You can create groups, add members to groups, and create group rules. You then can populate the groups based on rules you define.
Use groups to entitle more than one user to the same resources at the same time, instead of entitling each user individually. A user can belong to multiple groups. For example, if you create a Sales group and a Management group, a sales manager can belong to both groups.
You can specify which policy settings apply to the members of a group. Users in groups are defined by the rules you set for a user attribute. If a user's attribute value changes from the defined group rule value, the user is removed from the group.
Procedure
- In the VMware Identity Manager console, Users & Groups tab, click Groups.
- Click Add Group.
- Enter a group name and description of the group. Click Next.
- Add users to the group. To add users to the group, enter a few letters of the user name. As you enter text, names that match are displayed.
- Select the user name and click +Add user. Continue to add members to the group.
- After the users are added to the group, click Next.
- In the Group Rules page, select how group membership is granted. In the drop-down menu, select either Any or All.

| Option | Action |
| --- | --- |
| Any | Grants group membership when any of the conditions for group membership are met. This action works like an OR condition. For example, if you select Any for the rules Group Is Sales and Group Is Marketing, both sales and marketing staff are granted membership to this group. |
| All | Grants group membership only when all the conditions for group membership are met. Using All works like an AND condition. For example, if you select All of the following for the rules Group Is Sales and Email Starts With 'western_region', only sales staff in the western region are granted membership to this group. Sales staff in other regions are not granted membership. |
- Configure one or more rules for your group. You can nest rules.

Attribute: Select one of these attributes from the first column drop-down menu. Select Group to add an existing group to the group you are creating. You can add other types of attributes to manage which users in the groups are members of the group you create.

Attribute Rules: The following rules are available depending on the attribute you selected.
- Select is to select a group or directory to associate with this group. Enter a name in the text box. As you type, a list of the available groups or directories appears.
- Select is not to select a group or directory to exclude. Enter a name in the text box. As you type, a list of the available groups or directories appears.
- Select matches to grant group membership to entries that exactly match the criteria you enter. For example, your organization might have a business travel department that shares a central phone number. If you want to grant access to a travel booking application for all employees who share that phone number, you create a rule such as Phone matches (555) 555-1000.
- Select does not match to grant group membership to all directory server entries except those that match the criteria you enter. For example, if one of your departments shares a central phone number, you can exclude that department from access to a social networking application by creating a rule such as Phone does not match (555) 555-2000. Directory server entries with other phone numbers have access to the application.
- Select starts with to grant group membership to directory server entries that start with the criteria you enter. For example, the organization's email addresses might begin with the departmental name, such as [email protected]. If you want to grant access to an application to everyone in your sales staff, you can create a rule such as email starts with sales_.
- Select does not start with to grant group membership to all directory server entries except those that begin with the criteria you enter. For example, if the email addresses of your human resources department are in the format [email protected], you can deny access to an application by setting up a rule such as email does not start with hr_. Directory server entries with other email addresses have access to the application.

Using Attribute Any or All: (Optional) To include the attributes Any or All as part of the group rule, add this rule last.
- Select Any for group membership to be granted when any of the conditions for this rule are met. Using Any is a way to nest rules. For example, you can create a rule that says All of the following: Group is Sales; Group is California. For Group is California, Any of the following: Phone starts with 415; Phone starts with 510. The group member must belong to your California sales staff and have a phone number that starts with either 415 or 510.
- Select All for group membership to be granted only when all the conditions for this rule are met. This is also a way to nest rules. For example, you can create a rule that says Any of the following: Group Is Managers; Group is Customer Service. For Group is Customer Service, All of the following: Email starts with cs_; Phone starts with 555. The group members can be either managers or customer service representatives, but customer service representatives must have an email that starts with cs_ and a phone number that starts with 555.
- (Optional) To exclude specific users, enter a user name in the text box and click Exclude user.
- Click Next and review the group information. Click Create Group.
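The rule semantics described in the procedure (the six attribute operators, Any as OR, All as AND, nesting, explicit adds and exclusions, and removal when an attribute no longer matches) can be made concrete with a small evaluator. The following is an added illustration written for this page; it is not VMware Identity Manager code and does not use its API. The rule tree encoding, the sample directory, and the precedence rule that an exclusion always wins while a hand-added user stays regardless of the rules are all assumptions made here.

```python
"""Evaluate nested Any/All group rules against directory users.

Added illustration, not product code. A leaf rule is a tuple
(attribute, operator, value); a node is {"any": [...]} or {"all": [...]}
and may nest to any depth.
"""
from dataclasses import dataclass, field


def _is(actual, expected):
    # "Group is X": a user carries a list of groups; other attributes are scalars.
    if isinstance(actual, (list, tuple, set)):
        return expected in actual
    return actual == expected


# The six attribute operators named in the procedure.
OPERATORS = {
    "is": _is,
    "is not": lambda actual, expected: not _is(actual, expected),
    "matches": lambda actual, expected: actual == expected,
    "does not match": lambda actual, expected: actual != expected,
    "starts with": lambda actual, expected: str(actual).startswith(expected),
    "does not start with": lambda actual, expected: not str(actual).startswith(expected),
}


def evaluate(rule, user):
    """Return True if the user satisfies the rule tree (Any = OR, All = AND)."""
    if isinstance(rule, dict):
        (mode, subrules), = rule.items()          # exactly one of "any" / "all"
        combine = {"any": any, "all": all}[mode]
        return combine(evaluate(sub, user) for sub in subrules)
    attribute, operator, expected = rule
    actual = user.get(attribute, "")             # missing attribute acts as an empty value
    return OPERATORS[operator](actual, expected)


@dataclass
class GroupDefinition:
    name: str
    rule: object
    added_users: set = field(default_factory=set)     # users added by hand in the Add Group wizard
    excluded_users: set = field(default_factory=set)  # users excluded in the optional step


def compute_membership(group, directory):
    """Assumed precedence: exclusion wins; hand-added users stay; others are in only while rules match."""
    members = set()
    for user in directory:
        name = user["userName"]
        if name in group.excluded_users:
            continue
        if name in group.added_users or evaluate(group.rule, user):
            members.add(name)
    return members


def membership_after_change(group, directory, user_name, attribute, new_value):
    """Recompute membership after one user's attribute changes (rule-based members drop out)."""
    updated = [dict(u, **{attribute: new_value}) if u["userName"] == user_name else u
               for u in directory]
    return compute_membership(group, updated)


# Constructed sample directory; names, numbers and addresses are made up.
DIRECTORY = [
    {"userName": "alice", "Group": ["Sales", "California"], "Phone": "415-555-0100", "Email": "sales_alice@example.com"},
    {"userName": "bob",   "Group": ["Sales", "California"], "Phone": "213-555-0100", "Email": "sales_bob@example.com"},
    {"userName": "carol", "Group": ["Managers"],            "Phone": "212-555-0100", "Email": "carol@example.com"},
    {"userName": "dave",  "Group": ["Customer Service"],    "Phone": "555-0100",     "Email": "cs_dave@example.com"},
    {"userName": "erin",  "Group": ["Customer Service"],    "Phone": "555-0200",     "Email": "erin@example.com"},
    {"userName": "frank", "Group": ["Sales", "California"], "Phone": "510-555-0100", "Email": "sales_frank@example.com"},
    {"userName": "grace", "Group": ["Marketing"],           "Phone": "917-555-0100", "Email": "grace@example.com"},
]

# "All of the following: Group is Sales; Group is California;
#  Any of the following: Phone starts with 415; Phone starts with 510."
CALIFORNIA_SALES = GroupDefinition(
    name="California Sales",
    rule={"all": [("Group", "is", "Sales"), ("Group", "is", "California"),
                  {"any": [("Phone", "starts with", "415"), ("Phone", "starts with", "510")]}]},
    added_users={"grace"},      # added by hand, so kept although she is not in Sales
    excluded_users={"frank"},   # matches the rules but is explicitly excluded
)

# "Any of the following: Group is Managers; All of the following:
#  Group is Customer Service; Email starts with cs_; Phone starts with 555."
MANAGERS_OR_CS = GroupDefinition(
    name="Managers or Customer Service",
    rule={"any": [("Group", "is", "Managers"),
                  {"all": [("Group", "is", "Customer Service"),
                           ("Email", "starts with", "cs_"), ("Phone", "starts with", "555")]}]},
)

if __name__ == "__main__":
    print(sorted(compute_membership(CALIFORNIA_SALES, DIRECTORY)))
    print(sorted(compute_membership(MANAGERS_OR_CS, DIRECTORY)))
    print(sorted(membership_after_change(CALIFORNIA_SALES, DIRECTORY, "alice", "Phone", "213-555-0100")))
```

Running the block shows bob dropping out of California Sales because neither phone prefix matches, erin dropping out of the second group because her email does not start with cs_, and alice leaving California Sales as soon as her phone number changes, which is the re-evaluation behaviour the introduction describes.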
What to do next
Add the resources that the group is entitled to use.