You can create groups, add members to groups, and create group rules in the Workspace ONE Access service.
Instead of entitling each user individually, use groups to entitle more than one user to the same resources at the same time. Users can belong to multiple groups. For example, if you create a Sales group and a Management group, a sales manager can belong to both groups.
You can specify group rules to apply to the members of a group. Users in groups are defined by the rules you set for a user attribute. If a user's attribute value changes from the defined group rule value, the user is removed from the group.
Procedure
- In the Workspace ONE Access console, page, click Add Group.
- In the Group Information section, add a group name and a description of the group.
- In the Group Users section, add users or exclude users.
- To add users, enter a few letters of the user name in the Add Users line.
- To exclude users, enter a few letters of the user name in the Exclude Users line.
Names that match your text are displayed.
- In the Group Rules section, select how group membership is granted. Configure one or more rules for your group. You can nest rules.
- In the Group Rules section, click Search and select an attribute from the drop-down menu.

- In the Search for value section, select the match conditions for the attribute value.
The following match conditions are available depending on the attribute you selected.
- Select is to select a group or directory to associate with this group. Enter a name in the text box. As you type, a list of the available groups or directories appears.
- Select is not to select a group or directory to exclude. Enter a name in the text box. As you type, a list of the available groups or directories appears.
- Select matches to grant group membership to entries that exactly match the criteria you enter. For example, your organization might have a business travel department that shares a central phone number. If you want to grant access to a travel booking application for all employees who share that phone number, you create a rule such as Phone matches (555) 555-1000.
- Select does not match to grant group membership to all directory server entries except those that match the criteria you enter. For example, if one of your departments shares a central phone number, you can exclude that department from access to a social networking application by creating a rule such as Phone does not match (555) 555-2000. Directory server entries with other phone numbers have access to the application.
- Select starts with to grant group membership for directory server entries that start with the criteria you enter. For example, the organization's email addresses might begin with the departmental name, such as sales_username@example.com. If you want to grant access to an application to everyone in your sales staff, you can create a rule, such as email starts with sales_.
- Select does not start with to grant group membership to all directory server entries except those that begin with the criteria you enter. For example, if the email addresses of your human resources department are in the format hr_username@example.com, you can deny access to an application by setting up a rule, such as email does not start with hr_. Directory server entries with other email addresses have access to the application.
- In the last section, define the value to match in the rule.
- To add additional rules, click the plus sign + and select whether the operator is AND or OR.

- Click SAVE.
What to do next
Select the group from the User Groups list and in the Applications tab, add the applications that the group is entitled to use.
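
The match conditions and AND/OR operators from the Group Rules steps, modelled in Python as an added example (not Workspace ONE Access code; the rule format, function names, and sample users are constructed for illustration). It shows that a positive rule admits only matching entries, a negative rule admits every other entry, and a changed attribute value removes the user from the group.

```python
# Illustrative model of the group-rule semantics described on this page.
# Not Workspace ONE Access code; all names and data below are constructed.

CONDITIONS = {
    "matches": lambda value, crit: value == crit,
    "does not match": lambda value, crit: value != crit,
    "starts with": lambda value, crit: value.startswith(crit),
    "does not start with": lambda value, crit: not value.startswith(crit),
}


def evaluate(rule, user):
    """Evaluate a rule tree against one user's attributes.

    A leaf is (attribute, condition, criteria); a nested rule is
    ("AND" | "OR", [sub-rules]).
    """
    if rule[0] in ("AND", "OR"):
        results = [evaluate(sub, user) for sub in rule[1]]
        return all(results) if rule[0] == "AND" else any(results)
    attribute, condition, criteria = rule
    return CONDITIONS[condition](user[attribute], criteria)


def members(rule, users):
    """Return the names of users whose current attributes satisfy the rule."""
    return sorted(u["name"] for u in users if evaluate(rule, u))


# Constructed sample directory entries.
USERS = [
    {"name": "alice", "email": "sales_alice@example.com", "phone": "(555) 555-1000"},
    {"name": "bob", "email": "hr_bob@example.com", "phone": "(555) 555-2000"},
    {"name": "carol", "email": "carol@example.com", "phone": "(555) 555-3000"},
]

SALES = ("email", "starts with", "sales_")
NOT_HR = ("email", "does not start with", "hr_")
SALES_OR_TRAVEL = ("OR", [SALES, ("phone", "matches", "(555) 555-1000")])
NOT_HR_AND_NOT_2000 = ("AND", [NOT_HR, ("phone", "does not match", "(555) 555-2000")])

if __name__ == "__main__":
    print(members(SALES, USERS))   # positive rule: only alice
    print(members(NOT_HR, USERS))  # negative rule: alice and carol, everyone except bob
    changed = [dict(USERS[0], email="alice@example.com")] + USERS[1:]
    print(members(SALES, changed))  # after the attribute change: no members
```

When reviewing entitlements, note that the negative rule also admits carol, whose email carries no department prefix at all: a does not match or does not start with rule grants membership to every entry outside the excluded value.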