PingOne

About groups and populations

Groups and populations are both used to organize users, but they differ in several ways.

A user can belong to multiple groups, but only one population. A population is a fundamental organizational unit, while groups offer more fine-grained control. For example, you could use a population to contain all your employees and use a group to define subsets, such as Marketing, HR, Contractors, or US Employees.

A population-level group can contain users from that population only, but an environment-level group can contain users from different populations in the same environment.

Internal and external groups

In PingOne, you can have internal groups, which are created and managed in PingOne, or external groups, which are created through a connection to an external identity provider (IdP) or Lightweight Directory Access Protocol (LDAP) gateway.

Internal groups are indicated on the Groups page with the Internal Group icon and are fully managed in PingOne. You can add, remove, and edit users directly.

You can create internal groups at the population level or the environment level. Administrators who are assigned roles scoped only to the population level can create groups for those populations only and cannot create groups at the environment level.

External groups are indicated on the Groups page with the External Group icon and with badges that indicate how the groups are provisioned (for example, Just-in-time) and from where they are sourced (for example, External IdP or LDAP Gateway). You can view the group membership for external groups in PingOne, but you can’t add group members. Group membership is managed by the corresponding IdP or gateway from which the group originates. You can remove users, but the user might be added back into the group automatically the next time the group is synced with the source.

A screenshot showing the Groups page with several internal groups and one external group. The details pane for the external group is open on the right.

Static and dynamic groups

In PingOne, you can create static groups, dynamic groups, or a combination of both.

With static groups, you add or remove group members manually.

With dynamic groups, members are added based on rules. You’ll set up an expression or filter to determine which users should be included in the group. If you change the filter criteria for a dynamic group, users will be added or removed automatically based on the current criteria in the filter. Likewise, as user attributes change to match or not match the filter, a user will be implicitly added or removed from the group.

Dynamic groups also allow you to add users directly. You can manually add users that do not match the SCIM filter.

For more information, see Creating a group and Managing group membership.

Dynamic group examples

You can use a custom filter to define dynamic internal groups, as in the following examples.

This topic is not applicable to external group membership. External group membership is managed through the source from which the group originates.

Example 1

Filter with a simple Any. Include users from the following country codes:

  • Country Code Equals US

  • Country Code Equals CA

Screen capture of the Create Dynamic Group page showing a filter Any with the Attribute of Country Code.

Example 2

Filter with a simple Any using UUIDs. Include users from the following populations:

  • Population ID Equals 10000000-0000-0000-0000-000000000001

  • Population ID Equals 20000000-0000-0000-0000-000000000001

Screen capture of the Create Dynamic Group page showing a filter Any with the Attribute Population ID.

Example 3

Filter with an Any and All. Include enabled users from the following populations:

  • Population ID Equals 10000000-0000-0000-0000-000000000001

  • Population ID Equals 20000000-0000-0000-0000-000000000001

  • Enabled Equals True

Screen capture of the Create Dynamic Group page showing a filter of Any and All with the Attributes Population ID and Enabled.

Example 4

Filter with an All and several Any. Include users who are in Canada and belong to either of two populations, as well as a user with a particular email address.

  • Population ID Equals 10000000-0000-0000-0000-000000000001

  • Country Code Equals CA

  • Population ID Equals 20000000-0000-0000-0000-000000000001

  • Country Code Equals CA

  • Email Address Equals admin@example.com

Screen capture of the Create Dynamic Group page showing a filter of Any and All with the Attributes Population ID, Country Code, and Email Address.

Example 5

Filter with an All and several Any. Include all users who are in the US and in the Sales department and belong to either of two populations, as well as a user with a particular email address. Note that the Department attribute is a custom attribute.

  • Population ID Equals 10000000-0000-0000-0000-000000000001

  • Country Code Equals US

  • Department Equals Sales

  • Population ID Equals 20000000-0000-0000-0000-000000000001

  • Country Code Equals US

  • Department Equals Sales

  • Email Address Equals admin@example.com

Screen capture of the Create Dynamic Group page showing a filter of All and Any with the Attributes Population ID, Country Code, Department, and Email Address.

Learn more in Managing group membership.
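The following is an added example, not PingOne code: a small evaluator for the Any/All filter shapes used in Examples 3 and 4, run over a constructed set of users. It also shows that manually added users stay members without matching the filter and that a user is implicitly added or removed when an attribute changes. The attribute keys (population_id, country_code, enabled, email) are assumed for the illustration; PingOne's real dynamic-group filters use SCIM syntax.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Eq:            # one "Attribute Equals value" row of the filter
    attr: str
    value: object
    def matches(self, user):
        return user.get(self.attr) == self.value

@dataclass(frozen=True)
class AnyOf:         # an "Any" block: at least one term must match
    terms: tuple
    def matches(self, user):
        return any(t.matches(user) for t in self.terms)

@dataclass(frozen=True)
class AllOf:         # an "All" block: every term must match
    terms: tuple
    def matches(self, user):
        return all(t.matches(user) for t in self.terms)

POP1 = "10000000-0000-0000-0000-000000000001"   # population IDs from the examples
POP2 = "20000000-0000-0000-0000-000000000001"

# Example 3: enabled users from either population.
EXAMPLE3 = AllOf((AnyOf((Eq("population_id", POP1), Eq("population_id", POP2))),
                  Eq("enabled", True)))
# Example 4: either population but only in Canada, plus one named admin.
EXAMPLE4 = AnyOf((AllOf((Eq("population_id", POP1), Eq("country_code", "CA"))),
                  AllOf((Eq("population_id", POP2), Eq("country_code", "CA"))),
                  Eq("email", "admin@example.com")))

USERS = [  # constructed sample directory, not real PingOne data
    {"email": "alice@example.com", "population_id": POP1, "country_code": "CA", "enabled": True},
    {"email": "bob@example.com", "population_id": POP1, "country_code": "US", "enabled": True},
    {"email": "carol@example.com", "population_id": POP2, "country_code": "CA", "enabled": False},
    {"email": "admin@example.com", "population_id": "other-pop-id", "country_code": "GB", "enabled": True},
]

def members(rule, users, manual=()):
    """Dynamic membership: users matching the rule plus any added manually
    (manual additions need not match the filter)."""
    return sorted(u["email"] for u in users
                  if rule.matches(u) or u["email"] in manual)

def after_change(rule, users, email, **changes):
    """Recompute membership after one user's attributes change, showing the
    implicit add/remove behaviour of a dynamic group."""
    updated = [dict(u, **changes) if u["email"] == email else u for u in users]
    return members(rule, updated)
```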

Nested groups

A nested group is a group that is a member of another group.

Use nested groups to allow inheritance of membership and application access from one group to its subgroups. For more information, see Application access control.

You cannot nest an environment-level group inside a population-level group.

For example, assume an environment has three groups: Group A, Group B, and Group C. Each group has access to a single application: Group A has access to App1, Group B has access to App2, and Group C has access to App3.

If you nest Group B inside of Group A, and Group C inside of Group B, then application access will be as follows:

  • Group A has access to App1.

  • Group B has access to App1 and App2.

  • Group C has access to App1, App2, and App3.

The following diagram illustrates this example.

Nested groups diagram

Circular references

You can also nest groups inside their subgroups. Continuing the previous example, if you add Group A as a subgroup of Group C, creating a circular reference, then all three groups will have access to all three applications.
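As an added example (not PingOne code), the following computes the effective application access of the Group A/B/C scenario above, including the circular-reference case, and flags nestings the page says are not allowed. A group's access is its own applications plus those of every group it is transitively nested inside; the visited set is what keeps a circular reference from looping. The `member_of` and `level` structures are assumptions for the illustration.

```python
# Direct application access and nesting from the page's example.
DIRECT = {"A": {"App1"}, "B": {"App2"}, "C": {"App3"}}
NESTED = {"B": {"A"}, "C": {"B"}}              # group -> groups it is nested inside
CIRCULAR = {"B": {"A"}, "C": {"B"}, "A": {"C"}} # plus Group A nested inside Group C

def ancestors(group, member_of):
    """Every group that `group` is nested inside, directly or transitively.
    The visited set makes this terminate even with circular references."""
    seen, stack = set(), list(member_of.get(group, ()))
    while stack:
        g = stack.pop()
        if g not in seen:
            seen.add(g)
            stack.extend(member_of.get(g, ()))
    return seen

def effective_access(group, direct, member_of):
    """Own applications plus everything inherited from parent groups."""
    apps = set(direct.get(group, ()))
    for g in ancestors(group, member_of):
        apps |= direct.get(g, set())
    return frozenset(apps)

def circular_groups(member_of):
    """Groups that are (transitively) nested inside themselves. Worth
    reviewing, because a cycle grants every member group the union of
    all access in the cycle."""
    return {g for g in member_of if g in ancestors(g, member_of)}

def nesting_violations(level, member_of):
    """(child, parent) pairs that nest an environment-level group inside a
    population-level group, which PingOne does not allow."""
    return sorted((child, parent)
                  for child, parents in member_of.items()
                  for parent in parents
                  if level[child] == "environment" and level[parent] == "population")

# Constructed level assignments (not from the page) to exercise the check.
LEVEL_OK = {"A": "environment", "B": "environment", "C": "environment"}
LEVEL_BAD = {"A": "population", "B": "environment", "C": "environment"}
```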

Group roles

To make permissions management easier, you can assign roles to groups and individual users.

Using group roles, you can:

  • Manage roles for multiple users at once.

  • Apply role changes in bulk.

  • See users that have a certain role by viewing group members.

    You can use roles to manage permissions for groups of administrators. Learn more in Managing administrators.

For security reasons, only static groups can have roles assigned to them. That is, you can’t assign roles to groups that have members included based on a filter or rule. With a dynamic group, you might inadvertently add users to the group that would inherit role assignments. Learn more in Static and dynamic groups.

When adding users to groups that have roles assigned, be careful not to inadvertently assign a role to a user by adding them to a group. If a user has a role from being in a group, remove the user from the group to remove the role. If a user has a role assigned to them individually, you can remove the role from the user.

  • You can assign only roles that are assigned to you, or that are assignable by those roles. For example, the Identity Data Admin role has permissions that allow it to assign the Identity Data Admin Read Only role. Therefore, if you are assigned the Identity Data Admin role, you can assign that role or the Identity Data Admin Read Only role to a group.

  • An admin might not have permissions to assign roles but can add or remove users from a group that has role assignments. In other words, one admin can assign roles to a group, and a different admin can add or remove users from that group.

  • You cannot assign roles to a group that you are a member of.

  • You cannot add or remove yourself from a group that has roles assigned to it.

  • Roles assigned to a group will not affect roles that are assigned to a user individually.

  • You can assign roles in up to 500 groups.