You can create groups, add members to groups, and create group rules in the Workspace ONE Access service.

instead of entitling each user individually, use groups to entitle more than one user to the same resources at the same time. Users can belong to multiple groups. For example, if you create a Sales group and a Management group, a sales manager can belong to both groups.

You can specify group rules to apply to the members of a group. Users in groups are defined by the rules you set for a user attribute. If a user's attribute value changes from the defined group rule value, the user is removed from the group.

Procedure

  1. In the Workspace ONE Access console, Accounts > User Groupspage, click Add Group.
  2. In the Group Information section, add a group name and a description of the group
  3. In the Group Users section, add users or exclude users.
    1. To add users, enter a few letters of the user name in the Add Users line.
    2. To exclude users, enter a few letters of the user name in the Exclude Users line.
    Names that match your text are displayed.
  4. In the Group Rules section, select how group membership is granted. Configure one or more rules for your group. You can nest rules.
    Option Description
    Attribute

    Select one of these attributes from the first column drop-down menu. Select Group to add an existing group to the group you are creating. You can add other types of attributes to manage which users in the groups are members of the group you create.

    Attribute Rules

    The following rules are available depending on the attribute you selected.

    • Select is to select a group or directory to associate with this group. Enter a name in the text box. As you type, a list of the available groups or directories appears.
    • Select is not to select a group or directory to exclude. Enter a name in the text box. As you type, a list of the available groups or directories appears.
    • Select matches to grant group membership to entries that exactly match the criteria you enter. For example, your organization might have a business travel department that shares a central phone number. If you want to grant access to a travel booking application for all employees who share that phone number, you create a rule such as Phone matches (555) 555-1000.
    • Select does not match to grant group membership to all directory server entries except those that match the criteria you enter. For example, if one of your departments shares a central phone number, you can exclude that department from access to a social networking application by creating a rule such as Phone does not match (555) 555-2000. Directory server entries with other phone numbers have access to the application.
    • Select starts with to grant group membership for directory server entries that start with the criteria you enter. For example, the organization's email addresses might begin with the departmental name, such as sales_username@example.com. If you want to grant access to an application to everyone n your sales staff, you can create a rule, such as email starts with sales_.
    • Select does not start with to grant group membership to all directory server entries except those that begin with the criteria you enter. For example, if the email addresses of your human resources department are in the format hr_username@example.com, you can deny access to an application by setting up a rule, such as email does not start with hr_. Directory server entries with other email addresses have access to the application.
  5. Click SAVE.

What to do next

Add the resources that the group is entitled to use.