eADM
eADM
Breadcrumbs

How to create a rule for direct group membership

You can add users directly to a group, bypassing the standard access management process. This method links a rule set directly to a group, which automatically adds users who match the rule's criteria during the next synchronization cycle.


When to use direct membership

Direct membership is a simplified way to manage groups, but it offers less visibility and manual control than using the full access management feature.

  • Use direct membership for groups where:

    • There are no exceptions to the membership criteria.

    • It is not critical for the end-user or their manager to be explicitly notified of the access.

    • Examples include "all employees" groups, printer groups, or groups for enforcing Multi-Factor Authentication (MFA). This is also suitable for groups that are primarily relevant to IT staff.

  • Use the standard access management feature when:

    • You need the ability to manually add or remove individual users from the group.

    • It is important that the access grant is visible to the end-user in their profile.

    • An example is an access group for a specific business system.


Note: Identum generally recommends using the access management feature for all group administration to ensure better control and visibility.


Configuration

Follow these steps to configure a direct membership rule on a group, using "GS-AllUsers" as an example.


  1. Prepare the rule set. Find an existing or create a new rule set that defines the members of the group. The name of the rule set should include the name of the group it applies to. For example: "Membership Rule: GS-AllUsers".


  1. Edit the target group

    1. Navigate to Groups.

    2. Search for and select the group you want to configure.

    3. Click Edit.


  1. Link the rule set

    1. Go to the Optional synchronization fields tab.

    2. Click + Add synchronization field.

    3. From the field dropdown list, select MemberRuleSetId.

    4. In the value dropdown list that appears, select the rule set you prepared in step 1.


  1. Save changes. Click Save. The users who match the criteria in the rule set will be added to the group during the next synchronization cycle.