Create group

The instructions below are aimed at helping to create Group in OpenIAM. The precess described below is similar to that of Roles creation, described here with the exception of several minor details.

Create a new group

The steps below describe how to create a new group using the Webconsole (admin interface). You can also upload new groups using the synchronization feature (CSV file) or through the OpenIAM Rest API.

To create a new group:

  • Login to the Webconsole and go to Access Control -> Group
  • Go to Create new group from the side menu. You will see the screen below.

Create groups - types

  • From the screen, select the group type from the drown down.
  • Complete the group creation screen as described in the table below.
Field NameDescription
Password policySelect the password policy that should be effective for the systems to be associated with this group. In most cases it is a Default Password Policy.
Group NameUnique name to identify this group.
DescriptionDetails describing this group. The description should be a meaningful and clear statement to end-users, access reviewers and auditors if the system will be used for access certification.
Managed SystemThe Managed System field value should be the system that account will be created in. If you need to manage more than one Managed System with this group, use Group entitlements screen to add other values.
RiskValue of the risk field can be low or high. By default, this value does not impact behavior. Rules can be introduced to leverage this flag, which is often needed for access certification campaigns.
StatusValues are Active or Inactive. They can prevent a group from being used by making it Inactive.
Max. number of usersMaximum number of users that can be members of this group.
Default membership durationDefault period, when a user can be a member of this group. After this period, the user will be removed.
Group parentGroups support inheritance. The Group parent is the immediate group from which entitlements should be inherited.
GUIDGUID which may relate to this group in another application. This is not an OpenIAM generated value.
Group ownerUser or group of people who own this group. This value is often used in request / approval and access certification tasks.
Group adminUser or group of people who administer this role. This value is often used in request / approval and access certification tasks.
Is VisibleFlag is used to hide objects from some groups of administrators who have access to webconsole/self-service. Here, the object becomes available for super security administrators only.
Participate in access certificationFlag is used to determine if this group should be excluded from access certification requests.
All users provisioned to this groupFlag which determines if this group should be granted by default to all users regardless of other criteria.

Create Group - details

The group creation and edit page are template based. It means that you can remove or add the required field at your own discretion and according to your business needs.

To amend the template go to Administration -> Page templates -> Default Role Template and click Edit.

In the screen shown in the figure below, you can add and/or remove a field, make it required and editable as needed.

Group Template - field amendment

As it was mentioned earlier, working with groups is similar to that of working with roles. Hence, to find, import, or for any other functions related to groups, user can make use of same procedure, required for Roles.

To find instruction on how to work with roles go to Roles Manager Overview page.

You can also create groups in bulk via importing them with CSV file. This service is performed using synchronization service in OpenIAM. The importing process is described in the Importing roles section.

**Note. To import groups, follow the same procedure as described in Importing roles section, but use CSV GROUP Example template instead.