PingOne for Enterprise

Add directory groups and entitlements

Before you begin

You need to be either a Global Administrator, an Identity Repository Administrator, or a Group and Entitlement Manager to add directory groups.

About this task

By default, all new users are automatically assigned to the group Users, which has no directory entitlements (users aren’t able to view directory information).

You can add a new group to the PingOne for Enterprise Directory, give the group a meaningful name, and (optionally) assign a directory role to the group. A user’s directory entitlements are inherited from the groups the user belongs to. A group’s entitlements derive from the role assigned to the group.

By default, all members of all groups have access to all of the applications you add. The applications available to a user are displayed in the PingOne dock. If you’ve added applications to PingOne, see Authorize group access to applications after you finish adding directory groups to control a group’s access to applications.

Regular reviews of group access privileges and memberships help prevent unauthorized access to critical applications and sensitive data.

Steps

  1. Go to Users → User Directory → Groups.

  2. Click Add Group. The New Group page is displayed.

  3. Enter a name to use for the new group and select the directory role to assign to the group.

    A group can be assigned only one role.

    User Reader

    Groups assigned this role are entitled only to view user and group directory information.

    User Manager

    Groups assigned this role have User Reader entitlements plus the ability to invite and create directory users and modify user attributes, though not group memberships.

    Group and Entitlement Manager

    Groups assigned this role have User Manager entitlements plus the ability to create directory groups, assign entitlements to groups and change group membership.

    Result:

    For all of the roles, the PingOne admin portal application is added to the PingOne dock for each group member. For these group members, regardless of role, the PingOne admin portal displays only the Users and Groups tabs.

  4. Click Save when you’re finished.

  5. Repeat these steps for any additional groups to add to the directory.

  6. If you’ve added applications to PingOne, see Authorize group access to applications to control a group’s access to applications.
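
The role inheritance and the regular membership reviews described above can be checked offline. The following is an added example, not PingOne code or a PingOne API: it assumes group data is already available as a mapping, and the entitlement labels, group names, users, and the modelling of the default Users group as "no role" are constructed for illustration.

```python
# Added example: models the cumulative directory roles described on this page.
# Entitlement labels and the sample data below are constructed, not PingOne output.
READER = {"view_directory"}
MANAGER = READER | {"invite_create_users", "modify_user_attributes"}
GROUP_MGR = MANAGER | {"create_groups", "assign_entitlements", "change_membership"}

ROLE_ENTITLEMENTS = {
    None: set(),  # assumption: a group with no role, like the default Users group
    "User Reader": READER,
    "User Manager": MANAGER,
    "Group and Entitlement Manager": GROUP_MGR,
}

# Constructed sample: group name -> (the single role assigned, members)
GROUPS = {
    "Users": (None, {"alice", "bob", "carol", "dave"}),
    "Helpdesk": ("User Reader", {"bob", "carol"}),
    "HR Onboarding": ("User Manager", {"carol"}),
    "IAM Admins": ("Group and Entitlement Manager", {"dave"}),
}

def effective_entitlements(groups):
    """Union of entitlements over every group a user belongs to."""
    result = {}
    for name, (role, members) in groups.items():
        if role not in ROLE_ENTITLEMENTS:
            raise ValueError(f"group {name!r} has unknown role {role!r}")
        for user in members:
            entry = result.setdefault(user, {"entitlements": set(), "sources": []})
            entry["entitlements"] |= ROLE_ENTITLEMENTS[role]
            if role is not None:
                entry["sources"].append((name, role))
    return result

def review_findings(groups, approved_group_managers):
    """Users who can change group membership but are not on the approved list."""
    findings = []
    for user, entry in sorted(effective_entitlements(groups).items()):
        if "change_membership" in entry["entitlements"] and user not in approved_group_managers:
            granting = [g for g, r in entry["sources"] if r == "Group and Entitlement Manager"]
            findings.append((user, granting))
    return findings

if __name__ == "__main__":
    for user, entry in sorted(effective_entitlements(GROUPS).items()):
        print(user, sorted(entry["entitlements"]), entry["sources"])
    print("unapproved:", review_findings(GROUPS, approved_group_managers=set()))
```

Each finding names the group that grants the privilege, so the reviewer knows which membership to remove or which role assignment to question.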