PingOne

Managing groups

Create groups, manage group membership, and edit existing groups.

Creating a group

About this task

Use the Groups page to create groups. You can create static and dynamic groups. See Static and dynamic groups.

You must have the Identity Data Admin role to create or edit groups. With the Identity Data Read Only role, you can view groups and group membership, but you can’t create or edit groups.

Steps

  1. Go to Directory → Groups.

  2. Click the icon.

  3. Enter the following:

    • Group name: A name for the group. The name must be unique within the environment for environment groups, and unique within a population for population groups.

    • Description (optional): A brief characterization of the group.

    • Population (optional): The population in which the group will be created. Users with the Environment Admin role can create groups at the environment level, but users with the Identity Admin role must assign a group to a population for which they are an Identity Admin. If you select a population, the group can contain users from that population only.

    • Metadata Properties (optional): Custom metadata properties associated with the group, represented as key-value pairs. To add properties, either:

      • Enter the Name and Value in the corresponding fields.

        Screen capture of the Add Group wizard with the Metadata Properties populated with two values

      • If you want to add complex properties that include JSON object values, or directly write properties as JSON, click Edit JSON and add the key-value data in the editor.

        Screen capture of the edit JSON window in the Metadata Properties section

      To switch back to the field view, click Edit Key-Value-Pairs.

    • To define more than 10 custom properties, you must use the JSON editor.

    • If you define fewer than 10 properties in the JSON editor, the Overview tab displays them in the Name and Value columns. Otherwise, they are displayed as JSON.

    • If you include a JSON object for any property value in the JSON editor, the Overview tab displays the properties as JSON.

  4. Click Save.

Next steps

Add members to your group.

Managing group membership

About this task

You can define group members manually, dynamically, or using a combination of both.

To include members dynamically, you create a filter that defines which users should be in the group. If you create a dynamic group, you can still add users to the group manually.

Steps

  1. Go to Directory → Groups.

  2. Locate the group to which you want to add users.

    You can browse or search for groups.

  3. Click the appropriate group name to expand the details pane.

  4. Click the Users tab.

    If the group already has members, click the Pencil icon to edit membership using Add/Remove users or Edit using filter.

  5. To add users to the group, follow the instructions for your preferred method.

    You can’t add users to an external group in PingOne. Group membership is managed by the group source. You can remove users, but the user might be added back into the group automatically the next time the group is synced with the source.

  • Manually from Groups

  • Dynamically from Groups

  • Manually from Users

  • Using Advanced SCIM Mode

Adding or removing users manually from the Groups page

About this task

Use the Groups details page to add or remove members manually. You can also add users to a group from the Users details page.

Steps

  1. Go to Directory → Groups.

  2. Locate the group to which you want to add users.

    You can browse or search for groups.

  3. Click the appropriate group name to expand the details pane.

  4. Click the Users tab.

  5. Click the Add Individually button.

    If the group already has users, click the Pencil icon, and then click Add/Remove Users.

  6. Click the All Users tab.

    Result:

    All available users are shown in the All Users list.

  7. Do one or more of the following:

    • To add a user, click the icon for the appropriate user.

    • To remove a user, click the checkmark for the appropriate user.

      If a user is a member of a group because of a filter match, the user is shown in the Members list. However, you can’t manually remove a member of a dynamic group. To remove a user from a dynamic group, change the filter criteria or modify user attributes to no longer match the filter criteria.

      Additionally, you can’t add users to an external group in PingOne. Group membership is managed by the group source. You can remove users, but the user might be added back into the group automatically the next time the group is synced with the source.

  8. Click Save.

Adding or removing users dynamically from the Groups page

About this task

Use the Groups details page to add or remove members dynamically based on a filter.

If new users are added, or existing users are updated, the group membership is updated automatically based on the criteria in the filter. If you create a dynamic group, you can still add users to the group manually.

Steps

  1. Go to Directory → Groups.

  2. Locate the group to which you want to add users.

    You can browse or search for groups. The results list is updated as you enter the search query.

  3. Click the appropriate group name to expand the details pane.

  4. Click the Users tab, and then click Add with a Filter.

    If the group already has users, click the Pencil icon, and then click Edit Users Filter.

  5. In the Create Dynamic Group window, define the filter that will determine group membership.

    For examples of filter expressions, see Dynamic group examples.

  6. Enter the first condition:

    Attribute

    The user attribute to filter on.

    Boolean attributes support the Equals operator only, because they are either true or false.

    Operator

    Select Equals, Starts with, Ends with, or Contains.

    Value

    Enter the appropriate value.

    A screen capture of the Create Dynamic Group page, showing a condition or filter that identifies a certain category of users.

  7. If needed, click Add, and then click Condition to add another condition.

  8. Select All or Any to determine how the linked conditions are combined: a logical AND (All) or a logical OR (Any).

    All filters in the same condition block must use the same logical operator.

  9. Continue adding conditions or condition blocks as needed.

  10. Click Save Filtered Users.

    Result:

    The group is updated with any users that match the expression. If the filter is invalid, you see an error message and no users are added to the group.

  11. Click the Users Matched tab to see the list of filtered users.

Adding or removing users manually from the Users page

About this task

Use the Users page to manually add or remove users from a group.

Steps

  1. Go to Directory → Groups.

  2. Locate the user you want to view.

    You can browse or search for users. The results list is updated as you enter the search query.

  3. Click the user entry to open the details panel.

  4. Click the Groups tab.

    The list shows current group membership.

  5. Click the Pencil icon.

  6. Do one or more of the following:

    • To add the user to a group, select the checkbox next to the group name.

    • To remove a user from a group, clear the checkbox next to the group name.

      If a user is in a group because of a filter match, you can’t remove the user directly. To remove a user from a dynamic group, change the filter criteria or modify user attributes to no longer match the filter criteria.

      Additionally, you can’t add users to an external group in PingOne. Group membership is managed by the group source. You can remove users, but the user might be added back into the group automatically the next time the group is synced with the source.

  7. Click Save.

Adding users using the Advanced (SCIM) Mode editor

About this task

If you prefer to create a SCIM filter directly, you can use Advanced (SCIM) mode to determine which users should be in a group.

If new users are added, or existing users are updated, the group membership is updated automatically based on the criteria in the filter. If you create a dynamic group, you can still add users to the group manually.

Steps

  1. Go to Directory → Groups.

  2. Locate the group to which you want to add users. You can browse or search for groups.

  3. Click the appropriate group name to expand the details pane.

  4. Click the Members tab and then click Add members dynamically.

  5. In the Create Dynamic Group window, click Advanced (SCIM) mode.

    If you have defined a filter in Basic mode, the filter will appear as a SCIM filter, although some complex SCIM filters cannot be displayed in Basic mode.

  6. Enter a SCIM filter expression to define members of the group. For more information, see SCIM filter language.

  7. Click Save Filtered Users.

    Result:

    The group is updated with any users that match the expression. If the filter is invalid, an error message will appear and no users will be added to the group.

  8. Click the Users matched tab to see the list of filtered users.
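
The Basic mode conditions from the dynamic filter steps and the SCIM expression entered in Advanced (SCIM) mode, as an added example that is not PingOne's own code: it renders condition blocks with the RFC 7644 operators (eq, sw, ew, co, and, or), escapes values so they can't alter the expression, and previews which users would match. The attribute names, sample users, and the case-insensitive local matching are assumptions of this example.

```python
import re

OPS = {"Equals": "eq", "Starts with": "sw", "Ends with": "ew", "Contains": "co"}
JOIN = {"All": " and ", "Any": " or "}
ATTR = re.compile(r"^[A-Za-z]\w*(\.[A-Za-z]\w*)*$", re.ASCII)
LOCAL = {"Equals": lambda a, v: a == v, "Starts with": str.startswith,
         "Ends with": str.endswith, "Contains": lambda a, v: v in a}

def literal(value):  # booleans are bare; strings are quoted and escaped
    if isinstance(value, bool):
        return "true" if value else "false"
    return '"' + str(value).replace("\\", "\\\\").replace('"', '\\"') + '"'

def build_filter(block):
    """block: {"match": "All"|"Any", "conditions": [(attr, op, value) or block]}"""
    parts = []
    for cond in block["conditions"]:
        if isinstance(cond, dict):  # nested condition block
            parts.append("(" + build_filter(cond) + ")")
            continue
        attr, op, value = cond
        if not ATTR.match(attr) or op not in OPS or (isinstance(value, bool) and op != "Equals"):
            raise ValueError(f"unsupported condition: {cond!r}")
        parts.append(f"{attr} {OPS[op]} {literal(value)}")
    return JOIN[block["match"]].join(parts)

def matches(block, user):  # local approximation; flat attributes, case-insensitive (assumption)
    def one(cond):
        if isinstance(cond, dict):
            return matches(cond, user)
        attr, op, value = cond
        actual = user.get(attr)
        if isinstance(value, bool) or not isinstance(actual, str):
            return actual is value
        return LOCAL[op](actual.lower(), str(value).lower())
    return (all if block["match"] == "All" else any)(map(one, block["conditions"]))

def preview(block, users):
    build_filter(block)  # reject unsupported conditions before evaluating
    return [u["username"] for u in users if matches(block, u)]

# Constructed sample data; attribute names and values are illustrative only.
BLOCK = {"match": "All", "conditions": [("enabled", "Equals", True),
    {"match": "Any", "conditions": [("email", "Ends with", "@corp.example"),
                                    ("title", "Contains", "Administrator")]}]}
USERS = [dict(username=n, enabled=e, email=m, title=t) for n, e, m, t in [
    ("alice", True, "alice@corp.example", "Engineer"),
    ("bob", False, "bob@corp.example", "Systems Administrator"),
    ("carol", True, "carol@partner.example", "Database Administrator")]]
```

Comparing the `preview` result with the Users Matched tab after saving is a quick check that the filter selects only the intended users, which matters most when the group also carries administrator roles.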

Creating a nested group

Before you begin

You must create the groups before you can nest them. For more information, see Nested groups and Creating a group.

About this task

Use the Groups page to nest groups within other groups.

Steps

  1. Go to Directory → Groups.

  2. Locate the group that you want to be the parent group. You can browse or search for groups.

  3. Click the appropriate group name to expand the details pane.

  4. Click the Groups tab.

  5. Do one of the following:

    • If the parent group doesn’t have any nested groups, click Add groups manually. Locate the group that you want to nest, and then click the icon.

    • If the parent group already has nested groups, click the Pencil icon and then click Add/remove groups. Locate the group that you want to nest, and then click the icon.

      Result:

      The icon changes to a checkmark when the group has been added.

  6. Click Save.

Removing a nested group

About this task

Use the Groups page to remove a nested group from a parent group.

Steps

  1. Go to Directory → Groups.

  2. Locate the parent group. You can browse or search for groups.

  3. Click the appropriate group name to expand the details pane.

  4. Click the Groups tab.

  5. Click the Pencil icon and then click Add/remove groups.

  6. Locate the group that you want to remove, and then click the checkmark.

    Result:

    The checkmark changes to a icon after the group is removed.

  7. Click Save.

Managing group roles

About this task

A role is a collection of permissions that can be assigned to a user or group. You can add, remove, or limit the scope of roles for groups from the Groups page. Group role assignment is a convenient way to manage administrator access. Learn more about the capabilities of each role in Administrator Roles.

Steps

  1. Go to Directory → Groups.

  2. Click an existing group entry to open the details panel, or create a new group.

    Learn more in Creating a group.

  3. Click the Roles → Administrator Roles tab.

    If roles are assigned, they’re listed here with information about where those roles apply. For example, in the following image, BX User has the Application Owner role in two environments. Because the role is assigned at the environment level, they have the role over all of the applications in those environments. In a third environment, they have the role over only two applications. They also have the Environment Admin role in three environments.

    You can assign administrator roles to users, groups, applications, or PingFederate gateway integrations.

    A screen capture of the user details for BX User. Roles > Administrator Roles is selected, and shows the assignment of the Application Owner role over 2 environments, and in a third over two applications. Also shows the Environment Admin role in three environments.

    Click the Info icon to view the permissions associated with the role. Click the down arrow on the right to view the list of environments or populations for which the role is assigned.

    Screen capture of the Environment Admin and Application Owner roles expanded to display detailed information about the environments and applications over which the user is assigned the role.

  4. Click Grant Roles.

    The Available Responsibilities tab lists the roles that you are allowed to assign and the environments for which you are allowed to assign them. A responsibility is the combination of the role assignment and the level, or scope, at which the role is applied. Depending on the role, it could be assigned at the organization, environment, population, or application level.

    The Granted Responsibilities tab lists any roles that are currently assigned.

  5. On the Available Responsibilities tab, click the role that you want to assign or change and perform any combination of the following:

    1. To assign the role, select the checkboxes next to the applicable environments.

      Click Select All or Remove All to select or clear all available responsibilities.

    2. To remove a role assignment, clear the checkboxes next to the applicable environments.

    3. To grant this access for only a portion of the environment, click the Reduce Access icon, select a subset of the available applications or populations on the Limit Access page, and click Confirm.

      A screen capture of the Limit Access page showing one population selected out of three populations

      You can grant only roles that are assigned to you or that confer the permissions needed to assign that role to others. For example, if you do not have the Environment Admin role, you cannot assign the Environment Admin role to others (and that role will not be listed under Available Responsibilities). However, if you have the Identity Data Admin role, you can assign either the Identity Data Admin role or the Identity Data Read Only role to others.

      Learn more about the permissions associated with each role in Roles.

  6. Click Save.

Result

The role assignments you selected are listed on the Granted Responsibilities tab.

Next steps

Learn more about role assignment using external groups in Managing administrator roles using external groups.

Editing a group

About this task

Use the Groups page to edit existing groups in the PingOne Directory.

Steps

  1. Go to Directory → Groups.

  2. Locate the group that you want to edit. You can browse or search for groups.

  3. Click the group entry to open the details panel.

  4. On the Overview tab, review the group settings.

  5. On the Users tab, edit the group membership. You can add users manually, dynamically, or a combination of both. Learn more in Managing group membership.

    You can’t add users to an external group in PingOne. Group membership is managed by the group source. You can remove users, but the user might be added back into the group automatically the next time the group is synced with the source.

  6. On the Groups tab, edit the nested groups. Learn more in Nested groups.

  7. On the Roles tab, edit the group roles. Learn more in Group roles.

  8. Click the X in the upper right to close the group details panel.

Deleting a group

About this task

Use the Groups page to remove a group you no longer need.

Steps

  1. Go to Directory → Groups.

  2. Locate the group that you want to delete.

    You can browse or search for groups. The results list is updated as you enter the search query.

  3. On the right side of the group label, click the More options menu and then click Delete.

  4. In the confirmation message, click Delete.