Group rules

Group rules simplify group administration and help you manage application access, application roles, and security policies.

Groups are commonly used for Okta Single Sign-On (SSO) access and to provision users to apps with specific entitlements. When you use rules to populate groups based on attributes, you achieve Attribute-Based Access Control. You can create rules using single or multiple attributes, single or multiple groups, or combinations of attributes and groups.

Use group rules to:

  • Map multiple Active Directory (AD) groups to a single Okta group. You can also use rules to map Okta groups to AD groups.

  • Populate AD groups based on user attributes. Rules are particularly useful in "Workday (WD) as a source" setups for which Okta provisions users and groups to AD. For example, use the cost center attribute from WD to determine AD group memberships.

  • Simplify the management of groups. Instead of manually adding users to a group, you can define a rule that automatically adds users with the required attribute. For example, a user with the department profile attribute value of "sales" is automatically added to the Sales group. When a user's department attribute changes, the user is removed from the Sales group automatically.

  • Automate provisioning. Instead of manually provisioning users to an app, you can define a rule that automatically provisions users with the required attribute. For example, if user profile attribute == X, then provision app Y with role Z.

Keep the following restrictions in mind:

  • Orgs can have a maximum of 2000 rules.
  • Group rules can't be used to assign users to admin groups.
  • You can only use string attributes in basic condition group rules.
  • A group that is already the target of a group rule can't be granted admin privileges.
  • Only super admins and org admins can edit rules.
  • Only group admins who manage all groups can search for and view rules. Individual group admins can't search for or view rules.