Users and groups

Verify Identity Access maintains information about its users and groups in the user registry.

If you have a user registry that maintains users and groups for another application, you can import that registry information into Verify Identity Access. If a required user or group did not exist in the user registry at import time, or a new user or group must be added to the Verify Identity Access user registry later, you can create it with Verify Identity Access.

Basic users, that is, users in the registry that are not imported into Verify Identity Access, are also supported. For more information, see Configuring the runtime to authenticate basic users.

Verify Identity Access supports two types of group definitions. The most common type maintains the group membership as an explicit list of members (users). This type of group is sometimes called a static group, because the membership is explicitly listed and maintained.

For Active Directory and LDAP registry users, Verify Identity Access also supports dynamic groups. Dynamic groups are groups whose members are resolved automatically each time the group is accessed, based on the results of a defined search filter. For example, you create a dynamic group for members of department XYZ. If you import a new user whose data matches the search filter, the user is automatically added to the group. If an existing employee switches departments, the user is automatically removed from the group. Manual intervention is not required.

The creation and management of a dynamic group can be complex and is specific to the vendor implementation: a search filter must be specified and is then used to resolve group membership. Because of these variables, dynamic groups cannot be created or maintained with Verify Identity Access utilities or user interfaces; the vendor-specific tools must be used instead. Verify Identity Access can, however, import and use dynamic groups after they are created.
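The following added example, which is not part of the Verify Identity Access documentation or product, shows how a directory resolves dynamic-group membership from a search filter at access time. It assumes the groupOfURLs/memberURL convention used by some LDAP servers (an RFC 4516 LDAP URL whose filter defines the members) and a constructed, hypothetical directory snapshot; the entries, DNs and group name are placeholders, not values from any real registry.

```python
import re

# Constructed directory snapshot: hypothetical entries, not from any real registry.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {"department": "XYZ", "status": "active"},
    "uid=bob,ou=people,dc=example,dc=com": {"department": "ABC", "status": "active"},
    "uid=carol,ou=people,dc=example,dc=com": {"department": "XYZ", "status": "disabled"},
}
# Hypothetical dynamic group in the groupOfURLs/memberURL style: the LDAP URL (RFC 4516)
# carries the base DN, the scope and the filter that decides who is a member.
DYNAMIC_GROUP = {
    "cn": "dept-xyz",
    "memberURL": "ldap:///ou=people,dc=example,dc=com??sub?(&(department=XYZ)(status=active))",
}

def parse_member_url(url):
    """Return (base DN, filter) from an LDAP URL with all three '?' separators; subtree scope assumed."""
    base, _attrs, _scope, filt = url.split("/", 3)[3].split("?", 3)
    return base, filt or "(objectClass=*)"

def split_children(s):
    """Split '(a=1)(b=2)' into its top-level parenthesised children."""
    children, depth = [], 0
    for i, ch in enumerate(s):
        if ch == "(":
            depth += 1
            if depth == 1:
                start = i
        elif ch == ")":
            depth -= 1
            if depth == 0:
                children.append(s[start:i + 1])
    return children

def matches(entry, filt):
    """Evaluate an RFC 4515 filter subset: (attr=value), '*' wildcards, and &, |, ! nesting."""
    body = filt.strip()[1:-1]
    if body[0] in "&|!":
        results = [matches(entry, c) for c in split_children(body[1:])]
        return {"&": all, "|": any, "!": lambda r: not r[0]}[body[0]](results)
    attr, _, value = body.partition("=")
    actual = entry.get(attr)  # absent attribute never matches, even against '*'
    pattern = "^" + ".*".join(re.escape(p) for p in value.split("*")) + "$"
    return actual is not None and re.match(pattern, actual, re.IGNORECASE) is not None

def resolve_members(group, directory):
    """Members are the entries under the base DN whose attributes satisfy the filter, resolved on each call."""
    base, filt = parse_member_url(group["memberURL"])
    return sorted(dn for dn, entry in directory.items()
                  if dn.lower().endswith(base.lower()) and matches(entry, filt))
```

Changing alice's department attribute and calling resolve_members again drops her from the group with no edit to the group entry itself, which is the behaviour the text describes.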

Verify Identity Access supports different types of users. When a domain is created, a special user known as the domain administrator is created with it. For the management domain, the domain administrator is sec_master; the sec_master user and its password are created during configuration of the Verify Identity Access policy server. For other domains, the user ID and password of the domain administrator are established when the domain is created. The domain administrator has nearly complete control of the domain. Think of the domain administrator as the Verify Identity Access equivalent of the Linux™ or UNIX™ root account or the Microsoft™ Windows™ Administrator user.

The domain administrator is added as a member of the Verify Identity Access iv-admin group within the domain. The iv-admin group represents the users with domain administration privileges. Every user you add to the iv-admin group receives those privileges, so add members sparingly and ensure that you do not compromise the security of your domain.