--- title: Add directory groups and entitlements description: You need to be either either a Global Administrator, an Identity Repository Administrator or Group and Entitlement Manager to add directory groups. component: pingoneforenterprise page_id: pingoneforenterprise:pingone_for_enterprise:p14e_add_p1d_groups_entitlements canonical_url: https://docs.pingidentity.com/pingoneforenterprise/pingone_for_enterprise/p14e_add_p1d_groups_entitlements.html revdate: March 2, 2022 section_ids: before-you-begin: Before you begin about-this-task: About this task steps: Steps result: Result: --- # Add directory groups and entitlements ## Before you begin You need to be either either a Global Administrator, an Identity Repository Administrator or Group and Entitlement Manager to add directory groups. ## About this task By default, all new users are automatically assigned to the group `Users`, which has no directory entitlements (users aren't able to view directory information). You can add a new group to the PingOne for Enterprise Directory, give the group a meaningful name, and (optionally) assign a directory role to the group. A user's directory entitlements are inherited from the entitlements from their group memberships. A group's entitlements derive from the role assigned to the group. By default all members of all groups have access to all of the applications you add. The applications available to a user are displayed in the PingOne dock. If you've added applications to PingOne, when you're finished adding directory groups, see [Authorize group access to applications](p14e_authorize_group_access_applications.html) to control a group's access to applications. By default, all PingOne for Enterprise administrative users are assigned to a group called `Domain Administrators`. This group is read-only and can't be directly modified. Learn how to change your administrators' permissions in [Assign administrative roles](p14e_assign_administrative_roles.html). | | | | - | ----------------------------------------------------------------------------------------------------------------------------------------- | | | Regular reviews of group access privileges and memberships helps prevent unauthorized access to critical applications and sensitive data. | ## Steps 1. Go to **Users > User Directory > Groups**. 2. Click **Add Group**. The New Group page is displayed. 3. Enter a name to use for the new group and select the directory role to assign to the group. A group can be assigned only one role. * User Reader Groups assigned this role are entitled only to view user and group directory information. * User Manager Groups assigned this role have User Reader entitlements plus the ability to invite and create directory users and modify user attributes, though not group memberships. * Group and Entitlement Manager Groups assigned this role have User Manager entitlements plus the ability to create directory groups, assign entitlements to groups and change group membership. ### Result: For all of the roles, the PingOne admin portal application is added to the PingOne dock for each group member. In this case (for all roles), the PingOne admin portal displays only the **Users** and **Groups** tabs. 4. Click **Save** when you're finished. 5. Repeat these steps for any additional groups to add to the directory. 6. If you've added applications to PingOne, see [Authorize group access to applications](p14e_authorize_group_access_applications.html) to control a group's access to applications.