Managing Groups and Populations
Use the Group Configuration page to work with groups and populations within your enterprise. When these items are enabled, you can track and monitor activity by membership and risk information.
To access the Group Configuration page, select Setup > Groups from the navigation bar.
Note
Group management is an advanced process that requires the assignment of additional IdentityIQ capabilities before these pages are displayed.
The Group Configuration page includes the following tabs:
Groups are defined automatically by values assigned to identity attributes such as Department, Location, Manager and Organization, or are based on common entitlements within an application, not common qualities as defined within IdentityIQ.
Populations are query-based groups created from the results of searches run from the Identity Search page. Searches that result in interesting populations of identities can be saved as populations for reuse. Because population membership is based entirely on identity search parameters, members do not have to share the same identity attributes or account group membership.
Workgroups enable the assignment of object ownership, certification, revocations and work items to pre-defined lists of identities. You can also assign capabilities and scope to these groups of identities so that you do not have to assign the same scopes and capabilities to each individual member of the group.
Group Examples
Groups Associated with Identity Attributes
Groups associated with identity attribute values are defined by the values assigned to those attributes. For example, the Location identity attribute might have a value for each city in which your enterprise has an office, such as Austin, New_York, and London. In that case, three groups are created, Austin, New_York, and London, one for each value of the attribute, each containing the identities that have the corresponding value assigned to Location.
Groups Based on Common Entitlements
Groups based on common entitlements within an application are defined by shared access and are listed under role. An entitlement is either a specific value for an account attribute or a permission. A role is a collection of entitlements that enable an identity to perform certain operations within your enterprise. When the role group attribute is created and enabled, each role becomes a group consisting of all identities that share the entitlements that make up that role. Identities assigned entitlements that do not combine to match the criteria of a role are assigned to the group No role. The Global group contains all identities.
Group Tab
The Groups table contains a list of the high-level containers, or group factories, that contain the actual groups used within IdentityIQ. Each group factory is associated with either an identity attribute or an entitlement within an application. These group factories are not groups themselves, but are used to define, maintain, and enable groups.
The Group tab contains the following information:
| Column Name | Description |
|---|---|
| Name | The name assigned to the group factory when it was created. |
| Attribute | The attribute used to define the groups within the group factory. |
| Description | Description of the group factory or the groups contained within. |
| Status | The status of the groups within the group factory, enabled (check mark) or disabled (exclamation mark). This status controls all of the groups contained within this group factory. |
Click on a group factory or right-click and select edit to display the Edit Group page. The Edit Group page contains the group factory information from the table and a list of the groups associated with the group factory. For example, for a Manager group factory the table contains a row for every value assigned to the manager attribute in IdentityIQ. See Edit Group Page.
To create a new group, click Create New Group to open the Edit Group page.
To delete a group factory, right-click and select Delete.
Edit Group Page
This page is used to enable or disable all of the groups contained within a group factory, recreate a group factory that has been deleted, and view the groups that make up a group factory. Creating multiple group factories of the same type produces identical results when a task is run that updates group information. For example, if you create three (3) group factories, X, Y, and Z and specify the Department attribute for each, you receive identical results for all three group factories when you run a task that updates group information.
The Edit Group page contains the following information:
Group Information
Name - The name assigned to the group factory when it was created.
Group Attribute - The attribute used to define the groups within the group factory.
Description - Description of the group factory or the groups contained within.
Enabled / Disabled - The status of the groups within the group factory, Enabled or Disabled.
This status controls all of the groups contained within this group factory.
- Enabled – the groups are active and available for use and activity searching.
- Disabled – the groups exist, but are not included in statistical tracking or available on the search pages.
Scope - The scope for this group factory. If scope is assigned, only the users that control the designated scope can see this group factory in select lists on pages such as the Certification Schedule or Search pages.
The sub-groups associated with this application are visible to a user with any or no controlled scope. Depending on configuration settings, objects with no scope assigned might be visible to all users with the correct capabilities.
Sub-Group Information
This information is not displayed until group aggregation is performed by a task.
Name - The name of the group, or the value assigned to the specified attribute.
Member Count - The number of identities matching the group criteria.
Policy Violations - The total number of policy violations for members of the group.
Composite Score - The average composite risk scores of each member of the group.
Owner - The owner of the sub-group, if one is assigned.
Last Updated - The last time a task was run that updated the group information.
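The following is an added illustration, not IdentityIQ code: a small model of a group factory that, like the aggregation task described above, derives one sub-group per distinct attribute value and computes the Member Count, Policy Violations and Composite Score columns. It also shows that two factories on the same attribute produce identical groups, and that a disabled factory keeps its groups but exposes none. The identities and attribute names are constructed sample data.

```python
from dataclasses import dataclass, field
from statistics import mean

# Constructed sample identities (not real data); "score" stands in for the composite risk score.
IDENTITIES = [
    {"name": "alice", "department": "Finance", "location": "Austin", "violations": 0, "score": 120},
    {"name": "bob", "department": "Finance", "location": "London", "violations": 2, "score": 480},
    {"name": "carol", "department": "IT", "location": "Austin", "violations": 1, "score": 300},
    {"name": "dave", "department": "IT", "location": "New_York", "violations": 0, "score": 60},
]


@dataclass
class GroupFactory:
    """Hypothetical model of a group factory: a container keyed by one identity attribute."""
    name: str
    attribute: str
    enabled: bool = True
    groups: dict = field(default_factory=dict)

    def aggregate(self, identities):
        """Task-style refresh: one sub-group per distinct attribute value, with per-group statistics."""
        members_by_value = {}
        for ident in identities:
            members_by_value.setdefault(ident[self.attribute], []).append(ident)
        self.groups = {
            value: {
                "member_count": len(members),
                "policy_violations": sum(m["violations"] for m in members),
                # Composite Score on the page is the average over the group's members.
                "composite_score": mean(m["score"] for m in members),
            }
            for value, members in members_by_value.items()
        }
        return self.groups

    def searchable_groups(self):
        """A disabled factory keeps its groups but they are not offered for search or statistics."""
        return dict(self.groups) if self.enabled else {}
```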
Populations Tab
The Populations tab contains a list of populations that either you created from identity searches or that were created by other users and defined as public. Populations are query based groups created from the results of searches run from the Identity Search page. Searches that result in interesting populations of identities can be saved as populations for reuse. Members of a population might not share any of the same identity attributes or account group membership. Population membership is based entirely on identity search parameters.
The Populations tab contains the following information:
| Column Name | Description |
|---|---|
| Name | The name assigned to the population when it was created. |
| Description | Description of the population. |
| Visibility | If the population is Private or Public. Private – only visible to the user that created them. Public – available to any user with access to pages on which they are used and control of the correct scope, if scoping is active. |
| Owner | The name of the population owner, if one is assigned. |
| Status | The status of the population, enabled (check mark) or disabled (exclamation mark). Enabled – the populations are active and available for use in activity searching. Disabled – the populations exist, but are not included in statistical tracking or available on the search pages. |
Click on a population or right-click and select edit to display the Edit Population page. The Edit Population page contains the population information and a list of associated identities. See Edit Population Page.
To delete a population, right-click and select Delete.
Edit Population Page
This page is used to edit population information, enable or disable populations, mark populations as private or public, set the scope for the population, and view the identities that make up a population.
Note
Any user that has access to a public population can make changes on that population.
Note
If you mark a public population as private, and you are not the creator of that population, you can no longer see that population.
Click on an identity to display the View Identity page for that user.
The Edit Population page contains the following information:
Group Information
Name - The name assigned to the population when it was created.
Description - Description of the population.
Private - Select or clear the checkbox to specify if the population is private or not private.
- Private – only visible to the user that created it from the search results page.
- Not Private – available to any user with access to pages on which they are used and control of the correct scope, if scoping is active.
Enabled / Disabled - Select or clear the checkbox to specify if the population is enabled or not enabled.
- Enabled – the populations are active and available for use in activity searching.
- Not Enabled – the populations exist, but are not included in statistical tracking or available on the search pages.
Scope - The scope for this population. If scope is assigned, only the users that control the designated scope see this population in select lists on pages such as the Certification Schedule or Search pages. This scope only applies to the population, not the identities contained within.
Owner - Assign an owner for the population.
Population Information
Population Count - The number of identities in IdentityIQ matching the population's search criteria.
Name - The value of the accountId attribute for the identity.
First Name - The value of the firstname attribute for the identity.
Last Name - The value of the lastname attribute for the identity.
Manager - The value of the manager attribute for the identity.
Last Refresh - The date on which the identity was last refreshed.
Workgroups Tab
The Workgroups tab contains a list of workgroups, which enable the assignment of object ownership, certification, revocations and work items to predefined lists of identities. In addition to grouping identities, you can also assign capabilities and scope to these groups of identities so that you do not have to assign the same scopes and capabilities to each individual member of the group.
The Workgroups tab contains the following information:
| Column Name | Description |
|---|---|
| Name | The name assigned to the workgroup. |
| Description | A short description of the workgroup. |
| Modified | The date and time the workgroup was last modified. |
Click on a workgroup or right-click and select edit to display the Edit Workgroup page. The Edit Workgroup page contains the group information and a list of capabilities and members. See Edit Workgroups Page.
To create a new workgroup, click Create Workgroup to open the Edit Workgroup page.
To delete a workgroup from the list, right-click and select Delete.
Edit Workgroups Page
This page is used to edit workgroup information and view the capabilities, scope and members that make up a group.
The Edit Workgroup page contains the following information:
Group Information
Name - The name assigned to the workgroup.
Owner - The owner assigned to this group.
Description - Description of the group.
Scope - The scope for this workgroup. If scope is assigned, only the users that control the designated scope can see this workgroup in select lists on pages such as the Certification Schedule or Search pages. This scope only applies to the workgroup, not the capabilities or identities contained within.
Group Email - Specify the email address assigned to this workgroup. A workgroup email address should be a distribution list. If no address is specified here, notifications are sent to each member of the group. A workgroup email account needs to be created in your email system.
Notification Setting - Specify to whom notifications should be delivered.
If you select Notify members and group email and the group email is a distribution list, the members receive the notification twice.
- Notify members and group email – send notifications to each group member and the group email address.
- Notify group email only – send notifications to the group email address but not the individual group members.
- Notify members only – send notifications to each group member, but not the group email address.
- Disable notifications – send no notifications to this group. This restriction only applies to items assigned to the workgroup.
Rights
Capabilities - The IdentityIQ capabilities available. The capabilities currently assigned to the workgroup are highlighted on the list. Each member of the group assumes the capabilities of the group, even if different capabilities were assigned to them individually. Use the Ctrl and Shift keys to select multiple capabilities.
Authorized Scope - The scopes controlled by this workgroup. Scope is used to determine the objects to which the members of this group have access.
Control determines access. If scoping is active, the workgroup members can only see objects that are within the scopes controlled by the group.
Assign scopes to the workgroup using the suggestion field at the top of the Authorized Scopes list box. Click the arrow to the right of the suggestion field to display a list of all scopes defined. Enter a few letters in the suggestion field to display a list of all scopes that start with that letter string.
Depending on configuration, objects with no scope assigned might be visible to all users with the correct capabilities.
Can Access Assigned Scope - Select this option to enable the workgroup members to control the scope to which they are assigned. If this option is cleared, the users do not have access to objects within the scope to which the workgroup is assigned. Control determines access. If scoping is active, identities can only see objects that are within the scopes they control.
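The following is an added example, not IdentityIQ code, that models the Rights rules above: a member inherits the workgroup's capabilities on top of their own, sees objects only in scopes controlled directly or through a workgroup, gains the workgroup's own assigned scope only when Can Access Assigned Scope is set, and sees unscoped objects only if the system configuration allows it. The workgroup, identity, scope and capability names are constructed samples.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Workgroup:
    """Hypothetical model of the Rights section of a workgroup."""
    name: str
    capabilities: set
    authorized_scopes: set                   # scopes the workgroup controls
    assigned_scope: Optional[str] = None     # the workgroup object's own scope
    can_access_assigned_scope: bool = False
    members: set = field(default_factory=set)


@dataclass
class Identity:
    name: str
    capabilities: set = field(default_factory=set)
    controlled_scopes: set = field(default_factory=set)


def effective_capabilities(identity, workgroups):
    """Members assume the group's capabilities in addition to their individual ones."""
    caps = set(identity.capabilities)
    for wg in workgroups:
        if identity.name in wg.members:
            caps |= wg.capabilities
    return caps


def effective_scopes(identity, workgroups):
    """Control determines access: directly controlled scopes plus those of any workgroup."""
    scopes = set(identity.controlled_scopes)
    for wg in workgroups:
        if identity.name in wg.members:
            scopes |= wg.authorized_scopes
            if wg.can_access_assigned_scope and wg.assigned_scope:
                scopes.add(wg.assigned_scope)
    return scopes


def can_see(identity, obj_scope, required_capability, workgroups, unscoped_visible_to_all=False):
    """True if the identity holds the capability and controls the object's scope (or it is unscoped and globally visible)."""
    if required_capability not in effective_capabilities(identity, workgroups):
        return False
    if obj_scope is None:
        return unscoped_visible_to_all
    return obj_scope in effective_scopes(identity, workgroups)
```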
Members
The list of members of the workgroup. Use the dropdown list at the bottom of the table to select identities, then click Add Member to add members to the workgroup. Use the select boxes to select members and click Remove Members to remove members from the workgroup.