eADM

How to create a rule for direct group membership

You can add users directly to a group, bypassing the standard access management process. This method links a rule set directly to a group, which automatically adds users who meet the rule's criteria during the next synchronization cycle.

When to use direct membership

Direct membership is a simplified way to manage groups, but it offers less visibility and manual control than using the full access management feature.

  • Use direct membership for groups where:

    • There are no exceptions to the membership criteria.

    • It is not necessary for the end user or their manager to be explicitly notified of the access.

    • Examples include "all employees" groups, printer groups, or groups used to enforce multi-factor authentication (MFA). This is also suitable for groups that are primarily relevant to IT staff.

  • Use the standard access management feature when:

    • You need to be able to manually add or remove individual users from the group.

    • It is important that the access grant is visible to the end user in their profile.

    • An example is an access group for a specific business system.

Note: Identum generally recommends using the access management feature for all group administration to ensure better control and visibility.

Configuration

Follow these steps to configure a direct membership rule for a group, using "GS-AllUsers" as an example.


  1. Prepare the rule set. Find an existing rule set or create a new one that defines the members of the group. The name of the rule set should include the name of the group to which it applies. For example: "Membership Rule: GS-AllUsers".

  2. Edit the target group.

    1. Go to Groups.

    2. Search for and select the group you want to configure.

    3. Click Edit.

  3. Link the rule set.

    1. Go to the "Optional synchronization fields" tab.

    2. Click + Add synchronization field.

    3. From the field dropdown list, select MemberRuleSetId.

    4. In the value dropdown list that appears, select the rule set you prepared in step 1.

  4. Save changes. Click Save. The users who meet the criteria in the rule set will be added to the group during the next synchronization cycle.
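Step 1 asks you to prepare a rule set that defines the group's members, and step 4 states that everyone matching it is added at the next synchronization cycle. Since direct membership has no exception mechanism, it is worth checking exactly which users a rule set matches before linking it through MemberRuleSetId. The script below is an added illustration, not eADM's own code or API: it models a rule set as a list of rules, each a list of attribute conditions, where a user becomes a member if every condition of at least one rule holds, evaluates it against a constructed sample directory, and reports who would be added. The rule format, the attribute names (employeeType, status, dept), the user records and the function names are all assumptions made for this example; the real eADM rule editor may differ.

```python
"""Dry-run a membership rule set against a user list before linking it to
a group with MemberRuleSetId.

Added illustration, not eADM code. The rule model (list of rules, each a
list of attribute conditions; any fully matching rule makes the user a
member) and the attribute names are assumptions for this example. The
user records are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Condition:
    attribute: str
    op: str          # "eq", "ne" or "in"
    value: object

    def matches(self, user: dict) -> bool:
        actual = user.get(self.attribute)
        if self.op == "eq":
            return actual == self.value
        if self.op == "ne":
            return actual != self.value
        if self.op == "in":
            return actual in self.value
        raise ValueError(f"unknown operator {self.op!r}")


@dataclass
class RuleSet:
    name: str
    rules: list = field(default_factory=list)   # list of lists of Condition

    def matches(self, user: dict) -> bool:
        # Member if every condition of at least one rule holds (OR of ANDs).
        return any(all(c.matches(user) for c in rule) for rule in self.rules)


def evaluate(rule_set: RuleSet, users: list) -> set:
    """Return the ids of the users the rule set would place in the group."""
    return {u["id"] for u in users if rule_set.matches(u)}


def plan_additions(current_members: set, desired: set) -> set:
    """Users the next synchronization cycle would add: matched by the rule
    set but not yet in the group. Only additions are modelled, because
    that is the behaviour the procedure describes."""
    return desired - current_members


# Constructed sample directory (not real data).
USERS = [
    {"id": "alice", "employeeType": "Employee", "status": "Active", "dept": "IT"},
    {"id": "bob", "employeeType": "Employee", "status": "Active", "dept": "Sales"},
    {"id": "carol", "employeeType": "Contractor", "status": "Active", "dept": "IT"},
    {"id": "dave", "employeeType": "Employee", "status": "Disabled", "dept": "HR"},
]

# Hypothetical "Membership Rule: GS-AllUsers": active employees only.
ALL_USERS_RULE = RuleSet(
    name="Membership Rule: GS-AllUsers",
    rules=[[Condition("employeeType", "eq", "Employee"),
            Condition("status", "eq", "Active")]],
)


def dry_run(rule_set: RuleSet, users: list, current_members: set) -> dict:
    """Report what linking this rule set to the group would do at next sync."""
    desired = evaluate(rule_set, users)
    return {
        "rule_set": rule_set.name,
        "matched": sorted(desired),
        "to_add": sorted(plan_additions(current_members, desired)),
        "unmatched": sorted(u["id"] for u in users if u["id"] not in desired),
    }


if __name__ == "__main__":
    report = dry_run(ALL_USERS_RULE, USERS, current_members={"alice"})
    for key, value in report.items():
        print(f"{key}: {value}")
```

Reviewing the "matched" and "unmatched" lists against the intended scope of the group (for example, confirming that contractors and disabled accounts fall outside an "all employees" or MFA-enforcement group) is the check that the standard access management feature would otherwise give you through manual control and visibility.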