The new rule then runs on a user as their profile gets updated through import, direct updating, or other changes. The rule doesn't move users in a Pending or Inactive state. If you make an error while creating a group rule, the group rule is considered invalid and can't be in an Active state.

About Okta Expression Language

You can use Okta Expression Language to add a custom expression to a group rule. Custom expressions allow you to refine your conditions by referencing one or more attributes. See Okta Expression Language.

Constraints

Group rule conditions have the following constraints:

  • Expressions must use Okta Expression Language.
  • Expressions must have a valid syntax and use logical operators.
  • Expressions must evaluate to Boolean.
  • Expressions can't contain the assignment operator (=).
  • User attributes used in expressions can only refer to available Okta user attributes.
  • Only group and user attributes are supported.
  • Application attributes aren’t supported.

Supported functions

The Okta Expression Language supports most functions and operators, such as the following:

  • Boolean operators: AND, OR, ! (NOT)
  • Comparison operators: <, >, <=, >=
  • Equality checks: ==

Examples of valid condition expressions

Assume that the user has the following attributes with these types:

  • firstName (String)
  • lastName (String)
  • city (String)
  • salary (Integer)
  • isContractor (Boolean)
  If (implicit)    Condition Expression                                Assign to Group (or any action)
  If               String.stringContains(user.firstName, "dummy")      dummyUsers
  If               user.city == "San Francisco"                        sfo
  If               user.salary > 1000000                               expensiveEmployee
  If               ! user.isContractor                                 fullTimeEmployees
  If               user.salary > 1000000 AND !user.isContractor        expensiveFullTimeEmployee