A Group describes a set of CentraSite users. The group always belongs to exactly one organization, but can contain users from different organizations. Groups are visible to all users.
A group can either be managed locally within CentraSite or can be imported from the external authentication system.
Groups can be used for many purposes within CentraSite, including:
Granting roles to specified groups of users.
Granting instance-based permissions to specified groups of users.
Identifying the set of users who can approve certain types of requests.
Identifying the users to which a particular policy action is to be applied.
CentraSite has three main types of groups:
System groups are shipped with CentraSite. When a user is added to CentraSite, CentraSite automatically adds the user to a specified system group depending on the organization to which the user belongs. When the user is deleted, CentraSite automatically removes that user from the group. The membership of these groups cannot be manually updated or deleted by an administrator. For more information, see System Groups.
Locally managed custom groups are user-defined groups that are defined and maintained within CentraSite.
Externally managed custom groups are user-defined groups that are imported from the external authentication system.
The membership of the following system groups is managed automatically by CentraSite. When you add a new user to CentraSite, CentraSite automatically adds the user to these system groups. When you delete a user from CentraSite, CentraSite automatically deletes the user from these groups. You cannot delete or edit the membership of these groups yourself. You can, however, assign roles and instance-level permissions to these groups.
This system group... | Contains... |
---|---|
Everyone | All users. |
Users | All users in an organization. Each organization in the registry/repository has a Users group. By default, the Asset Provider and Asset Consumer roles are assigned to this group, which gives these roles to every user in the organization. |
Members | All users in an organization or any of its descendant organizations (children, children's children and so forth). Each organization in the registry/repository has a Members group. |
Custom groups are groups that you define in CentraSite. A custom group can contain users from any organization in the registry/repository.
You can create a custom group of any one of the following types in CentraSite:
An externally managed custom group.
This is a group that is imported from the external authentication system. You cannot manually change the membership of such a group within CentraSite; CentraSite maintains the membership of an externally managed custom group by automatically synchronizing with the external authentication system.
After an externally managed group is created, you cannot switch the group to a "locally managed" type of group, nor can you associate it with a different group on the external authentication system.
If the external group includes members who are not existing users of CentraSite, those members will not become CentraSite users as a result of adding the group to CentraSite. If you subsequently add those individuals to CentraSite, however, they will automatically become members of this group.
A locally managed custom group.
This is a group that consists entirely of users who are registered in CentraSite. The users must be active users (see the section Active and Inactive Users for details).
The membership of the group is maintained in CentraSite. You can perform administrative tasks manually on the group in CentraSite, such as adding or removing users from the group.
If you have a locally managed group, you can switch it to an externally managed group. See the section Adding an Externally Managed Custom Group to CentraSite for details.
CentraSite supports static groups and nested groups.
Note:
If you are using LDAP, note that only the "recurse up" option is supported for group resolution. The "recurse down" option is not supported.
When you import a group from CentraSite's external authentication system, CentraSite fetches the group's details from the authentication system and automatically synchronizes (updates) the group's membership on CentraSite.
Group synchronization occurs in the following cases:
When you initially import a group from the external authentication system
This creates an externally managed custom group in CentraSite. When such an externally managed custom group is created, CentraSite queries the external system to determine which members of the group are registered users in CentraSite. Those users become members of the externally managed custom group on CentraSite.
When you add a user to CentraSite from the external authentication system
Whenever a new user is added from the external authentication system, CentraSite queries the external system to determine in which groups the user is a member. If any of those groups have been imported into CentraSite, the user is automatically added to the corresponding groups in CentraSite.
When a user is deleted from a group in the external authentication system
The removal of a user from a group can be done only in the external authentication system, and the change will be reflected in CentraSite when the synchronization occurs.
Assume that the users User1, User2, User3, User4 and User5 are defined on the external authentication system, and do not belong to any group on the external authentication system. Assume that all of these users except User1 have already been imported from the external authentication system to CentraSite, but do not yet belong to any group in CentraSite. Now assume that a group called GroupA is created in the external authentication system, and GroupA has members User1, User2 and User3.
If GroupA is imported to CentraSite, the registered CentraSite users User2 and User3 become members of GroupA in CentraSite, as the membership of the group is maintained in the external authentication system (User1 is not registered in CentraSite, therefore it is not available as a member in GroupA). We cannot add more users manually to GroupA in CentraSite, since CentraSite just refers to the external authentication system for the membership details. However, if User4 and User5 are added to GroupA in the external authentication system, they also become members of GroupA in CentraSite when the automatic synchronization occurs.
In this scenario, User1 is not yet a member of GroupA in CentraSite, since User1 is not a registered user in CentraSite. To add User1 to the group in CentraSite, you need to define User1 as a user in CentraSite and associate this user with GroupA in the external authentication system.
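The synchronization rules and the GroupA scenario above, carried through as an added example. This is a model written for this page, not CentraSite code or its API; the class and method names are hypothetical, and assigning the Asset Provider role to GroupA is an assumption made to show how role grants follow the synchronized membership.

```python
# Model of the membership rules described above (not CentraSite code).
# All class, method and variable names are hypothetical.

class Registry:
    def __init__(self, directory):
        self.directory = directory      # external system: group name -> set of user names
        self.users = set()              # users registered in CentraSite
        self.external_groups = set()    # names of imported (externally managed) groups
        self.members = {}               # group name -> current membership
        self.roles = {}                 # group name -> roles assigned to the group

    def sync(self, group):
        # The external system is authoritative, but only registered users become members.
        self.members[group] = self.directory.get(group, set()) & self.users

    def import_group(self, group):
        self.external_groups.add(group)
        self.roles.setdefault(group, set())
        self.sync(group)

    def add_user(self, user):
        # Adding a user re-resolves that user's membership in every imported group.
        self.users.add(user)
        for group in self.external_groups:
            self.sync(group)

    def add_member(self, group, user):
        # Manual membership changes are refused for externally managed groups.
        if group in self.external_groups:
            raise PermissionError(f"{group} is externally managed")
        self.members.setdefault(group, set()).add(user)

    def role_holders(self, role):
        # A role assigned to a group is conferred on each current member.
        return {u for g, r in self.roles.items() if role in r
                for u in self.members.get(g, set())}


def run_scenario():
    directory = {"GroupA": {"User1", "User2", "User3"}}   # constructed sample data
    reg = Registry(directory)
    for user in ("User2", "User3", "User4", "User5"):
        reg.add_user(user)
    reg.import_group("GroupA")
    reg.roles["GroupA"].add("Asset Provider")              # assumed role assignment
    after_import = set(reg.members["GroupA"])
    try:
        reg.add_member("GroupA", "User4")
        manual_add_allowed = True
    except PermissionError:
        manual_add_allowed = False
    directory["GroupA"] |= {"User4", "User5"}              # change made externally
    reg.sync("GroupA")
    after_sync = set(reg.members["GroupA"])
    reg.add_user("User1")                                  # User1 is registered later
    return after_import, manual_add_allowed, after_sync, reg.role_holders("Asset Provider")
```

For an access review, the last return value is the one to watch: every role assigned to an externally managed group is held by whoever the external system lists at the next synchronization, without any change being made in CentraSite.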
To create and manage (i.e., view, edit and delete) groups for an organization, you must belong to a role that has the "Manage Users" permission for the organization. Users in the Organization Administrator role have this permission, although an administrator can assign this permission to other roles.
Note:
Users that belong to a role that includes the "Manage Organizations" permission have the "Manage Users" permission by implication. Such users can create and manage groups in any organization to which their "Manage Organizations" permission applies.
There are three ways in which you can create custom groups in CentraSite:
To create a locally managed group, see Adding a Locally Managed Custom Group Using the Add Group Button.
To create an externally managed group, see Adding an Externally Managed Custom Group to CentraSite.
To import multiple groups from the external authentication system, see Bulk Loading Groups from the External Authentication System.
Use the following procedure to add a locally managed custom group to CentraSite.
To create a locally managed group
In CentraSite Control, go to .
Click .
In the Group Information panel, specify the following fields:
In this field... | Do the following... |
---|---|
Name | Enter a name for the new group. A group name can contain any character (including spaces). Note: |
Description | Optional. Enter a short description for the new group. This description appears when a user displays the list of groups in CentraSite Control. |
Organization | Specify the organization to which this group belongs. (The drop-down list only displays organizations for which you have "Manage Users" permission.) Important: |
To add users to the group, do the following:
Click .
Select the users that you want to add to the group.
If you want to filter the list, type a partial string in the Search field. CentraSite applies the filter to the Name column.
If you type... | CentraSite displays... |
---|---|
b | Names that contain "b" |
% | All names |
Click .
Update the Roles profile as necessary to assign roles to this group. If you need procedures for this step, see Assigning Roles to a Group.
Important:
Verify that the Organization field specifies the correct organization for this group before you proceed to the next step.
Click .
Use the following procedure to add an externally managed custom group to CentraSite.
When performing this procedure, keep the following points in mind:
You do not need to assign a name to the group. The group name will be imported from the external authentication system. (If you assign a name in the group's Name attribute, it will be overwritten.)
Do not assign users to the group using the Users tab. The members of this group will be specified by the external authentication system. (If any users appear on the Users profile when you perform this procedure, those users will be removed from the group.)
If you have a locally managed group that you would like to switch to an externally managed group, you can open the group and then execute the following procedure starting with step 4. Be aware, however, that the group's current name and membership will be replaced by the name and membership of the imported group.
To create an externally managed custom group
In CentraSite Control, go to .
The Groups page displays the list of system and custom groups for which you have permission.
Click .
In the Organization field, specify the organization to which this group belongs. (The drop-down list only displays organizations for which you have "Manage Users" permission.)
Important:
Choose the organization carefully. You cannot change this assignment after the group is created.
Click Associate.
In the Associate Group dialog box, select the groups that you want to add to CentraSite.
If CentraSite is configured to authenticate users using the local OS user database and you need procedures for this step, see Selecting Users or Groups from the Local OS User Database.
If CentraSite is configured to authenticate users using Active Directory or LDAP and you need procedures for this step, see Selecting Users or Groups from an Active Directory or LDAP Server.
Important:
Choose the external group with care. You cannot change this association after the group is created.
In the Description field, specify a descriptive comment or remark (optional).
Update the Roles profile as necessary to assign roles to this group. If you need procedures for this step, see Assigning Roles to a Group.
Click .
Use the following procedure to add groups through the bulk load option. With this procedure, you can add one or more groups in a single step to your organization or to another specified organization.
To create groups and save them to CentraSite
In CentraSite Control, go to .
CentraSite displays the list of groups for which you have permission.
Click the button.
In the Bulk Load Groups from External Source dialog box, select the groups that you want to add to CentraSite.
If CentraSite is configured to authenticate users using the local OS user database and you need procedures for this step, see Selecting Users or Groups from the Local OS User Database.
If CentraSite is configured to authenticate users using Active Directory or LDAP and you need procedures for this step, see Selecting Users or Groups from an Active Directory or LDAP Server.
In the field Import to Organization, specify the organization into which the groups will be added.
Scroll through the groups list to confirm that the groups you selected were added successfully.
Examine each new group and update its Description field and its Roles profile as necessary.
You use the Groups page to view the list of groups.
To view the groups list
In CentraSite Control, go to
to view the list of all groups that exist in CentraSite.
The Groups page provides the following information about each group:
Column | Description |
---|---|
Name | The name of the group. |
Organization | The name of the organization to which the group belongs. |
Description | A short description about the group. |
You use the Edit Group page to examine and/or edit the attributes of a group. When editing a group, keep the following points in mind:
You cannot modify the system-defined groups (i.e., Everyone, Users and Members).
You cannot modify the name or membership of an externally managed group.
To view or edit the properties of a group
In CentraSite Control, go to .
Locate the group whose attributes you want to view or edit.
From the group's context menu, select the Details command.
Examine or modify the properties on the Edit Group page as required.
Field | Description |
---|---|
Name | The name of the group. A group name can contain any character (including spaces). |
Description | Additional comments or descriptive information about the group. |
Organization | Read-only. The organization to which this group belongs. |
Associated with External Group | The group on the external authentication system with which this group is managed. If an external group has already been associated with this group, this field cannot be modified. If an external group has not been associated with the group, you can use the button to associate an external group with it. Doing this will switch the group from a locally managed group to an externally managed group. The group's current name and membership will be replaced by the name and membership information from the external group. |
Users | The settings on this profile identify the users that are assigned to the group. To edit this list, see Modifying the Membership of a Group. |
Roles | The settings on this profile identify the roles that are assigned to the group. To edit this tab, see Assigning Roles to a Group. |
If you have edited the settings on the Edit Group page, click
to save the updated group.
Use the following procedure to modify the membership of a locally managed custom group.
Note:
You cannot modify the membership of a system group or an externally managed group. System groups are automatically maintained by CentraSite. Externally managed groups are maintained by the administrators of the external authentication system.
To modify the membership of a group
Open the Edit Group page for the group whose membership you want to modify. If you need procedures for this step, see Viewing or Editing the Attributes of a Group.
On the Edit Group page, choose the Users profile and do the following:
To add users to the group, click
and select the users that you want to add to the custom group. If you need procedures for this step, refer to the user-selection steps in Adding a Locally Managed Custom Group to CentraSite.
To remove users from the group, select the users that you want to remove and click .
When you have finished your edits, click
to save the updated group.
Assigning roles to a group confers the permissions associated with the role to each member of the group.
To assign roles to a group
Open the Edit Group page for the group whose role assignments you want to modify. If you need procedures for this step, see Viewing or Editing the Attributes of a Group.
On the Edit Group page, choose the Roles profile and do the following:
To assign roles to the group, click
and select the roles that you want to give to the group.
To remove roles from a group, select the roles that you want to remove and click .
Click
to save the updated group.
You use the Groups page to delete one or more custom groups. When deleting a group, keep the following points in mind:
Deleting a group from CentraSite does not delete the associated group from the external authentication system.
You cannot delete a system-defined group (not even if you belong to the CentraSite Administrator role).
To delete a group
In CentraSite Control, go to
to display the groups list.
Enable the checkbox next to the name of the group that you want to delete.
Click .
When you are prompted to confirm the delete operation, click .
The group is permanently removed from the CentraSite registry/repository. If the group was associated with a group definition in the external authentication system, the group in the external system is not affected.
You can delete multiple groups in a single step. The rules described above for deleting a single group apply also when deleting multiple groups.
Important:
If you have selected several groups where one or more of them are system groups, you can use the button to delete the groups. However, as you are not allowed to delete predefined groups, only groups you have permission for will be deleted. The same applies to any other groups for which you do not have the required permission.
To delete multiple groups in a single operation
In CentraSite Control, go to
to display the groups list.
Mark the checkboxes of the groups that you want to delete.
From the Actions menu, choose Delete.
When you are prompted to confirm the delete operation, click .
The selected group is permanently removed from the CentraSite registry. If the group was associated with a group definition in the external authentication system, the group in the external system is not affected.