User groups
As a best practice, organizations commonly group their employees based on certain criteria.
Depending on the requirements of the organization, these criteria might include the department employees work in, the clients they are assigned to, the job functions they perform, or the job level they have attained. By making these logical classifications, organizations can manage their employees more easily and efficiently.
After you determine the criteria that you want to use for assembling user groups, you can create them using the Administration application. Although you can create and name a new user group, you cannot add individual users to the group, or remove them from the group, from within the Administration application. To manage individual users, you must execute your requests through administration transactions such as addUserGroupProfile. For more information, see the transaction reference documentation.
When you create a user group, you are building a container where users who have certain criteria in common can be assembled. New user groups are added to the User Group Profile database table. Once you create a user group, you cannot delete it in the Administration application.
Once user groups exist in the system, you can associate them with transactions. Depending on your organization's security configuration, users might only be able to execute transactions if they are explicitly granted the appropriate permissions to do so. Therefore, if you want a user group to have the ability to execute a specific transaction, you must associate the user group with that transaction. Associations you create are stored in user and user group database tables that specify the allowed transactions. You can also edit the description of user groups that already exist in the system. The user group description is a concise, meaningful comment that gives additional information about the user group.
When a user performs a task in InfoSphere MDM that requires the execution of a transaction, the required transaction is automatically generated and sent to the InfoSphere MDM back-end system. The transaction identifies the requester by including his or her user group ID in the <userRole> element of the transaction header. The security service verifies if the requester has permission to execute the transaction by matching the user group ID found in the <userRole> element against all associated user groups found in the appropriate user group database table.
For more information about the database tables affected by these operations, see Setting and Administering the Security Service in the developer topics.
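The matching step described above, modeled in Python as an added example (it is not product code and not part of the original documentation). The request layout, the group IDs and the in-memory ALLOWED table are assumptions made for illustration; only the <userRole> element is taken from this page. The example permits a request only when a user group named in its header is associated with the transaction, and denies every other case, including a missing <userRole> element or a transaction with no associations.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for the user group table of allowed transactions:
# transaction name -> user group IDs associated with it (assumed values).
ALLOWED = {
    "addUserGroupProfile": {"mdm_admin"},
    "getPerson": {"mdm_admin", "call_center"},
}

# Constructed sample request; this layout is hypothetical, not the product schema.
SAMPLE = """
<request>
  <header>
    <requesterName>jsmith</requesterName>
    <userRole>call_center</userRole>
  </header>
  <transaction>getPerson</transaction>
</request>
"""


def user_roles(root):
    """Return the non-empty <userRole> values found in the request header."""
    header = root.find("header")
    if header is None:
        return set()
    return {(e.text or "").strip() for e in header.findall("userRole")} - {""}


def is_permitted(xml_text, allowed=ALLOWED):
    """Allow only if a requester group is associated with the transaction."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return False  # malformed request: deny
    txn = (root.findtext("transaction") or "").strip()
    groups = allowed.get(txn, set())  # no association recorded: deny
    # Exact, case-sensitive match of group IDs (an assumption of this example).
    return bool(user_roles(root) & groups)


if __name__ == "__main__":
    print("getPerson as call_center:", is_permitted(SAMPLE))
    denied = SAMPLE.replace("getPerson", "addUserGroupProfile")
    print("addUserGroupProfile as call_center:", is_permitted(denied))
```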
You can also associate a user group with a Rule of Visibility so that members of the user group can be granted access to the data specified in the rule. For more information, see Associated Rules of Visibility and user groups.