3.3.0

Release Date: April 1, 2026


✨ New Features

Okta Business Roles — CompoundRoles Support for AND-Based Group Membership

Module: modules/okta-business-roles

External Business Roles now support a CompoundRoles field that allows requiring simultaneous membership in multiple Okta groups (AND logic). Previously, the Roles list only supported OR logic — a user needed to be in any of the listed groups to qualify. There was no way to express "user must be in Group A and Group B" without managing a composite group out-of-band.

How it works:

  • Entries within a single CompoundRoles item are AND'd together
  • Multiple CompoundRoles entries and flat Roles entries are OR'd together

Example:

BusinessRoles:
  - Name: "NGP Policy Payroll Manager"
    Description: "Users who are both an NGP User AND a Policy Payroll Manager"
    Roles: []
    CompoundRoles:
      - Roles:
          - NGP User
          - Policy Payroll Manager
    ManualUsers: []

Produces the Okta expression:

(isMemberOfGroupName("NGP User") AND isMemberOfGroupName("Policy Payroll Manager"))

Mixed Roles + CompoundRoles:

BusinessRoles:
  - Name: "Senior Claims Admin"
    Roles:
      - Super Admin
    CompoundRoles:
      - Roles:
          - Claims User
          - Admin User
    ManualUsers: []

Produces:

isMemberOfGroupName("Super Admin") OR (isMemberOfGroupName("Claims User") AND isMemberOfGroupName("Admin User"))

Key details:

| Aspect | Detail |
| --- | --- |
| Field | CompoundRoles on BusinessRolesExternal entries |
| Type | optional(list(object({ Roles = list(string) }))) — defaults to [] |
| Backward compatible | ✅ Existing configs with no CompoundRoles field are unaffected |
| Validation | Plan-time error if any CompoundRoles entry has an empty Roles list |
| Terraform version | Requires >= 1.4.0 (upgraded from >= 1.3.0) |
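
For reviewing an access change before it is applied, the OR-of-ANDs rule above can be rendered and evaluated offline. This is an added example, not the module's own code: the function names, the group-name guard, and the sample users are assumptions, and ManualUsers is ignored.

```python
def member(name: str) -> str:
    # Guard added for this example (not stated in the release notes):
    # refuse names that could break out of the quoted string.
    if '"' in name or "\\" in name:
        raise ValueError(f"unsafe group name: {name!r}")
    return f'isMemberOfGroupName("{name}")'


def build_expression(role: dict) -> str:
    """Render the expression for one BusinessRoles entry."""
    terms = [member(g) for g in role.get("Roles", [])]
    for i, compound in enumerate(role.get("CompoundRoles", [])):
        groups = compound.get("Roles", [])
        if not groups:
            # Mirrors the plan-time validation described in the table.
            raise ValueError(f"CompoundRoles[{i}] has an empty Roles list")
        terms.append("(" + " AND ".join(member(g) for g in groups) + ")")
    return " OR ".join(terms)


def qualifies(role: dict, user_groups: set) -> bool:
    """Evaluate the same OR-of-ANDs logic against a user's group set."""
    if any(g in user_groups for g in role.get("Roles", [])):
        return True
    # An empty AND is vacuously true in set terms, so it never counts as a match.
    return any(
        bool(c.get("Roles")) and set(c["Roles"]) <= user_groups
        for c in role.get("CompoundRoles", [])
    )


# Entries copied from the two examples in these release notes.
NGP = {"Name": "NGP Policy Payroll Manager", "Roles": [],
       "CompoundRoles": [{"Roles": ["NGP User", "Policy Payroll Manager"]}]}
SENIOR = {"Name": "Senior Claims Admin", "Roles": ["Super Admin"],
          "CompoundRoles": [{"Roles": ["Claims User", "Admin User"]}]}

if __name__ == "__main__":
    print(build_expression(SENIOR))
    # Constructed users: only the second and third should qualify.
    for groups in ({"Claims User"}, {"Claims User", "Admin User"}, {"Super Admin"}):
        print(sorted(groups), qualifies(SENIOR, groups))
```

A user holding only one group of a compound entry does not qualify, which is the difference from listing both groups under the flat Roles list.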

PR: #7


🔧 Enhancements

  • AGENTS.md and README — Added repository setup documentation and CODEOWNERS configuration for improved contributor experience
  • Merge Gatekeeper — Added GitHub Actions workflow that waits for all Azure DevOps status checks before allowing PR merge, solving the required-checks-with-path-filters problem
  • Legacy module deprecation notices — Okta modules pending Entra ID migration are now explicitly marked as deprecated in their documentation

🔄 Breaking Changes

None in this release ✅


📋 Additional Notes

  • Total Commits: 7
  • Files Changed: 14
  • Contributors: Emmitt Johnson, Copilot

Support

  • 📧 Teams Support Channel: Support