Managing groups

A group is a logical collection of users who can perform the same activities or who have the same authority to access resources. Use groups to manage and control application access for multiple users. When you create an application instance, you can assign which groups are entitled to access the application.

Before you begin

  • You must have administrative permission to complete this task.
  • Log in to the IBM® Security Verify administration console.

About this task

Verify has an admin group by default. Its members can perform Verify administrative tasks, such as:
  • Creating, editing, and deleting users and groups.
  • Configuring single sign-on for applications.

Verify provides the following reserved groups. A reserved group cannot be modified or deleted. Only the membership can be changed.

Verify also includes an application owners group for users who are assigned as application owners. Members of this group can access Entitlements. If they own applications, they can assign the users or groups that can access their applications.

Verify also includes a helpdesk group. Members in this group can select Switch to admin to access the administration console. They can view information about applications, governance operations, users and groups, reports, security, and configuration. They can reset passwords, update user information, manage user multi-factor authentication settings, delete linked identities, and run reports.

Verify also includes a readonly group. Members in this group can select Switch to admin to access the administration console. They can view information about applications, governance operations, users and groups, reports and configuration. They cannot modify any information. However, they can run reports.

Verify also includes a developer group. If the IBM Security Verify Developer Portal application is installed, members in this group are entitled to access the Developer Portal where they can use the Verify APIs to develop new applications.

Verify also includes a privacy officer group for users who are assigned as privacy officers. Members in this group can select Switch to admin to access the administration console. They can create purposes, End User License Agreements (EULAs), and privacy policies. They can also view consent activity reports and read entitlements.

You can create additional, customized groups based on the users' department, role, or other characteristics. Users can belong to one or more groups. However, it is not mandatory for a user to belong to a group.

A group profile must exist before you can add users as members to it.

To entitle groups from your SAML enterprise identity source, you must create shadow groups in the cloud directory and use the same names as the groups in your SAML enterprise identity source. The shadow groups need not be populated with any members. The shadow group serves as a placeholder that represents the SAML enterprise group.
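
A check for the shadow-group naming requirement above, as an added example that is not part of the IBM documentation: it compares the group names carried in a SAML assertion with the group names in the cloud directory and reports names that have no shadow group. The attribute name "groups", the sample assertion, and the directory list are constructed assumptions; flagging a name that differs only by case is also an assumption, because the page says only that the names must be the same.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumption: the identity source sends group names in an attribute named "groups".
GROUP_ATTRIBUTE = "groups"

# Constructed sample assertion fragment (not captured from a real identity source).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>Finance</saml:AttributeValue>
      <saml:AttributeValue>HR-Managers</saml:AttributeValue>
      <saml:AttributeValue> Contractors </saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="email">
      <saml:AttributeValue>user@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Constructed list of group names that exist in the cloud directory.
CLOUD_DIRECTORY_GROUPS = ["admin", "helpdesk", "Finance", "hr-managers"]


def asserted_groups(assertion_xml, attribute=GROUP_ATTRIBUTE):
    """Return the non-empty group names carried in the assertion's group attribute."""
    root = ET.fromstring(assertion_xml)
    xpath = f".//saml:Attribute[@Name='{attribute}']/saml:AttributeValue"
    names = [(v.text or "").strip() for v in root.findall(xpath, SAML_NS)]
    return [n for n in names if n]


def check_shadow_groups(assertion_xml, directory_groups):
    """Sort asserted groups into matched, case_mismatch (case-only difference), missing."""
    exact = set(directory_groups)
    folded = {g.casefold(): g for g in directory_groups}
    report = {"matched": [], "case_mismatch": [], "missing": []}
    for name in asserted_groups(assertion_xml):
        if name in exact:
            report["matched"].append(name)
        elif name.casefold() in folded:
            report["case_mismatch"].append((name, folded[name.casefold()]))
        else:
            report["missing"].append(name)
    return report
```

Names reported as missing or case_mismatch are the ones to create or rename as shadow groups before entitling them to an application.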

Procedure

  1. Select Directory > Users & groups.
  2. Select the Groups tab.
  3. Create a group.
    1. Select Add. The Add Group dialog box is displayed.
    2. Specify the following information for the new group:
      Table 1. Group information
      Information | Descriptions
      Name | Name of the group to which users are assigned as members. Note: Group name must be unique. You can edit this information except for reserved groups, which are reserved system groups.
      Description | Short information about the group. For example, characteristics or purpose of the group.
      Group Members | List of users who are assigned to the group as members. To assign group members, see Assigning group membership.
    3. Optional: Select whether to send an email notification to the user about the change to their group membership information.
    4. Select Save.
  4. Update a group.
    1. Hover over the group and select the Edit icon when it appears.
      The Edit Group dialog box is displayed.
    2. Edit the group information.
      Note: You cannot edit the group information for reserved groups. However, you can add and remove members from those groups.

      To add or remove group members, see Assigning group membership.

    3. Optional: Select whether to send an email notification to the user about the change to their group membership information.
    4. Select Save.
  5. Delete a group.
    Note: You cannot delete a reserved group.
    When you delete a group:
    • You can delete one or multiple groups except for reserved system groups.
    • Users are removed from the group.
    • The group can no longer use Verify to access a third-party application.
    • You can use Delete either in the Groups page or in the Edit Group dialog box.
    1. Choose one of the following options in the Groups page:
      • Select a group, hover over it and select the Edit icon when it appears. The Edit Group dialog box is displayed.
      • Select one or more groups.
    2. Select Delete.
    3. Optional: Select whether to send an email notification to the user about the change to their group membership information.
    4. Confirm that you want to permanently delete the selected group or groups.
  6. Search and view the group information.
    1. Use the Search field for a filtered list of data.
    2. Select the group whose information you want to view. The Group Details is displayed.
      Table 2. Group information
      Information | Descriptions
      Name | Name of the group to which users are assigned as members.
      Date Created | Date when the group was created.
      Date Modified | Date when the group information was last updated.