Defining Groups and Selecting UID Masks
A group is defined via SailPoint. After the group is defined, you can use IdentityIQ to view all users connected to the group definition (that is, users whose UID string matches any of the group's UID masks). These users are implicitly connected to the group without a connect operation being executed.
Each group may represent a single user attribute reflected in the user's UID string (Division, Department, Business Role, Application). Connecting a user to a group sets the corresponding attribute on the user's LID record.
The attribute associated with a group may span several UID components (for example, Department and Business Function). Whether to create a single group with multiple attributes or multiple groups with a single attribute each depends on site requirements.
Example 1
The UID structure is: DEPT, ROLE, LID
You can define a group for each ROLE or DEPT value or for every combination of values for these attributes.
- UID string for user JOHN is FINMGRJOHN (DEPT=FIN; ROLE=MGR)
- UID string for user FRED is PAYACCFRED (DEPT=PAY; ROLE=ACC)
If each user must have both DEPT and ROLE (and no other situation is allowed), the following two groups may be defined:
| Group | UID mask |
|---|---|
| Finance Managers | FINMGR******** |
| Payroll Accountants | PAYACC******** |
JOHN is considered connected to group "Finance Managers" and FRED is considered connected to group "Payroll Accountants."
Example 2
Using the same UID structure as in the previous example, every user may be assigned either DEPT or ROLE, or both.
- UID string for JOHN is: FIN...JOHN (DEPT=FIN; ROLE=space, shown as dots)
- UID string for FRED is: ...ACCFRED (DEPT=space, shown as dots; ROLE=ACC)
- UID string for GREG is: FINACCGREG (DEPT=FIN; ROLE=ACC)
Accordingly, the following groups are created:
| Group | UID mask |
|---|---|
| Finance Department | FIN*********** |
| Managers | ***MGR******** |
| Payroll Department | PAY*********** |
| Accountants | ***ACC******** |
Users FRED, JOHN and GREG are connected to the groups as follows:
- JOHN is connected to group Finance Department.
- FRED is connected to group Accountants.
- GREG is connected to both Finance Department and Accountants.
SailPoint Connector for ACF2 does not allow the definition of two groups whose UID masks overlap. Where two groups do overlap, a user connected to one group is automatically connected to the other.
Example 3
The UID structure is: DEPT, ROLE, LID
The UID string for user JOHN is: FIN...JOHN
Two groups are defined:
| Group | UID mask |
|---|---|
| Finance Department | FIN*********** |
| Finance Manager | FINMGR******** |
JOHN is currently associated with group Finance Department.
If JOHN is connected to the Finance Manager group, his UID string becomes FINMGRJOHN, which matches both masks.
Note
Any attempt to disconnect either group from JOHN disconnects the other group as well. If JOHN is associated with these two groups via IT Roles, disconnecting one IT Role invalidates the other.
To avoid these issues, define two separate groups for the Department and the Role and allocate them selectively.
Example 4
Some users may have several roles under a given department. In this case, a multi-valued field can be used to assign multiple roles to a single user.
The UID structure is: DEPT, ROLE, LID, where ROLE is a multi-valued field.
The UID string views for user JOHN are:
- APPDVLJOHN (DEPT=APP; ROLE=DVL)
- APPDBAJOHN (DEPT=APP; ROLE=DBA)
User JOHN, who is a developer in the Applications department, is also the database administrator (DBA) for that department.
The following groups are defined:
| Group | UID mask |
|---|---|
| Developers | ***DVL******** |
| Database Administrators | ***DBA******** |
JOHN is considered connected to both groups.
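The mask matching behind Examples 2 to 4, together with the overlap problem from Example 3, as an added example that is not part of the SailPoint or ACF2 documentation. It assumes that `*` masks exactly one character position, that blank DEPT/ROLE fields are spaces (the dots in the examples), and that disconnecting a group blanks the positions its mask fixes; the group tables are copied from the examples above.

```python
# Added example, not from the SailPoint/ACF2 documentation: UID-mask matching,
# implicit group connection, and the overlap check behind Example 3.
# Assumptions: '*' masks exactly one character position, blank DEPT/ROLE
# fields are spaces (the "..." above), and disconnecting a group blanks the
# positions its mask fixes.

EXAMPLE2_GROUPS = {
    "Finance Department": "FIN***********",
    "Managers":           "***MGR********",
    "Payroll Department": "PAY***********",
    "Accountants":        "***ACC********",
}
EXAMPLE3_GROUPS = {
    "Finance Department": "FIN***********",
    "Finance Manager":    "FINMGR********",
}

def matches_mask(uid, mask):
    """True when each fixed mask character equals the UID character there."""
    return all(m == "*" or m == u for m, u in zip(mask, uid.ljust(len(mask))))

def connected_groups(uid_views, groups):
    """Groups a user is implicitly connected to; pass several UID string views
    when a field such as ROLE is multi-valued (Example 4)."""
    return [name for name, mask in groups.items()
            if any(matches_mask(v, mask) for v in uid_views)]

def disconnect(uid, mask):
    """Blank the positions fixed by the mask (assumed model of a disconnect)."""
    uid = uid.ljust(len(mask))
    return "".join(" " if m != "*" else u for m, u in zip(mask, uid))

def masks_overlap(mask_a, mask_b):
    """Example 3 overlap: masks never conflict and fix at least one common
    position, so disconnecting one blanks characters the other depends on."""
    pairs = list(zip(mask_a, mask_b))
    compatible = all(a == "*" or b == "*" or a == b for a, b in pairs)
    return compatible and any(a != "*" and b != "*" for a, b in pairs)

def overlapping_pairs(groups):
    names = list(groups)
    return [(x, y) for i, x in enumerate(names) for y in names[i + 1:]
            if masks_overlap(groups[x], groups[y])]

if __name__ == "__main__":
    for uid in ("FIN   JOHN", "   ACCFRED", "FINACCGREG"):   # Example 2 users
        print(uid, "->", connected_groups([uid], EXAMPLE2_GROUPS))
    print("overlapping:", overlapping_pairs(EXAMPLE3_GROUPS))
    after = disconnect("FINMGRJOHN", EXAMPLE3_GROUPS["Finance Department"])
    print(repr(after), "->", connected_groups([after], EXAMPLE3_GROUPS))
```

Example 2's groups report no overlap because each mask fixes different UID positions, whereas disconnecting Finance Department from FINMGRJOHN leaves no group matching, which is the behaviour the note under Example 3 warns about.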