Using Okta Expression Language to create group rules
Study Notes: Creating Group Rules Using the Okta Expression Language (OEL)
1. What Is the Okta Expression Language (OEL)?
The Okta Expression Language is a scripting language used inside Okta to reference, transform, and combine user attributes.
It allows admins to create dynamic, logic-based rules beyond standard GUI-based options.
What OEL Can Do
Transform user attributes
Perform conditional logic
Create dynamic group rules
Build more advanced authentication and provisioning policies
Manipulate strings, dates, and profile values
Common Use Cases
Remove a domain from an email to create a username
Combine firstName + lastName into displayName
Require device management in authentication policies
Build advanced attribute mappings for provisioning
2. Why Use OEL for Group Rules?
Standard rules only evaluate:
User profile attribute values, or
Existing group membership
But some scenarios require more advanced logic.
OEL enables rules that respond to complex, multi-attribute, or time-based conditions.
3. When Standard Group Rules Aren’t Enough
A. Dynamic Date-Based Rules
Scenario:
Assign new hires to different onboarding groups at:
30 days
60 days
90 days
Solution:
Use OEL to calculate days since hire:
Compare today's date to hire date
Automatically place users in phased-access groups
B. Complex Attribute Combinations
Scenario:
Employees must meet multiple criteria (e.g. department and geographical location) to get access to certain resources.
Solution:
Combine multiple conditions with OEL:
user.department == "Sales" && user.city == "New York"
C. String Manipulation
Scenario:
Need to assign users to country-specific groups based on phone number country code.
Solution:
OEL string functions can:
Extract country code
Match it to a region
Automatically assign users to proper country groups
Example functions:
String.startsWith()
String.stringContains()
String.substring()
D. Efficient User Management
OEL rules update group membership in real time based on attribute changes.
Benefits:
Less manual work
Automated lifecycle transitions
Accurate access control
Reduced errors
E. Reduce Total Number of Rules
Instead of maintaining multiple simple rules, OEL allows you to:
Consolidate them into one advanced, logical rule
Improve performance
Reduce conflicts
Simplify troubleshooting and auditing
F. More Powerful, Custom Logic
OEL rules can:
Combine attributes
Perform calculations
Use nested conditions
Manipulate text
Produce dynamic values
This makes your Okta org more flexible and tailored to business needs.
4. Syntax Basics of OEL
A. Referencing Attributes
user.department
user.countryCode
user.hireDate
B. Comparison Operators
Used to evaluate conditions:
== equals
!= not equals
> greater than
< less than
>= greater or equal
<= less or equal
C. Logical Operators
Used to combine multiple conditions:
&& AND
|| OR
! NOT
D. Functions
Offer advanced functionality:
Examples:
String.startsWith(user.email, "sales")
String.stringContains(user.phoneNumber, "+1")
String.replace()
Date functions to calculate time since hire
5. Example Rule: Sales + Full-Time + NYC Access
Scenario:
Only full-time sales employees located in New York should get CRM access.
OEL Condition Example:
user.employeeType == "Full-Time"
&& user.department == "Sales"
&& user.city == "New York"
This ensures only the correct users enter the CRM group.
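The Section 5 CRM condition and the Section 3A phased-onboarding rule, as an added dry-run simulation in Python (not Okta's evaluator and not OEL): it applies the same conditions to constructed sample profiles so the resulting group assignments can be checked before a rule goes live. The group names, the 30/60/90-day boundaries, the evaluation date and the sample attribute values are all assumptions.

```python
from datetime import date

# Constructed sample profiles (assumed attribute values, not real Okta data).
USERS = [
    {"login": "ana", "employeeType": "Full-Time", "department": "Sales",
     "city": "New York", "hireDate": date(2024, 1, 10)},
    {"login": "ben", "employeeType": "Contractor", "department": "Sales",
     "city": "New York", "hireDate": date(2024, 3, 1)},
    {"login": "cho", "employeeType": "Full-Time", "department": "Sales",
     "city": "Boston", "hireDate": date(2024, 3, 20)},
]
AS_OF = date(2024, 4, 1)  # evaluation date for the dry run (assumed)

def crm_rule(user):
    """Section 5 condition: exact match on Full-Time AND Sales AND New York."""
    return (user["employeeType"] == "Full-Time"
            and user["department"] == "Sales"
            and user["city"] == "New York")

def days_since_hire(user, today):
    """Section 3A: compare today's date to the hire date."""
    return (today - user["hireDate"]).days

def onboarding_group(user, today):
    """Phased-access group from days since hire (assumed group names and
    boundaries: day 30 enters the 30-day group, day 60 the 60-day group, ...)."""
    days = days_since_hire(user, today)
    if days < 30:
        return "onboarding-new"
    if days < 60:
        return "onboarding-30"
    if days < 90:
        return "onboarding-60"
    return "onboarding-90"

def evaluate(users, today):
    """Dry run: map each login to the set of groups the rules would assign."""
    result = {}
    for user in users:
        groups = {onboarding_group(user, today)}
        if crm_rule(user):
            groups.add("crm-access")
        result[user["login"]] = groups
    return result

if __name__ == "__main__":
    for login, groups in evaluate(USERS, AS_OF).items():
        print(login, sorted(groups))
```

Note that the contractor in Sales/New York and the full-time Sales employee in Boston both fall outside the CRM group, which is the boundary a reviewer should confirm before trusting the rule.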
6. Summary of This Section
The Okta Expression Language:
Enhances group rule capabilities
Enables dynamic, attribute-based access
Supports string manipulation, time calculations, and multi-attribute logic
Improves onboarding, access control, and lifecycle management
Reduces the number of rules needed
Enables more nuanced and advanced IAM automation
Mastering OEL empowers administrators to create powerful, customized identity workflows tailored to real business needs.