As a best practice, organizations commonly group their employees based on certain criteria.
Depending on the requirements of the organization, these criteria might include the department employees work in, the clients they are assigned to, the job functions they perform, or the job level they have attained. By making these logical classifications, organizations can manage their employees more easily and efficiently.
After you determine the criteria that you want to use for assembling user groups, you can create them using the Administration application. Although you can create and name a new user group, you cannot add individual users to the group, or remove them from the group, from within the Administration application. To manage individual users, you must execute your requests through administration transactions such as addUserGroupProfile. For more information, see the transaction reference documentation.
When you create a user group, you are building a container where users who have certain criteria in common can be assembled. New user groups are added to the User Group Profile database table. Once you create a user group, you cannot delete it in the Administration application.
Once user groups exist in the system, you can associate them with transactions. Depending on your organization's security configuration, users might only be able to execute transactions if they are explicitly granted the appropriate permissions to do so. Therefore, if you want a user group to have the ability to execute a specific transaction, you must associate the user group with that transaction. Associations you create are stored in user and user group database tables that specify the allowed transactions. You can also edit the description of user groups that already exist in the system. The user group description is a concise, meaningful comment that gives additional information about the user group.
When a user performs a task in InfoSphere MDM that
requires the execution of a transaction, the required transaction
is automatically generated and sent to the InfoSphere MDM back-end
system. The transaction identifies the requester by including his
or her user group ID in the
of the transaction header. The security service verifies if the requester
has permission to execute the transaction by matching the user group
ID found in the
<userRole> element against all
associated user groups found in the appropriate user group database
For more information about the database tables affected by these operations, see Setting and Administering the Security Service in the developer topics.
You can also associate a user group with a Rule of Visibility so that members of the user group can be granted access to the data specified in the rule. For more information, see Associated Rules of Visibility and user groups.