PingOne groups correspond to groups in the user repository associated with your identity bridge. When a user signs on (SSO), their group information from the identity bridge is matched to a corresponding PingOne group. This enables you to authorize user access to cloud applications based on their group membership.
When you authorize applications for a group, those applications displayed in the PingOne dock for all members of the group and are available only to the group members. Any applications that you do not assign to a group are available to all users, but aren't displayed in the PingOne dock. Instead, users can SSO to these applications using the SSO URL assigned to the application.