Managing user groups
You can create user groups to simplify the process of managing large groups of users.
User groups make it easier to manage a large number of users with similar access requirements. For example, if you know that 20 different users are going to collaborate on a project and they all need the same role, you can add them to a group that is assigned that role. If a member of the group leaves the company, you can remove the user from the group, rather than looking for all of the assets that the user has access to.
Before you begin
Required permissions
To manage groups, you must have one of the following permissions:
- Administer platform
- Manage groups
About this task
You can create and edit groups from the User groups tab of the Access control page.
Important:
-
From foundational services version 3.19 (Platform UI version 1.6.0), when creating a user group, you can either create assigned groups or dynamic groups (new option).
-
By default, an All users group is included. As the name suggests, all users are automatically included in this group. The group is used to give all platform users access to the console. You cannot edit or delete this group.
Procedure
You can create an user group with one of the following methods:
Creating an user group with the Assigned option
-
Log in to the console.
-
From the navigation menu, select Administration > Access control.
-
Open the User groups tab.
-
Click New user group.
-
Enter a name and, optionally, a description for the role.
-
Under Membership type, select Assigned.
Note: With assigned membership, you select the users that you want to add to the group.
-
Click Next.
-
Specify the users to include in the group. The available options depend on whether the environment is connected to use an identity provider for authentication, such as an LDAP server.
- Existing users - Find and add existing platform users.
- Identity provider users - Find and add a user from a connected identity provider, such as an LDAP server.
-
Identity provider groups - Find and add a user group from a connected identity provider, such as an LDAP server. If IM integration is enabled, choose this option.
After you find the user or group, select the user or group to add them to the new user group. Repeat this action to add more users or groups.
See the following notes:
- When searching for a user, you can search by the user's name, email, or username.
- If you have the Manage users permission and you do not see the user that you want to add to the group, first create the user. For more information, see Managing console access.
- If you add users from an LDAP group, the users might not immediately be added to the user group. If you do not see a user within the group, log in to the {{site.data. keyword.gui}} as that user. Upon login, the Platform UI detects that the user belongs to an LDAP group and creates the user profile. User profiles for LDAP group users are created only when the users log in to the console.
-
Click Next.
-
Select one or more roles that you want to assign to this group.
-
Click Next.
-
Review the summary. If the values are correct, click Create.
Creating an user group with the Dynamic option
-
Log in to the console.
-
From the navigation menu, select Administration > Access control.
-
Open the User groups tab.
-
Click New user group.
-
Enter a name for the user group. You can optionally include a description for the role.
-
Select Dynamic in the Membership type section.
Note: You can create attribute-based rules to determine which users are automatically added to the group with dynamic membership.
-
Click Next.
-
Define the rule in Membership rule to add the users automatically in the group based on the attributes that are assigned to the users on the identity provider.
-
Select one of the following conditions:
- Select All conditions (AND) to include the users with all the specified attribute, operator, and values.
- Select Any conditions (OR) to include the users with a minimum of one specified attribute, operator, and values.
-
Select the Attribute and Operator from the drop-down list and enter the value based on the identity provider for the defined conditions in the Value field.
- Attribute: Select Location, Nationality, Organization, or User type.
- Operator: Select Equal, Not equal, Match, or Not match.
- Value: Enter the value based on the identity provider for the defined conditions.
If you need to add more than one conditions, click Add conditions.
-
-
Click Next.
-
Select at least one role to assign to the new user group. For example, you can assign Administrator and/or User to the user group. Alternatively, you can create a new role and assign the new role you created.
-
Click Next.
-
Review the summary. If the values are correct, click Create.
Results
You can now use the group to give users access to various assets on the platform.