In order for SharePoint Online user groups to obtain permissions for individual websites, assign SharePoint Online roles to the groups. SharePoint Online roles and groups must belong to the same site collection.
NOTE: SharePoint Online roles with the Hidden option enabled that reference permission levels, cannot be assigned to groups.
To assign groups to a SharePoint Online role
-
In the Manager, select the SharePoint Online | Roles category.
-
Select the role in the result list.
-
Select the Assign groups task.
-
In the Add assignments pane, assign groups.
TIP: In the Remove assignments pane, you can remove the assignment of groups.
To remove an assignment
- Select the group and double-click .
- Save the changes.
Related topics
Table 15: Configuration parameters for conditional inheritance
QER | Structures | Inherite | GroupExclusion |
Preprocessor relevant configuration parameter for controlling effectiveness of group memberships. If the parameter is set, memberships can be reduced on the basis of exclusion definitions. Changes to this parameter require the database to be recompiled. |
When groups are assigned to user accounts an employee may obtain two or more groups, which are not permitted in this combination. To prevent this, you can declare mutually exclusive groups. To do this, you specify which of the two groups should apply to the user accounts if both are assigned.
It is possible to assign an excluded group at any time either directly, indirectly, or with an IT Shop request. One Identity Manager determines whether the assignment is effective.
NOTE:
- You cannot define a pair of mutually exclusive groups. That means, the definition "Group A excludes group B" AND "Group B excludes groups A" is not permitted.
- You must declare each group to be excluded from a group separately. Exclusion definitions cannot be inherited.
The effectiveness of the assignments is mapped in the O3SUserInO3SGroup and O3SBaseTreeHasGroup tables by the XIsInEffect column.
Example of the effect of group memberships
- Group A is assigned through the "Marketing" department, group B through "Finance", and group C through the "Control group" business role.
Clara Harris has a user account in this site collection. She primarily belongs to the "Marketing" department. The "Control group" business role and the "Finance" department are assigned to her secondarily. Without an exclusion definition, the user account obtains all the permissions of groups A, B, and C.
By using suitable controls, you want to prevent an employee from obtaining authorizations of groups A and group B at the same time. That means, groups A, B, and C are mutually exclusive. A user, who is a member of group C cannot be a member of group B at the same time. That means, groups B and C are mutually exclusive.
Table 16: Specifying excluded groups (O3SGroupExclusion table)
Group A |
|
Group B |
Group A |
Group C |
Group B |
Table 17: Effective assignments
Ben King |
Marketing |
Group A |
Jan Bloggs |
Marketing, finance |
Group B |
Clara Harris |
Marketing, finance, control group |
Group C |
Jenny Basset |
Marketing, control group |
Group A, Group C |
Only the group C assignment is in effect for Clara Harris. It is published in the target system. If Clara Harris leaves the "control group" business role at a later date, group B also takes effect.
The groups A and C are in effect for Jenny Basset because the groups are not defined as mutually exclusive. If this should not be allowed, define further exclusion for group C.
Table 18: Excluded groups and effective assignments
Jenny Basset
|
Marketing |
Group A |
|
Group C
|
Control group |
Group C |
Group B
Group A |
Prerequisites
To exclude a group
-
In the Manager, select the SharePoint Online | Groups category.
- Select a group in the result list.
-
Select the Exclude groups task.
-
In the Add assignments pane, assign the groups that are mutually exclusive to the selected group.
- OR -
In the Remove assignments pane, remove the groups that are not longer mutually exclusive.
- Save the changes.
In One Identity Manager, groups can be selectively inherited by user accounts. For this purpose, the groups and the user accounts are divided into categories. The categories can be freely selected and are specified using a mapping rule. Each category is given a specific position within the template. The template contains two tables; the user account table and the group table. Use the user account table to specify categories for target system dependent user accounts. In the group table enter your categories for the target system-dependent groups. Each table contains the Position 1 to Position 31 category positions.
Every user account can be assigned to one or more categories. Each group can also be assigned to one or more categories. The group is inherited by the user account when at least one user account category items matches an assigned group. The group is also inherited by the user account if the group or the user account is not put into categories.
NOTE: Inheritance through categories is only taken into account when groups are assigned indirectly through hierarchical roles. Categories are not taken into account when groups are directly assigned to user accounts.
Table 19: Category examples
1 |
Default user |
Default permissions |
2 |
System users |
System user permissions |
3 |
System administrator |
System administrator permissions |
Figure 2: Example of inheriting through categories.
To use inheritance through categories
- Define the categories in the site collection.
- Assign categories to user accounts through their master data.
- Assign categories to groups through their master data.
Related topics
The Overview of all assignments report is displayed for some objects, such as authorizations, compliance rules, or roles. The report finds all the roles, for example, departments, cost centers, locations, business roles, and IT Shop structures in which there are employees who own the selected base object. In this case, direct as well as indirect base object assignments are included.
Examples
- If the report is created for a resource, all roles are determined in which there are employees with this resource.
- If the report is created for a group or another system entitlement, all roles are determined in which there are employees with this group or system entitlement.
- If the report is created for a compliance rule, all roles are determined in which there are employees who violate this compliance rule.
- If the report is created for a department, all roles are determined in which employees of the selected department are also members.
- If the report is created for a business role, all roles are determined in which employees of the selected business role are also members.
To display detailed information about assignments
Figure 3: Toolbar of the Overview of all assignments report.
Table 20: Meaning of icons in the report toolbar
|
Show the legend with the meaning of the report control elements |
|
Saves the current report view as a graphic. |
|
Selects the role class used to generate the report. |
|
Displays all roles or only the affected roles. |