Groups
A group represents a collection of users with a common function, feature or interest. Typically, this grouping has no privileges associated with it. Groups can exist at two levels: within an organization and within other managed groups. Groups that exist within other groups are called sub-groups. Sub-groups are child nodes that “physically” exist within a parent group.
Identity Server also supports nested groups, which are “representations” of existing groups contained in a single group. As opposed to sub-groups, nested groups can exist anywhere in the DIT. They allow you to quickly set up access permissions for a large number of users.
When you create a group, you choose between Membership By Subscription (a static group) and Membership By Filter (a filtered group). This choice controls the way in which users are added to the group. Users can be added directly only to static groups; filtered (dynamic) groups control the addition of users through a filter. Nested groups and sub-groups, however, can be added to both.
This section contains the following topics:
To Create a Static Group
- Navigate to the organization, group or group container where the group will be created.
- Choose Groups from the View menu.
- Click New.
- Select Membership By Subscription for the group type from within the Data pane.
- Enter a name for the group in the Name field. Click Next.
- Select the Users Can Subscribe to this Group attribute to allow users to subscribe to the group themselves.
- If you have defined multiple group containers in your DIT and the Show Group Containers attribute (from the Administration Service) is not enabled, you can select the Parent Group Container to which the static group will belong. Otherwise, this field is not displayed.
- Click Finish.
Once the group is created, you can edit the Users Can Subscribe to this Group attribute by selecting General from the View menu in the Data pane.
To Add or Remove Members to a Static Group
- Click the Properties arrow next to the group to which you will add members.
- In the Data pane, select Members from the View menu.
- Choose an action to perform in the Select Action menu. The actions you can perform are as follows:
  - New User. This action creates a new user and automatically adds the user to the group when the user information is saved.
  - Add User. This action adds an existing user to the group. When you select this action, you create search criteria that specify the users you wish to add. The fields used to construct the criteria use either an ANY or ALL operator. ALL returns users that match all specified fields. ANY returns users that match any one of the specified fields. If a field is left blank, it will match all possible entries for that particular attribute. From the returned list of users, select the users you wish to add and click OK.
  - Add Group. This action adds a nested group to the current group. When you select this action, you create search criteria, including the search scope and the name of the group (the “*” wildcard is accepted), and you can specify whether users can subscribe to the group themselves. From the returned list of groups, select the group you wish to add and click OK.
  - Remove Members. This action will remove members from the group, but will not delete them. Select the member you wish to remove and click OK.
  - Delete Members. This action will permanently delete the member you select.
To Create a Filtered Group
- Navigate to the organization (or group) where the group will be created.
- Choose Groups from the View menu.
- Click New.
- Enter a name for the group in the Name field. Click Next.
- Construct the LDAP search filter.
By default, Identity Server displays the Basic search filter interface. The Basic fields used to construct the filter use either an ANY or ALL operator. ALL returns users that match all specified fields. ANY returns users that match any one of the specified fields. If a field is left blank, it will match all possible entries for that particular attribute.
Alternatively, you can select the Advanced button to define the filter attributes yourself. For example:
(&(uid=user1)(|(inetuserstatus=active)(!(inetuserstatus=*))))
When you click Finish, all users matching the search criteria are automatically added to the group.
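Because the filter alone decides who becomes a member, it helps to check it against known entries before clicking Finish. The following is an added example, not part of the original guide or of Identity Server: a small Python evaluator for the filter subset used in the Advanced example above, run over constructed entries. The entry names and values are made up, case-insensitive matching is an assumption, and substring wildcards and other match operators are rejected rather than handled.

```python
# Added example: evaluates the filter subset shown above (&, |, !, equality, presence).
def parse(f, i=0):
    """Parse one parenthesised filter at f[i]; return (node, index after it)."""
    if f[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if f[i:i + 1] in ("&", "|", "!"):
        op, kids, i = f[i], [], i + 1
        while f[i:i + 1] == "(":
            node, i = parse(f, i)
            kids.append(node)
        if f[i:i + 1] != ")" or not kids or (op == "!" and len(kids) != 1):
            raise ValueError(f"malformed '{op}' clause near offset {i}")
        return (op, kids), i + 1
    end = f.index(")", i)  # raises ValueError if the comparison is never closed
    attr, sep, value = f[i:end].partition("=")
    unsupported = "(" in attr + value or ("*" in value and value != "*")
    if not sep or not attr or attr[-1] in "<>~:" or unsupported:
        raise ValueError(f"unsupported comparison near offset {i}")
    return ("=", attr.lower(), value), end + 1

def matches(node, entry):
    """True if entry (lower-case attribute name -> list of values) satisfies node."""
    op = node[0]
    if op in ("&", "|"):
        return (all if op == "&" else any)(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":  # presence test: the attribute has at least one value
        return bool(values)
    return value.lower() in (v.lower() for v in values)  # assumes case-ignore matching

FILTER = "(&(uid=user1)(|(inetuserstatus=active)(!(inetuserstatus=*))))"
ENTRIES = {  # constructed sample entries, not taken from a real directory
    "user1-active": {"uid": ["user1"], "inetuserstatus": ["Active"]},
    "user1-unset": {"uid": ["user1"]},
    "user1-inactive": {"uid": ["user1"], "inetuserstatus": ["Inactive"]},
    "user2-active": {"uid": ["user2"], "inetuserstatus": ["Active"]},
}

def members(filter_text, entries):
    """Names of the entries that the filter would place in the group."""
    text = filter_text.strip()
    tree, end = parse(text)
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return sorted(name for name, e in entries.items() if matches(tree, e))
```

With the sample filter, `members(FILTER, ENTRIES)` keeps user1 when the status is active or not set at all, and leaves out the inactive user1 and every other uid.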
To Add or Remove Members to a Filtered Group
- Click the Properties arrow next to the group to which you will add members.
- In the Data pane, select Members from the View menu.
- Choose an action to perform in the Select Action menu. The actions you can perform are as follows:
  - Add Group. This action adds a nested group to the current group. When you select this action, you create search criteria, including the search scope and the name of the group (the “*” wildcard is accepted), and you can specify whether users can subscribe to the group themselves. From the returned list of groups, select the group you wish to add and click OK.
  - Remove Members. This action will remove members from the group, but will not delete them. Select the member you wish to remove and click OK.
  - Delete Members. This action will permanently delete the member you select.
To Add a Group to a Policy
Identity Server objects are added to a policy through the policy’s subject definition. When a policy is created or modified, organizations, roles, groups, and users can be defined as the subject in the policy’s Subject page. Once the subject is defined, the policy will be applied to the object.