---
title: Managing groups
description: The administrative scope for users determines which users are visible to the group administrator.
component: pingdirectory
version: 11.0
page_id: pingdirectory:delegated_admin_application_guide:pd_da_manage_groups
canonical_url: https://docs.pingidentity.com/pingdirectory/11.0/delegated_admin_application_guide/pd_da_manage_groups.html
revdate: October 5, 2023
section_ids:
  example: Example
  set-group-attributes: Set group attributes
  set-group-search-filter: Set group search filter
  rename-the-members-and-nonmembers-columns: Rename the Members and Nonmembers columns
---

# Managing groups

The administrative scope for users determines which users are visible to the group administrator.

You can use `dsconfig` to delegate a user as a group administrator. An administrator can be configured to edit users and manage group memberships. When configuring an administrator, consider the following:

* The group administrator can view, add, and remove any of the users within their administrative scope as members of groups that are within the groups' administrative scope.

* Static groups can be nested.

* Users who belong indirectly to a group through nesting are visible as group members but cannot be removed.

* Users can be removed only from the groups of which they are a member. For example, an Employees group might include a Developers group as a nested member. In this scenario, a user in the Developers group is a direct member of that group and an indirect member of Employees. This member can be removed only when viewing the Developers group, not when viewing the Employees group.

* If a group is configured as a dynamic or virtual static group rather than a static group, then the group and its members are visible, but the group membership cannot be modified.
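The following sketch models the direct versus indirect membership rule from the list above. It is an added example, not PingDirectory or Delegated Admin code. The group and user DNs are constructed, DN comparison is simplified to a case-insensitive string match, and treating a user who is both a direct and an indirect member as direct is an assumption of the model.

```python
# Added example: models the direct vs. indirect membership rule for nested
# static groups. All DNs below are constructed sample data.
GROUPS = {  # group DN -> member DNs (users or nested groups)
    "cn=Employees,ou=Groups,dc=example,dc=com": [
        "cn=Developers,ou=Groups,dc=example,dc=com",
        "uid=alice,ou=org1,dc=example,dc=com",
    ],
    "cn=Developers,ou=Groups,dc=example,dc=com": [
        "uid=bob,ou=org1,dc=example,dc=com",
    ],
}


def norm(dn):
    """Assumption: DNs compare case-insensitively after trimming; no full DN parsing."""
    return dn.strip().lower()


def membership_view(groups, group_dn):
    """Return {member_dn: "direct" | "indirect"} for the group being viewed."""
    groups = {norm(g): [norm(m) for m in members] for g, members in groups.items()}
    start = norm(group_dn)
    view = {m: "direct" for m in groups[start] if m not in groups}
    seen = {start}
    stack = [m for m in groups[start] if m in groups]
    while stack:
        nested = stack.pop()
        if nested in seen:  # guards against cyclic nesting
            continue
        seen.add(nested)
        for m in groups[nested]:
            if m in groups:
                stack.append(m)
            else:
                # Assumption: a direct entry wins if a user is both direct and indirect.
                view.setdefault(m, "indirect")
    return view


def can_remove(groups, group_dn, user_dn):
    """Only direct members can be removed when viewing this group."""
    return membership_view(groups, group_dn).get(norm(user_dn)) == "direct"


if __name__ == "__main__":
    for group in GROUPS:
        print(group, membership_view(GROUPS, group))
```

For access reviews, the same traversal gives the effective membership of a parent group, including users who can only be removed by editing a nested group.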

## Example

In the following example, all users in the subtree `ou=org1,dc=example,dc=com` are visible:

```shell
$ bin/dsconfig create-delegated-admin-rights \
  --rights-name group-admin1 \
  --set "admin-user-dn:uid=admin1,ou=people,dc=example,dc=com" \
  --set enabled:true

$ bin/dsconfig create-delegated-admin-resource-rights \
  --rights-name group-admin1 \
  --rest-resource-type groups \
  --set admin-scope:resources-in-specific-subtrees \
  --set "resource-subtree:ou=Groups,dc=example,dc=com" \
  --set admin-permission:manage-group-membership \
  --set admin-permission:create \
  --set admin-permission:read \
  --set admin-permission:update \
  --set admin-permission:delete \
  --set enabled:true

$ bin/dsconfig create-delegated-admin-resource-rights \
  --rights-name group-admin1 \
  --rest-resource-type users \
  --set admin-scope:resources-in-specific-subtrees \
  --set "resource-subtree:ou=org1,dc=example,dc=com" \
  --set admin-permission:read \
  --set enabled:true
```

## Set group attributes

The default settings for group attributes specify `cn` and `description` as group attributes, with `cn` used for the group title in Delegated Admin. To create the default settings, use the following commands with a search DN and parent DN (`"dc=example,dc=com"`):

```shell
$ bin/dsconfig create-rest-resource-type \
  --type group \
  --type-name groups \
  --set "display-name:Groups" \
  --set enabled:false \
  --set "search-base-dn:dc=example,dc=com" \
  --set primary-display-attribute-type:cn \
  --set resource-endpoint:groups \
  --set "search-filter-pattern:(cn=%%)" \
  --set structural-ldap-objectclass:groupOfUniqueNames \
  --set parent-dn:dc=example,dc=com

$ bin/dsconfig create-delegated-admin-attribute \
  --type-name groups \
  --attribute-type cn \
  --set "display-name:Name"

$ bin/dsconfig create-delegated-admin-attribute \
  --type-name groups \
  --attribute-type description \
  --set "display-name:Description"

$ bin/dsconfig set-rest-resource-type-prop \
  --type-name groups \
  --set enabled:true
```

## Set group search filter

When an administrator enters text to search for groups, the groups' `search-filter-pattern` property specifies the attributes to be searched in the PingDirectory server.

To satisfy the query, define the appropriate attribute indexes for PingDirectory server. The default setting searches the attribute `cn` for the search text, which is represented by `%%`.

Use the following command to set the group search filter:

```shell
$ bin/dsconfig set-rest-resource-type-prop \
  --type-name groups \
  --set 'search-filter-pattern:(cn=%%)'
```

## Rename the **Members** and **Nonmembers** columns

An administrator can assign custom names for the **Members** and **Nonmembers** columns in the Delegated Admin application for the following REST resource types:

* Groups

* Users

* Generic REST resource types

To set these column titles, run `dsconfig set-rest-resource-type-prop`:

```shell
dsconfig set-rest-resource-type-prop \
    --type-name users \
    --set "members-column-name:<custom member label>" \
    --set "nonmembers-column-name:<custom non member label>"
```
