PingOne

About groups and populations

Groups and populations are both used to organize users, but they differ in several ways.

A user can belong to multiple groups, but only one population. A population is a fundamental organizational unit, while groups offer more fine-grained control. For example, you could use a population to contain all your employees and use a group to define subsets, such as Marketing, HR, Contractors, or US Employees.

A population-level group can contain users from that population only, but an environment-level group can contain users from different populations in the same environment.

Static and dynamic groups

In PingOne, you can create static groups, dynamic groups, or a combination of both.

With static groups, you add or remove group members manually.

With dynamic groups, members are added based on rules. You’ll set up an expression or filter to determine which users should be included in the group. If you change the filter criteria for a dynamic group, users will be added or removed automatically based on the current criteria in the filter. Likewise, as user attributes change to match or not match the filter, a user will be implicitly added or removed from the group.

Dynamic groups also allow you to add users directly: you can manually add users who do not match the SCIM filter. Because the filter never matched those users, it will not remove them either, so a dynamic group's membership is the filter's matches plus any manually added members. Check both when reviewing who is in such a group.

For more information, see Creating a group and Managing group membership.

Dynamic group examples

You can use a custom filter to define dynamic groups, as in the following examples.

Example 1

Filter with a single Any (the user must match at least one of the conditions). Include users with either of the following country codes:

  • Country Code Equals US

  • Country Code Equals CA

Screen capture of the Create Dynamic Group page showing a filter Any with the Attribute of Country Code.

Example 2

Filter with a single Any on population UUIDs. Include users from either of the following populations:

  • Population ID Equals 10000000-0000-0000-0000-000000000001

  • Population ID Equals 20000000-0000-0000-0000-000000000001

Screen capture of the Create Dynamic Group page showing a filter Any with the Attribute Population ID.

Example 3

Filter with an Any nested inside an All (the user must match every condition of the All, and at least one condition of the Any). Include enabled users from either of the following populations:

  • All:

      • Any:

          • Population ID Equals 10000000-0000-0000-0000-000000000001

          • Population ID Equals 20000000-0000-0000-0000-000000000001

      • Enabled Equals True

Screen capture of the Create Dynamic Group page showing a filter of Any and All with the Attributes Population ID and Enabled.

Example 4

Filter combining Any and All. Include users from either of two populations who are in Canada, as well as one user with a particular email address. The top-level Any holds two All groups and a single condition, and a user is included if any one of the three branches matches:

  • Any:

      • All:

          • Population ID Equals 10000000-0000-0000-0000-000000000001

          • Country Code Equals CA

      • All:

          • Population ID Equals 20000000-0000-0000-0000-000000000001

          • Country Code Equals CA

      • Email Address Equals admin@example.com

Screen capture of the Create Dynamic Group page showing a filter of Any and All with the Attributes Population ID, Country Code and Email Address.

Example 5

Filter combining Any and All. Include users from either of two populations who are in the US and in the Sales department, as well as one user with a particular email address. As in Example 4, the top-level Any holds two All groups and a single condition. Note that Department is a custom attribute.

  • Any:

      • All:

          • Population ID Equals 10000000-0000-0000-0000-000000000001

          • Country Code Equals US

          • Department Equals Sales

      • All:

          • Population ID Equals 20000000-0000-0000-0000-000000000001

          • Country Code Equals US

          • Department Equals Sales

      • Email Address Equals admin@example.com

Screen capture of the Create Dynamic Group page showing a filter of Any and All with the Attributes Population ID, Country Code, Department and Email Address.

For more information, see Managing group membership.
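The five examples above are built with the Any/All filter builder; the same filters can be written as SCIM filter expressions. The following Python script is an added example, not PingOne code or output: it implements the small part of the SCIM filter grammar the examples need (attribute eq value, and, or, parentheses) with SCIM precedence, and evaluates each example against constructed sample users to show who lands in the group. The attribute paths population.id, address.countryCode, enabled, email and department are assumptions about the PingOne user schema; confirm them against your environment's schema before reusing the filters. It also shows the precedence trap in Example 3: in SCIM, and binds tighter than or, so dropping the parentheses silently admits disabled users from the first population.

```python
"""Evaluate SCIM-style dynamic group filters against constructed sample users.

Added example for this page, not PingOne code. Grammar covered: attr eq value,
and, or, parentheses, with SCIM precedence (and binds tighter than or).
Attribute paths are ASSUMED to match the PingOne user schema."""
import re
from typing import Any, Dict, List, Tuple

POP_1 = "10000000-0000-0000-0000-000000000001"
POP_2 = "20000000-0000-0000-0000-000000000001"
POP_OTHER = "30000000-0000-0000-0000-000000000001"  # hypothetical third population

# Constructed sample users, not real data.
USERS: List[Dict[str, Any]] = [
    {"username": "alice", "population": {"id": POP_1}, "address": {"countryCode": "US"},
     "enabled": True, "email": "alice@example.com", "department": "Sales"},
    {"username": "bob", "population": {"id": POP_2}, "address": {"countryCode": "CA"},
     "enabled": True, "email": "bob@example.com", "department": "Marketing"},
    {"username": "carol", "population": {"id": POP_1}, "address": {"countryCode": "CA"},
     "enabled": False, "email": "carol@example.com", "department": "Sales"},
    {"username": "dave", "population": {"id": POP_OTHER}, "address": {"countryCode": "US"},
     "enabled": True, "email": "dave@example.com", "department": "Sales"},
    {"username": "admin", "population": {"id": POP_OTHER}, "address": {"countryCode": "GB"},
     "enabled": True, "email": "admin@example.com"},
]

# SCIM-syntax equivalents of Examples 1 to 5 above.
EXAMPLE_FILTERS: Dict[str, str] = {
    "example1": 'address.countryCode eq "US" or address.countryCode eq "CA"',
    "example2": f'population.id eq "{POP_1}" or population.id eq "{POP_2}"',
    "example3": f'(population.id eq "{POP_1}" or population.id eq "{POP_2}") and enabled eq true',
    "example4": (f'(population.id eq "{POP_1}" and address.countryCode eq "CA") or '
                 f'(population.id eq "{POP_2}" and address.countryCode eq "CA") or '
                 'email eq "admin@example.com"'),
    "example5": (f'(population.id eq "{POP_1}" and address.countryCode eq "US" and department eq "Sales") or '
                 f'(population.id eq "{POP_2}" and address.countryCode eq "US" and department eq "Sales") or '
                 'email eq "admin@example.com"'),
}
# Example 3 with the parentheses dropped. Because "and" binds tighter than "or"
# this reads as  pop1 OR (pop2 AND enabled)  and admits disabled users from pop1.
EXAMPLE3_MISSING_PARENS = f'population.id eq "{POP_1}" or population.id eq "{POP_2}" and enabled eq true'

_TOKEN = re.compile(r'\s*(\(|\)|"(?:[^"\\]|\\.)*"|[^\s()]+)')

def tokenize(text: str) -> List[str]:
    """Split a filter into parentheses, quoted strings and bare words."""
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"unexpected input at offset {pos}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens

def _literal(tok: str) -> Any:
    """Quoted tokens are strings; bare true/false are booleans."""
    if len(tok) >= 2 and tok[0] == tok[-1] == '"':
        return tok[1:-1].replace('\\"', '"')
    return {"true": True, "false": False}.get(tok.lower(), tok)

class _Parser:
    """Recursive descent: or_expr := and_expr ('or' and_expr)*; and_expr := atom ('and' atom)*."""
    def __init__(self, tokens: List[str]):
        self.toks, self.pos = tokens, 0
    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None
    def take(self) -> str:
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of filter")
        self.pos += 1
        return tok
    def parse_or(self) -> Tuple:
        node = self.parse_and()
        while self.peek() is not None and self.peek().lower() == "or":
            self.take()
            node = ("or", node, self.parse_and())
        return node
    def parse_and(self) -> Tuple:
        node = self.parse_atom()
        while self.peek() is not None and self.peek().lower() == "and":
            self.take()
            node = ("and", node, self.parse_atom())
        return node
    def parse_atom(self) -> Tuple:
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("expected ')'")
            return node
        op = self.take()
        if op.lower() != "eq":
            raise ValueError(f"unsupported operator {op!r}")
        return ("eq", tok, _literal(self.take()))

def parse_filter(text: str) -> Tuple:
    parser = _Parser(tokenize(text))
    node = parser.parse_or()
    if parser.peek() is not None:
        raise ValueError(f"trailing token {parser.peek()!r}")
    return node

def _lookup(user: Dict[str, Any], path: str) -> Any:
    """Walk a dotted path such as address.countryCode; missing attributes read as None."""
    cur: Any = user
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def evaluate(node: Tuple, user: Dict[str, Any]) -> bool:
    kind = node[0]
    if kind == "eq":
        return _lookup(user, node[1]) == node[2]
    left, right = evaluate(node[1], user), evaluate(node[2], user)
    return (left and right) if kind == "and" else (left or right)

def members(filter_text: str, users: List[Dict[str, Any]] = USERS) -> List[str]:
    """Usernames the filter would place in the dynamic group."""
    node = parse_filter(filter_text)
    return sorted(u["username"] for u in users if evaluate(node, u))

def effective_members(filter_text: str, manually_added: List[str], users=USERS) -> List[str]:
    """A dynamic group also keeps users added by hand, whether or not they match the filter."""
    return sorted(set(members(filter_text, users)) | set(manually_added))

if __name__ == "__main__":
    for name, flt in EXAMPLE_FILTERS.items():
        print(f"{name}: {members(flt)}")
    print("example3 without parentheses:", members(EXAMPLE3_MISSING_PARENS))
```

Run it directly to print the membership of each example. effective_members illustrates the point made under Static and dynamic groups: a manually added user stays in a dynamic group whether or not the filter matches, so an audit of a dynamic group has to look at both sources of membership.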

Nested groups

A nested group is a group that is a member of another group.

Use nested groups to allow inheritance of membership and application access from one group to its subgroups. For more information, see Application access control.

You cannot nest an environment-level group inside a population-level group.

For example, assume an environment has three groups: Group A, Group B, and Group C. Each group has access to a single application: Group A has access to App1, Group B has access to App2, and Group C has access to App3.

If you nest Group B inside of Group A, and Group C inside of Group B, then application access will be as follows:

  • Group A has access to App1.

  • Group B has access to App1 and App2.

  • Group C has access to App1, App2, and App3.

The following diagram illustrates this example.

Nested groups diagram

Circular references

You can also nest groups inside their own subgroups. Continuing the previous example, if you add Group A as a subgroup of Group C, creating a circular reference, then all three groups will have access to all three applications. Before you nest a group, check whether the intended parent is already nested (directly or through other groups) inside the subgroup; otherwise the resulting cycle grants every group in it the combined access of all of them.
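To make the inheritance and circular-reference behaviour above concrete, here is an added Python example (not PingOne code) that computes effective application access for the Group A, B and C scenario by walking the "nested inside" relation, stops cleanly on a cycle, and performs the two checks worth making before nesting a group: that an environment-level group is not being nested inside a population-level group, and whether the new nesting would create a circular reference. The scope map and the population-level group P in it are constructed for the example.

```python
"""Effective application access through nested groups.

Added example for this page, not PingOne code. Nesting is modelled as a map
from each group to the groups it is nested inside (its parents). Membership
and application access flow from a parent group to its subgroups, so a
group's effective access is the union over all of its ancestors."""
from typing import Dict, Iterable, List, Optional, Set

# Direct application access from the scenario above.
ACCESS: Dict[str, Set[str]] = {"A": {"App1"}, "B": {"App2"}, "C": {"App3"}}
# Group B nested inside Group A, Group C nested inside Group B.
PARENTS: Dict[str, Set[str]] = {"B": {"A"}, "C": {"B"}}
# The same, plus Group A nested inside Group C: a circular reference.
PARENTS_CIRCULAR: Dict[str, Set[str]] = {"B": {"A"}, "C": {"B"}, "A": {"C"}}
# Constructed scope map: None = environment-level group, otherwise the population ID.
SCOPE: Dict[str, Optional[str]] = {"A": None, "B": None, "C": None,
                                   "P": "10000000-0000-0000-0000-000000000001"}

def ancestors(groups: Iterable[str], parents: Dict[str, Set[str]]) -> Set[str]:
    """Every group reachable by walking 'nested inside' edges upward, including
    the starting groups. The seen set terminates the walk on a circular reference."""
    seen: Set[str] = set()
    stack = list(groups)
    while stack:
        g = stack.pop()
        if g in seen:
            continue
        seen.add(g)
        stack.extend(parents.get(g, ()))
    return seen

def effective_access(groups: Iterable[str], parents: Dict[str, Set[str]],
                     access: Dict[str, Set[str]]) -> List[str]:
    """Applications a member of the given group(s) reaches through nesting.
    Pass a user's direct groups to get that user's effective application access."""
    apps: Set[str] = set()
    for g in ancestors(groups, parents):
        apps |= access.get(g, set())
    return sorted(apps)

def would_create_cycle(subgroup: str, parent: str, parents: Dict[str, Set[str]]) -> bool:
    """True if nesting subgroup inside parent closes a loop, i.e. parent is
    already (transitively) nested inside subgroup."""
    return subgroup in ancestors([parent], parents)

def check_nesting(subgroup: str, parent: str, parents: Dict[str, Set[str]],
                  scope: Dict[str, Optional[str]]) -> Optional[str]:
    """Return a reason the nesting should be refused, or None if it is acceptable.
    The first rule is the one stated above; the cycle check is this example's own
    safeguard, since a cycle gives every group in it the union of their access."""
    if scope.get(subgroup) is None and scope.get(parent) is not None:
        return f"cannot nest environment-level group {subgroup} inside population-level group {parent}"
    if would_create_cycle(subgroup, parent, parents):
        return f"nesting {subgroup} inside {parent} would create a circular reference"
    return None

def nest(subgroup: str, parent: str, parents: Dict[str, Set[str]],
         scope: Dict[str, Optional[str]]) -> Dict[str, Set[str]]:
    """Return a new parents map with subgroup nested inside parent, after the checks."""
    problem = check_nesting(subgroup, parent, parents, scope)
    if problem:
        raise ValueError(problem)
    updated = {g: set(ps) for g, ps in parents.items()}
    updated.setdefault(subgroup, set()).add(parent)
    return updated

if __name__ == "__main__":
    for g in "ABC":
        print(f"Group {g}: {effective_access([g], PARENTS, ACCESS)}")
    print("With Group A nested inside Group C:",
          {g: effective_access([g], PARENTS_CIRCULAR, ACCESS) for g in "ABC"})
    print("Nesting A inside C:", check_nesting("A", "C", PARENTS, SCOPE))
    print("Nesting A inside P:", check_nesting("A", "P", PARENTS, SCOPE))
```

Running it prints App1 for Group A, App1 and App2 for Group B, and all three for Group C, then all three for every group once A is nested inside C, matching the lists above. check_nesting is the pre-change review: it reports the environment-level-inside-population-level case the page forbids and the cycle case the page shows flattening access.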

Group roles

To make permissions management easier, you can assign roles to groups and individual users.

Using group roles, you can:

  • Manage roles for multiple users at once.

  • Apply role changes in bulk.

  • See users that have a certain role by viewing group members.

You can use roles to manage permissions for groups of administrators. Learn more in Managing administrators.

For security reasons, only static groups can have roles assigned to them. That is, you can’t assign roles to groups whose members are included based on a filter or rule: with a dynamic group, a change to a user attribute could add that user to the group, and the user would silently inherit the group's role assignments. Learn more in Static and dynamic groups.

When adding users to groups that have roles assigned, be careful not to inadvertently assign a role to a user by adding them to a group. If a user has a role from being in a group, remove the user from the group to remove the role. If a user has a role assigned to them individually, you can remove the role from the user.

  • You can assign only roles that are assigned to you, or that are assignable by those roles. For example, the Identity Data Admin role has permissions that allow it to assign the Identity Data Admin Read Only role. Therefore, if you are assigned the Identity Data Admin role, you can assign that role or the Identity Data Admin Read Only role to a group.

An admin might not have permissions to assign roles but can still add or remove users from a group that has role assignments. In other words, one admin can assign roles to a group, and a different admin can add or remove users from that group. Adding a user to such a group is therefore an indirect way of granting the role, so treat membership changes to role-bearing groups as privileged operations and restrict who can manage those groups.

  • You cannot assign roles to a group that you are a member of.

  • You cannot add or remove yourself from a group that has roles assigned to it.

  • Roles assigned to a group will not affect roles that are assigned to a user individually.

  • You can assign roles in up to 500 groups.