PingOne

Managing group membership

About this task

You can define group members manually, dynamically, or using a combination of both.

To include members dynamically, you create a filter that defines which users should be in the group. If you create a dynamic group, you can still add users to the group manually.

Steps

  1. In the PingOne admin console, go to Directory > Groups and browse or search for the group to which you want to add users.

  2. Click the group entry to open the details panel.

  3. On the Users tab, follow the instructions for your preferred method.

    You can’t add users to an external group in PingOne. Group membership is managed by the group source. You can remove users, but the user might be added back into the group automatically the next time the group is synced with the source.

    • Manually from Groups

    • Dynamically from Groups

    • Manually from Users

    • Using Advanced SCIM Mode

    Adding or removing users manually from the Groups page

    Use the Groups details page to add or remove members manually. You can also add users to a group from the Users details page.

    Steps

    1. In the PingOne admin console, go to Directory > Groups and browse or search for the group to which you want to add users.

    2. Click the group entry to open the details panel.

    3. On the Users tab, click Add Individually.

      If the group already has users, click the Pencil icon, and then click Edit Users.

    4. Click the All Users tab.

      Result:

      All available users are shown in the All Users list.

    5. Do one or more of the following:

      • To add a user, select the checkbox for the appropriate user.

      • To remove a user, clear the checkbox for the appropriate user.

        If a user is a member of a group because of a filter match, the user is shown in the Members list. However, you can’t manually remove a member of a dynamic group. To remove a user from a dynamic group, change the filter criteria or modify user attributes to no longer match the filter criteria.

        Additionally, you can’t add users to an external group in PingOne. Group membership is managed by the group source. You can remove users, but the user might be added back into the group automatically the next time the group is synced with the source.

    6. Click Save.

    Adding or removing users dynamically from the Groups page

    Use the Groups details page to add or remove members dynamically based on a filter.

    If new users are added, or existing users are updated, the group membership is updated automatically based on the criteria in the filter. If you create a dynamic group, you can still add users to the group manually.

    Steps

    1. In the PingOne admin console, go to Directory > Groups and browse or search for the group to which you want to add users.

    2. Click the group entry to expand the details panel.

    3. Click the Users tab, and then click Add with a Filter.

      If the group already has users, click the Pencil icon, and then click Edit Users Filter.

    4. In the Create Dynamic Group window, define the filter that will determine group membership.

      You can find examples of filter expressions in Dynamic group examples.

    5. Enter the first condition:

      Attribute

      The user attribute to filter on.

      Boolean attributes support the Equals operator only, because they are either true or false.
      Operator

      Select Equals, Starts with, Ends with, or Contains.

      Value

      Enter the appropriate value.

      A screen capture of Create Dynamic Group page, showing a condition or filter that identifies a certain category of users.

    6. If needed, click Add, and then click Condition to add another condition.

    7. Select All or Any to determine how the linked conditions will be evaluated: Boolean logical All or Any.

      All filters in the same condition block must use the same logical operator.

    8. Continue adding conditions or condition blocks as needed.

    9. Click Save Filtered Users.

      Result:

      The group is updated with any users that match the expression. If the filter is invalid, you see an error message and no users are added to the group.

    10. Click the Users Matched tab to see the list of filtered users.

    Adding or removing users manually from the Users page

    Use the Users page to manually add or remove users from a group.

    Steps

    1. In the PingOne admin console, go to Directory > Users and browse or search for the user you want to add or remove from a group.

    2. Click the user entry to open the details panel.

    3. Click the Groups tab.

      The list shows current group membership.

    4. Click the Pencil icon.

    5. Do one or more of the following:

      Choose from:

      • To add the user to a group, select the checkbox next to the group name.

      • To remove a user from a group, clear the checkbox next to the group name.

        If a user is in a group due to a filter match, you can’t directly remove the user from a dynamic group. To remove a user from a dynamic group, change the filter criteria or modify user attributes to no longer match the filter criteria.

        Additionally, you can’t add users to an external group in PingOne. Group membership is managed by the group source. You can remove users, but the user might be added back into the group automatically the next time the group is synced with the source.

    6. Click Save.

    Adding users using the Advanced (SCIM) Mode editor

    If you prefer to create a SCIM filter directly, you can use Advanced (SCIM) mode to determine which users should be in a group.

    If new users are added, or existing users are updated, the group membership is updated automatically based on the criteria in the filter. If you create a dynamic group, you can still add users to the group manually.

    Steps

    1. In the PingOne admin console, go to Directory > Groups and browse or search for the group to which you want to add users.

    2. Click the group entry to expand the details panel.

    3. Click the Users tab, and then click Add with a Filter.

      If the group already has users, click the Pencil icon, and then click Edit Users Filter.

    4. In the Create Dynamic Group modal, click Advanced (SCIM) mode.

      If you have defined a filter in Basic mode, the filter will appear as a SCIM filter, although some complex SCIM filters can’t be displayed in Basic mode.

    5. Enter a SCIM filter expression to define members of the group. Learn more in Searching for users using SCIM queries.

    6. Click Save Filtered Users.

      Result:

      The group is updated with any users that match the expression. If the filter is invalid, an error message will appear and no users will be added to the group.

    7. Click the Users matched tab to see the list of filtered users.