Create group rules

You can create a group rule to assign a user to groups or exclude them from a group. You can use basic conditions or the Okta Expression Language to create rules.

If you're evaluating attributes from Workday, Active Directory, or other sources, you first need to map them to Okta user profile attributes.

Create a group rule

  1. In the Admin Console, go to Directory > Groups.
  2. Select the Rules tab, and then click Add Rule.
  3. Enter a name for the rule.
  4. For the IF condition, select one of these options:
    • Use basic condition: Select options from the dropdown lists to create a rule that uses string attributes only. Use this method for simple rules, for example a rule based on a single attribute or on membership in one or more groups.
    • Use Okta Expression Language (advanced): Select this option to create complex rules with custom expressions. You can create rules using the following:
      • One or more attributes
      • One or more groups
      • Combinations of attributes and groups
      See About Okta Expression Language.
  5. In Then Assign to, enter a single group or multiple groups to which the user should be assigned if the rule condition is met.

    You can assign a user to a maximum of 100 groups.

  6. In Except The following users, enter the names of any users that you want to exclude from the rule.

    You can exclude a maximum of 100 users from a rule.

    If you manually remove a rule-managed user from a group, that user is automatically added to the Except The following users list for that rule.

  7. Click Save.

After you create and save a rule, it's Inactive by default. After you activate it, the rule is applied to your entire org. The new rule then runs on a user as their profile gets updated through import, direct updating, or other changes. The rule doesn't move users who are in the Pending or Inactive states. If you make an error while creating a group rule, the group rule is considered invalid and can't be in an Active state.

About Okta Expression Language

You can use Okta Expression Language to add a custom expression to a group rule. Custom expressions allow you to refine your conditions by referencing one or more attributes. See Okta Expression Language.

Constraints

Group rule conditions have the following constraints:

  • Expressions must use the Okta Expression Language (OEL).
  • Expressions must have a valid syntax and use logical operators.
  • Expressions must evaluate to Boolean.
  • Expressions can't contain an assignment = operator.
  • User attributes used in expressions can only refer to available Okta user attributes.
  • Only group and user attributes are supported.
  • Application attributes aren't supported.

Supported functions

Group rule expressions support most Okta Expression Language functions, and the following operators:

  • Boolean operators: AND, OR, ! (NOT)
  • Comparison operators (arithmetic): <, >, <=, >=
  • Equality checks: ==

Examples of valid condition expressions

Assume that the user has the following attributes with these types:

  • firstName (string)
  • lastName (string)
  • city (string)
  • salary (integer)
  • isContractor (Boolean)

The following table provides some example expressions using OEL. When an expression evaluates to true for a user, then the specified assignment is performed.

  If (implicit)   Condition expression                                   Assign to group (or any action)
  If              String.stringContains(user.department, "Sales")        Sales
  If              user.city == "San Francisco"                           SFOffice
  If              user.salary > 1000000                                  expensiveEmployee
  If              ! user.isContractor                                    fullTimeEmployees
  If              user.salary > 1000000 AND !user.isContractor           expensiveFullTimeEmployee
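The constraints and the example table above can be checked before a rule is saved. The following is an added example, not Okta's code and not how Okta itself evaluates rules: a small Python evaluator for just the subset of Okta Expression Language this page lists (AND, OR, !, the comparison and equality operators, and String.stringContains). It enforces the listed constraints (Boolean result, no assignment `=`, user attributes only, no application attributes) and runs the table's expressions against a constructed sample profile. The profile values are invented; `department` is included only because the page's first example references `user.department`. Group-side conditions and other OEL functions are deliberately out of scope.

```python
import re
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample profile (not from the page); types follow the page's list.
SAMPLE_USER: Dict[str, Any] = {
    "firstName": "Ada", "lastName": "Lovelace", "city": "San Francisco",
    "salary": 1200000, "isContractor": False, "department": "Sales Ops",
}

class RuleError(ValueError):
    """Raised when an expression violates one of the group-rule constraints."""

_TOKEN = re.compile(
    r'\s*(?:(?P<num>\d+)|(?P<str>"(?:[^"\\]|\\.)*")'
    r'|(?P<ident>[A-Za-z_][\w.]*)|(?P<op>==|!=|<=|>=|<|>|!|\(|\)|,|=))'
)

def tokenize(src: str) -> List[Tuple[str, str]]:
    """Split an expression into (kind, text) tokens; a bare '=' is rejected here."""
    tokens, pos = [], 0
    while pos < len(src):
        m = _TOKEN.match(src, pos)
        if m is None:
            if src[pos:].strip():
                raise RuleError(f"invalid syntax near {src[pos:pos + 10]!r}")
            break
        kind, text = m.lastgroup, m.group(m.lastgroup)
        if kind == "op" and text == "=":
            raise RuleError("assignment operator '=' isn't allowed; use '==' to compare")
        tokens.append((kind, text))
        pos = m.end()
    return tokens

def _as_bool(value: Any) -> bool:
    if not isinstance(value, bool):
        raise RuleError(f"AND/OR/! need Boolean operands, got {value!r}")
    return value

class _Parser:
    """Recursive-descent evaluator; precedence from loosest to tightest: OR, AND, comparison, !, primary."""
    def __init__(self, src: str, user: Dict[str, Any]):
        self.toks, self.i, self.user = tokenize(src), 0, user
    def peek(self) -> Tuple[Optional[str], Optional[str]]:
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)
    def take(self, kind: str, text: str) -> None:
        if self.peek() != (kind, text):
            raise RuleError(f"unexpected token {self.peek()[1]!r}, expected {text!r}")
        self.i += 1
    def keyword(self, word: str) -> bool:   # AND / OR, case-insensitive
        k, v = self.peek()
        if k == "ident" and v.upper() == word:
            self.i += 1
            return True
        return False
    def or_expr(self) -> Any:
        left = self.and_expr()
        while self.keyword("OR"):
            right = self.and_expr()          # evaluate both sides so type errors surface
            left = _as_bool(left) or _as_bool(right)
        return left
    def and_expr(self) -> Any:
        left = self.comparison()
        while self.keyword("AND"):
            right = self.comparison()
            left = _as_bool(left) and _as_bool(right)
        return left
    def comparison(self) -> Any:
        left = self.unary()
        k, v = self.peek()
        if k != "op" or v not in ("==", "!=", "<", ">", "<=", ">="):
            return left
        self.i += 1
        right = self.unary()
        if v in ("<", ">", "<=", ">=") and not all(type(x) is int for x in (left, right)):
            raise RuleError(f"{v} requires integer operands")
        ops = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b, "<": lambda a, b: a < b,
               ">": lambda a, b: a > b, "<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b}
        return ops[v](left, right)
    def unary(self) -> Any:
        if self.peek() == ("op", "!"):
            self.i += 1
            return not _as_bool(self.unary())
        return self.primary()
    def primary(self) -> Any:
        k, v = self.peek()
        self.i += 1
        if k == "num":
            return int(v)
        if k == "str":
            return v[1:-1].replace('\\"', '"')
        if (k, v) == ("op", "("):
            val = self.or_expr()
            self.take("op", ")")
            return val
        if k == "ident":
            return self.call(v) if self.peek() == ("op", "(") else self.attribute(v)
        raise RuleError(f"unexpected token {v!r}")
    def call(self, name: str) -> Any:
        self.take("op", "(")
        args = [self.or_expr()]
        while self.peek() == ("op", ","):
            self.i += 1
            args.append(self.or_expr())
        self.take("op", ")")
        # Only the function the page uses is modelled; anything else is rejected.
        if name != "String.stringContains" or len(args) != 2 or not all(isinstance(a, str) for a in args):
            raise RuleError(f"unsupported function or arguments: {name}")
        return args[1] in args[0]
    def attribute(self, name: str) -> Any:
        prefix, _, attr = name.partition(".")
        if prefix in ("app", "appuser"):
            raise RuleError("application attributes aren't supported in group rules")
        if prefix != "user" or attr not in self.user:
            raise RuleError(f"{name!r} isn't an available Okta user attribute")
        return self.user[attr]

def evaluate(expression: str, user: Dict[str, Any] = SAMPLE_USER) -> bool:
    """Evaluate a condition expression against a profile; the result must be Boolean."""
    p = _Parser(expression, user)
    result = p.or_expr()
    if p.peek()[0] is not None:
        raise RuleError(f"trailing input starting at {p.peek()[1]!r}")
    if not isinstance(result, bool):
        raise RuleError(f"expression must evaluate to Boolean, got {result!r}")
    return result

def validate(expression: str, user: Dict[str, Any] = SAMPLE_USER) -> Optional[str]:
    """Return None if the expression is a valid rule condition, otherwise the reason it isn't."""
    try:
        evaluate(expression, user)
        return None
    except RuleError as e:
        return str(e)

if __name__ == "__main__":
    for expr in ['String.stringContains(user.department, "Sales")', "user.salary > 1000000 AND !user.isContractor",
                 "user.salary = 1000000", "user.city", 'appuser.role == "admin"']:
        print(f"{expr!r:58} -> {validate(expr) or evaluate(expr)}")
```

Running the block prints, for each expression, either the Boolean result for the sample profile or the constraint it violates. The `!` operator is bound tighter than comparisons, so `!user.isContractor` negates the attribute, while negating a whole comparison needs parentheses, as in `!(user.salary > 1000000)`.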