PingOne

Managing groups

Create groups, manage group membership, and edit existing groups.

Creating a group

About this task

Use the Groups page to create groups. You can create static and dynamic groups. Learn more in Static and dynamic groups.

You must have the Identity Data Admin role to create or edit groups. With the Identity Data Read Only role, you can view groups and group membership, but you can’t create or edit groups.

Steps

  1. In the PingOne admin console, go to Directory > Groups.

  2. Click the icon.

  3. Enter the following:

    • Group Name: A name for the group. The name must be unique within the environment for environment groups, and unique within a population for population groups.

    • Description (optional): A brief description of the group.

    • Population (optional): The population in which the group will be created. Users with the Environment Admin role can create groups at the environment level, but users with the Identity Admin role must assign a group to a population for which they are an Identity Admin. If you select a population, the group can contain users from that population only.

    • Metadata Properties (optional): Custom metadata properties associated with the group, represented as key-value pairs. To add properties, either:

      • Enter the Name and Value in the corresponding fields.

        Screen capture of the Add Group wizard with the Metadata Properties populated with two values

      • If you want to add complex properties that include JSON object values, or directly write properties as JSON, click Edit JSON and add the key-value data in the editor.

        Screen capture of the edit JSON window in the Metadata Properties section

      To switch back to the field view, click Edit Key-Value-Pairs.

    • To define more than 10 custom properties, you must use the JSON editor.

    • If you define fewer than 10 properties in the JSON editor, the Overview tab displays them in the Name and Value columns. Otherwise, they are displayed as JSON.

    • If you include a JSON object for any property value in the JSON editor, the Overview tab displays the properties as JSON.

  4. Click Save.

Next steps

Add members to your group.

Managing group membership

About this task

You can define group members manually, dynamically, or using a combination of both.

To include members dynamically, you create a filter that defines which users should be in the group. If you create a dynamic group, you can still add users to the group manually.

Steps

  1. In the PingOne admin console, go to Directory > Groups and browse or search for the group to which you want to add users.

  2. Click the group entry to open the details panel.

  3. On the Users tab, follow the instructions for your preferred method.

    You can’t add users to an external group in PingOne. Group membership is managed by the group source. You can remove users, but the user might be added back into the group automatically the next time the group is synced with the source.

  • Manually from Groups

  • Dynamically from Groups

  • Manually from Users

  • Using Advanced SCIM Mode

Adding or removing users manually from the Groups page

About this task

Use the Groups details page to add or remove members manually. You can also add users to a group from the Users details page.

Steps

  1. In the PingOne admin console, go to Directory > Groups and browse or search for the group to which you want to add users.

  2. Click the group entry to open the details panel.

  3. On the Users tab, click Add Individually.

    If the group already has users, click the Pencil icon, and then click Edit Users.

  4. Click the All Users tab.

    Result:

    All available users are shown in the All Users list.

  5. Do one or more of the following:

    • To add a user, select the checkbox for the appropriate user.

    • To remove a user, clear the checkbox for the appropriate user.

      If a user is a member of a group because of a filter match, the user is shown in the Members list. However, you can’t manually remove a member of a dynamic group. To remove a user from a dynamic group, change the filter criteria or modify user attributes to no longer match the filter criteria.

      Additionally, you can’t add users to an external group in PingOne. Group membership is managed by the group source. You can remove users, but the user might be added back into the group automatically the next time the group is synced with the source.

  6. Click Save.

Adding or removing users dynamically from the Groups page

Use the Groups details page to add or remove members dynamically based on a filter.

If new users are added, or existing users are updated, the group membership is updated automatically based on the criteria in the filter. If you create a dynamic group, you can still add users to the group manually.

Steps

  1. In the PingOne admin console, go to Directory > Groups and browse or search for the group to which you want to add users.

  2. Click the group entry to expand the details panel.

  3. Click the Users tab, and then click Add with a Filter.

    If the group already has users, click the Pencil icon, and then click Edit Users Filter.

  4. In the Create Dynamic Group window, define the filter that will determine group membership.

    For examples of filter expressions, see Dynamic group examples.

  5. Enter the first condition:

    Attribute

    The user attribute to filter on.

    Boolean attributes support the Equals operator only, because they are either true or false.
    Operator

    Select Equals, Starts with, Ends with, or Contains.

    Value

    Enter the appropriate value.

    A screen capture of Create Dynamic Group page, showing a condition or filter that identifies a certain category of users.

  6. If needed, click Add, and then click Condition to add another condition.

  7. Select All or Any to determine how the linked conditions will be evaluated: Boolean logical All or Any.

    All filters in the same condition block must use the same logical operator.

  8. Continue adding conditions or condition blocks as needed.

  9. Click Save Filtered Users.

    Result:

    The group is updated with any users that match the expression. If the filter is invalid, you see an error message and no users are added to the group.

  10. Click the Users Matched tab to see the list of filtered users.

Adding or removing users manually from the Users page

Use the Users page to manually add or remove users from a group.

Steps

  1. In the PingOne admin console, go to Directory > Users and browse or search for the user you want to add or remove from a group.

  2. Click the user entry to open the details panel.

  3. Click the Groups tab.

    The list shows current group membership.

  4. Click the Pencil icon.

  5. Do one or more of the following:

    Choose from:

    • To add the user to a group, select the checkbox next to the group name.

    • To remove a user from a group, clear the checkbox next to the group name.

      If a user is in a group due to a filter match, you can’t directly remove the user from a dynamic group. To remove a user from a dynamic group, change the filter criteria or modify user attributes to no longer match the filter criteria.

      Additionally, you can’t add users to an external group in PingOne. Group membership is managed by the group source. You can remove users, but the user might be added back into the group automatically the next time the group is synced with the source.

  6. Click Save.

Adding users using the Advanced (SCIM) Mode editor

About this task

If you prefer to create a SCIM filter directly, you can use Advanced (SCIM) mode to determine which users should be in a group.

If new users are added, or existing users are updated, the group membership is updated automatically based on the criteria in the filter. If you create a dynamic group, you can still add users to the group manually.

Steps

  1. In the PingOne admin console, go to Directory > Groups and browse or search for the group to which you want to add users.

  2. Click the group entry to expand the details panel.

  3. Click the Users tab, and then click Add with a Filter.

    If the group already has users, click the Pencil icon, and then click Edit Users Filter.

  4. In the Create Dynamic Group window, click Advanced (SCIM) mode.

    If you have defined a filter in Basic mode, the filter will appear as a SCIM filter, although some complex SCIM filters cannot be displayed in Basic mode.

  5. Enter a SCIM filter expression to define members of the group. Learn more in SCIM filter language.

  6. Click Save Filtered Users.

    Result:

    The group is updated with any users that match the expression. If the filter is invalid, an error message will appear and no users will be added to the group.

  7. Click the Users matched tab to see the list of filtered users.

Creating a nested group

Before you begin

You must create the groups before you can nest them. For more information, see Nested groups and Creating a group.

About this task

Use the Groups page to nest groups within other groups.

Steps

  1. In the PingOne admin console, go to Directory > Groups and browse or search for the group to use as the parent group.

  2. Click the group entry to expand the details panel.

  3. On the Groups tab, do one of the following:

    Choose from:

    • If the parent group doesn’t have any nested groups, click Manage Groups.

    • If the parent group already has nested groups, click the Pencil icon.

  4. Select the checkbox next to the group that you want to nest.

  5. Click Save.

Removing a nested group

About this task

Use the Groups page to remove a nested group from a parent group.

Steps

  1. In the PingOne admin console, go to Directory > Groups and browse or search for the group to use as the parent group.

  2. Click the group entry to expand the details panel.

  3. Click the Groups tab.

  4. Click the Pencil icon and clear the checkbox next to the group you want to remove.

  5. Click Save.

Managing group roles

About this task

Roles are a collection of permissions that can be assigned to a user or group. You can add, remove, or limit the scope of roles for groups from the Groups page. Group role assignment is a convenient way to manage administrator access. Learn more about the capabilities of each role in Administrator Roles.

Steps

  1. In the PingOne admin console, go to Directory > Groups.

  2. Click an existing group entry to open the details panel, or create a new group.

  3. Click the Roles > Administrator Roles tab.

    If roles are assigned, they’re listed here with information about where those roles apply. For example, in the following image, BX User has the Application Owner role in two environments. Because the role is assigned at the environment level, they have the role over all of the applications in those environments. In a third environment, they have the role over only two applications. They also have the Environment Admin role, and they have that role in three environments.

    You can assign administrator roles to users, groups, applications, or PingFederate gateway integrations.
    A screen capture of the user details for BX User. Roles > Administrator Roles is selected, and shows the assignment of the Application Owner role over 2 environments, and in a third over two applications. Also shows the Environment Admin role in three environments.

    Click the Info icon to view the permissions associated with the role. Click the down arrow on the right to view the list of environments or populations for which the role is assigned.
    Screen capture of the Environment Admin and Application Owner roles expanded to display detailed information about the environments and applications over which the user is assigned the role.

  4. Click Grant Roles.

    The Available Responsibilities tab lists the roles that you are allowed to assign and the environments for which you are allowed to assign them. A responsibility is the combination of the role assignment and the level, or scope, at which the role is applied. Depending on the role, it could be assigned at the organization, environment, population, or application level.

    The Granted Responsibilities tab lists any roles that are currently assigned.

  5. On the Available Responsibilities tab, click the role that you want to assign or change and perform any combination of the following:

    1. To assign the role, select the checkboxes next to the applicable environments.

      Click Select All or Remove All to select or clear all available responsibilities.

    2. To remove a role assignment, clear the checkboxes next to the applicable environments.

    3. To grant this access for only a portion of the environment, click the Reduce Access icon (image of reduce access icon), select a subset of the available applications or populations on the Limit Access page, and click Confirm.

      A screen capture of the Limit Access page showing one population selected out of three populations

      You can grant only roles that are assigned to you or that confer the permissions needed to assign that role to others. For example, if you do not have the Environment Admin role, you cannot assign the Environment Admin role to others (and that role will not be listed under Available Responsibilities). However, if you have the Identity Data Admin role, you can assign either the Identity Data Admin role or the Identity Data Read Only role to others.

      Learn more about the permissions associated with each role in Roles.

  6. Click Save.

Result

The role assignments you selected are listed on the Granted Responsibilities tab.

Next steps

Learn more about role assignment using external groups in Managing administrator roles using external groups.

Editing a group

About this task

Use the Groups page to edit existing groups in the PingOne Directory.

Steps

  1. In the PingOne admin console, go to Directory > Groups and browse or search for the group you want to edit.

  2. Click the group entry to expand the details panel.

  3. On the Overview tab, edit the group name, description, or metadata properties. Learn more in Creating a group.

  4. On the Users tab, edit the group membership. You can add users manually, dynamically, or a combination of both. Learn more in Managing group membership.

    You can’t add users to an external group in PingOne. Group membership is managed by the group source. You can remove users, but the user might be added back into the group automatically the next time the group is synced with the source.

  5. On the Groups tab, edit the nested groups. Learn more in Nested groups.

  6. On the Roles tab, edit the group roles. Learn more in Group roles.

  7. Click the X in the upper right to close the group details panel.

Deleting a group

About this task

Use the Groups page to remove a group you no longer need.

Steps

  1. In the PingOne admin console, go to Directory > Groups and browse or search for the group you want to delete.

  2. On the right side of the group entry, click the More options (⋮) icon and then click Delete.

  3. In the confirmation message, click Delete.