Managing dynamic groups

Dynamic groups are a type of group that automatically includes or excludes members based on a predefined condition set. Membership is evaluated against the user profile attributes, such as department, job title, or location, that are defined in the condition set.

Before you begin

Note: Dynamic groups are a requestable feature, Beta CI-46644 (Dynamic attribute based access control). To request this feature, contact your IBM Sales representative or IBM contact and indicate your interest in enabling this capability. If you have permission to create a support ticket, create a support ticket with the feature number. Note that IBM® Verify trial subscriptions cannot create support tickets.
  • You must have administrative permission to complete this task.
  • Log in to the IBM Verify administration console as an Administrator.

About this task

You can perform the following tasks:

Create and manage dynamic group

Create dynamic group
Follow the provided steps to create a dynamic group:
  1. Log in as an administrator on IBM Verify. Navigate to the profile icon and click Switch to admin.
  2. Select Directory > Users & groups and then click the Dynamic groups tab.
    Note: IBM Verify trial subscriptions can create a maximum of 5 dynamic groups, while paid tenants can create up to 100. To alter the limit on the number of flows, contact your IBM Sales representative or IBM contact.
  3. Click Create dynamic group. Enter the required details in the General setup step and define the dynamic group condition to evaluate the membership.
    Note: The feature currently doesn’t support CELx or the Preferred username, Group IDs, Account expiration, and Linked accounts attributes.
  4. After the dynamic group is created, it is listed on the Dynamic groups tab of the Users & groups screen. The following statuses are displayed for a dynamic group during the process:
    • Waiting - The status is displayed immediately after the dynamic group is created and is waiting for membership evaluation.
    • In progress - The status is displayed when the membership evaluation is in progress based on the provided condition set.
    • Draft - The status is displayed when the membership evaluation is complete. Click Review & publish to review the users that are added to the group based on the provided condition set and the completed evaluation. The dynamic group can then be published to activate it.
    • Active - The status is displayed when the dynamic group is published and can now be associated with the required entitlement.
    • Failed - The status is displayed when the membership evaluation failed. You can either reevaluate or delete the dynamic group.
  5. After the dynamic group is active, the User details (Directory > Users & groups > Users > User details) also displays the active Dynamic groups to which the user is added.
Manage dynamic group
The Dynamic groups tab displays the records in a tabular format, providing Dynamic group name, Description, and Status details. The screen provides search, refresh, and pagination options. You can perform the following operations from the records table:
  • Click the dynamic group record to open the side panel to view the details. Based on the dynamic group's Status, you can either Edit, View membership, Reevaluate, or Delete the dynamic group from this panel.
    Note:
    • The Edit functionality is only applicable to dynamic groups that are in the Active state.
    • The dynamic groups with Draft or Failed status can only be reevaluated or deleted.
  • Similarly, you can click the menu icon to perform the same functions.

Edit dynamic group

You can edit or update any Active dynamic group. If the dynamic group's condition set is updated, the group membership is reevaluated. After you modify the dynamic group, the following statuses are displayed during the process:
Note: Until the changes made to the dynamic group are published, the group keeps its Active status while the sub-status changes with the progress of the membership reevaluation.
  • Active Waiting to update - The status is displayed immediately after the dynamic group is updated and is waiting for membership reevaluation.
  • Active Updates in progress - The status is displayed when the membership reevaluation is in progress based on the updated condition set.
  • Active Review & publish changes - The status is displayed when the membership reevaluation is complete. Click Review & publish to review the users that are added to and removed from the group based on the updated condition set and the completed reevaluation. The dynamic group can then be published to activate it. The side panel of the record can be opened to view the previous and the updated conditions, and also to discard the changes, if you don't want to publish the latest modifications.
  • Active Failed - The status is displayed when the membership reevaluation failed. From the side panel of the record you can either discard the changes or reevaluate the membership.
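
A minimal model of the Review & publish step described above, as an added example that is not IBM Verify code: it evaluates a condition set against user profile attributes and lists who would be added to or removed from the group when the conditions are edited. The dictionary-based condition format, the function names, and the sample users are all constructed for illustration and are not the product's condition syntax or API.

```python
# Added illustration: the condition format and every name below are constructed
# for this example; they are not IBM Verify's syntax, API, or evaluation engine.

def matches(user, condition_set):
    """True when every attribute condition holds for the user.

    In this model a missing attribute never matches, and an empty
    condition set matches nobody (fail closed).
    """
    return bool(condition_set) and all(
        user.get(attr) in allowed for attr, allowed in condition_set.items()
    )

def evaluate(users, condition_set):
    """Names of the users whose profile attributes satisfy the condition set."""
    return {u["name"] for u in users if matches(u, condition_set)}

def review_changes(users, published, updated):
    """Membership diff to inspect before publishing an edited condition set."""
    before = evaluate(users, published)
    after = evaluate(users, updated)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "unchanged": sorted(before & after),
    }

# Constructed sample directory; "dave" has no location attribute.
USERS = [
    {"name": "alice", "department": "Finance", "job_title": "Analyst", "location": "Austin"},
    {"name": "bob", "department": "Finance", "job_title": "Manager", "location": "Dublin"},
    {"name": "carol", "department": "Engineering", "job_title": "Analyst", "location": "Austin"},
    {"name": "dave", "department": "Finance", "job_title": "Analyst"},
]

# Condition set of the published (Active) group.
PUBLISHED = {"department": {"Finance"}}
# Edited condition set: the department condition is dropped, so a user from
# another department (carol) now qualifies and shows up under "added".
UPDATED = {"job_title": {"Analyst"}, "location": {"Austin"}}

if __name__ == "__main__":
    for change, names in review_changes(USERS, PUBLISHED, UPDATED).items():
        print(f"{change}: {', '.join(names) or '-'}")
```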