Use this task to add a group to another group.
To assign groups directly to a group
- OR -
Remove assignments to groups in Remove assignments.
|Configuration parameter||Active Meaning|
Preprocessor relevant configuration parameter for controlling effectiveness of group memberships. If the parameter is set, memberships can be reduced on the basis of exclusion definitions. The database has to be recompiled after changes have been made to the parameter.
When groups are assigned to user accounts an employee may obtain two or more groups, which are not permitted in this combination. To prevent this, you can declare mutually exclusive groups. To do this, you specify which of the two groups should apply to the user accounts if both are assigned.
It is possible to assign an excluded group directly, indirectly or by IT Shop request at any time. One Identity Manager determines whether the assignment is effective.
The effect of the assignments is mapped in the tables
Clara Harris has a user account in this
By using suitable controls, you want to prevent an employee from
|Effective Group||Excluded Group|
|Group B||Group A|
|Group C||Group B|
|Employee||Member in Role||Effective Group|
|Ben King||Marketing||Group A|
|Jan Bloggs||Marketing, finance||Group B|
|Clara Harris||Marketing, finance, control group||Group C|
|Jenny Basset||Marketing, control group||Group A, Group C|
Only the group C assignment is in effect for Clara Harris. It is published in the target system. If Clara Harris leaves the business role "control group" at a later date, group B also takes effect.
The groups A and C are in effect for Jenny Basset because the groups are not defined as mutually exclusive.
|Employee||Member in Role||Assigned Group||Excluded Group||Effective Group|
|Control group||Group C||Group B
To exclude a group
- OR -
Remove the conflicting groups that are no longer mutually exclusive in Remove assignments.
Groups and be selectively inherited by user accounts and contacts in One Identity Manager. The groups and user accounts (contacts) are divided into categories in the process. The categories can be freely selected and are specified by a template. Each category is given a specific position within the template. The formatting rule contains tables which map the user accounts (contact) and the groups. Specify your categories for user account (contacts) in the table for user accounts (contacts). Enter your categories fro groups in the group table. Each table contains the category items "Position1" to "Position31".
Every user account (contact) can be assigned to one or more categories. Each group can also be assigned to one or more categories. The structural profile is inherited by the user account (contact) when at least one user account (contact) category item matches an assigned structural profile. If the group or user account (contact) is not in classified into categories, the group is also inherited by the user account (contact).
NOTE: Inheritance through categories is only taken into account when groups are assigned indirectly through hierarchical roles. Categories are not taken into account when assigning groups to user accounts and contacts.
|Category Position||Categories for User Accounts||Categories for Groups|
|1||Default user||Default permissions|
|2||System user||System user permissions|
|3||System administrator||System administrator permissions|
Figure 2: Example of inheriting through categories.
To use inheritance through categories
It is possible to define more account policies for the default domain's password policies if the domains have the functional level "Windows Server 2008 R2" or higher. This allows individual users and groups to be subjected to stricter account policies as intended for global groups.
To specify account policies for a group
- OR -
Remove the account policies in Remove assignments.