This article assumes you have already followed our docs to configure the Omni App in Okta, enabled SCIM to push groups and user attributes from Okta to Omni, and created the appropriate attributes in both Okta and Omni.
In this example, let’s say you have an attribute in Omni called can_see_pii with a default value of “false”, but for certain Okta groups (Analytics Team, for example) you want the value to be “true”. Whenever someone in your company is added to the Analytics Team group in Okta, you’d like that to flow through and allow them to see PII in Omni.
Okta users do not inherit attribute values from the groups they are members of by default, and Omni does not assign User Attribute values based on group membership. So we must do some work in Okta to assign user attribute values there, which are then synced via SCIM to Omni User Attributes.
Steps
- Navigate to the Omni Application in Okta: Find the Omni Application you’ve configured in your Okta admin console where you want to apply the mapping.
- Go to the Provisioning Tab: Select the “Provisioning” tab for that application.
- Find the Attribute Mappings: Click on “To App” and scroll down to find the attribute mappings from Okta to the application.
- Create a New Mapping Rule: Find the can_see_pii attribute you want to populate with a value based on group membership and click into the text box on the left side of the attribute.
- Enter the mapping in Okta Expression Language (EOL): The expression will use Okta Expression Language to access the group attributes. This is the basic format for a single group membership and its value:
    isMemberOfGroupName("group name") ? "value to map" : "default value"
  In this case it would look like this:
    isMemberOfGroupName("Analytics Team") ? "true" : "false"
  Then save.
If the syntax is wrong or the group name doesn’t quite match, Okta will surface an error. You should see the changes take effect in Omni within a few minutes.
If you want to assign a value based on membership in any of a number of groups, you can do so like this, using the Okta Group ID (found in the URL when editing a Group) rather than the Group Name:
    isMemberOfAnyGroup("Group A", "Group B", "Group C") ? "Assigned Value" : "Default Value"
Group IDs look something like this: 00gabcdefgh12345678
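Because can_see_pii gates access to PII, it is worth periodically confirming that the values in Omni still match what the mapping would produce. The script below is an added example, not code from Omni or Okta: it recomputes the expected value from group membership (combining the name rule and the group ID rule in one check) and reports users whose Omni value differs. The export shapes, e-mail addresses, finding labels and exact-match name comparison are assumptions, and all data is constructed.

```python
# Added example: offline audit of can_see_pii against Okta group membership.
# All records below are constructed sample data, not real exports.

PII_GROUP_NAMES = {"Analytics Team"}      # group name used in the article's mapping
PII_GROUP_IDS = {"00gabcdefgh12345678"}   # sample-format group ID from the article
DEFAULT = "false"

def expected_value(groups):
    """Mirror the ternary mapping: "true" if the user is in any PII group.

    `groups` is a list of {"id": ..., "name": ...} dicts (assumed export shape).
    Names are compared exactly; that is an assumption about how names match.
    """
    for g in groups:
        if g["name"] in PII_GROUP_NAMES or g["id"] in PII_GROUP_IDS:
            return "true"
    return DEFAULT

def audit(okta_users, omni_attrs):
    """Return (email, finding, expected, actual) for every mismatch."""
    findings = []
    for email, groups in sorted(okta_users.items()):
        want = expected_value(groups)
        have = omni_attrs.get(email)      # None: user not provisioned in Omni
        if have is None:
            findings.append((email, "not_in_omni", want, have))
        elif have != want:
            kind = "stale_grant" if have == "true" else "missing_grant"
            findings.append((email, kind, want, have))
    # "true" in Omni with no Okta record: a grant the mapping no longer manages.
    for email, have in sorted(omni_attrs.items()):
        if email not in okta_users and have == "true":
            findings.append((email, "orphan_grant", DEFAULT, have))
    return findings

OKTA_USERS = {  # constructed: user -> current Okta groups
    "ana@example.com": [{"id": "00gabcdefgh12345678", "name": "Analytics Team"}],
    "bob@example.com": [{"id": "00gzzzzzzzz00000001", "name": "Sales"}],
    "cy@example.com": [{"id": "00gzzzzzzzz00000002", "name": "analytics team"}],
    "dee@example.com": [],
}
OMNI_ATTRS = {  # constructed: user -> can_see_pii value currently in Omni
    "ana@example.com": "true",
    "bob@example.com": "true",   # no longer in the group, value never reset
    "cy@example.com": "false",
    "eve@example.com": "true",   # no matching Okta user
}

if __name__ == "__main__":
    for finding in audit(OKTA_USERS, OMNI_ATTRS):
        print(finding)
```

A stale_grant or orphan_grant finding means someone can still see PII without belonging to an approved group, so those are the ones to resolve first.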