Users can access the Groups page in within Resource Admin by selecting 'Groups' from the Resource Type menu. This page is a user-friendly interface designed to simplify interface is structured to facilitate efficient group management. It provides users with offers various tabs, views, and controls for interacting that enable users to interact with, creatingcreate, and updating update groups and group their memberships.
...
Once
Features Available on the Groups Page
Upon navigating to the Groups page, users can have the capability to search for specific groups based on defined criteria and manage those objects these groups as needednecessary.
Searching for Groups
Each Every object in the EmpowerID Identity Warehouse has a SearchTerms property with a specific , including groups, is associated with a 'SearchTerms' property. This property contains a set of search values that tailored to each object type, which can be used to return find all matching objects matching those values. For groups, SearchTerms encompass the Name, FriendlyName, Email, EmpowerIDName, EmpowerIDFriendlyName, LogonName, NetBiosName, FQN, DistinguishedName, and Description properties. When used, the API returns all groups where the specified search value finds a match in any of those properties. For example, if the search value is set to “admin,” the API would return all the following groups
Any group with a match in the name
Any group with a match in the friendly name
Any group with a match in the email address
Any group with a match in the EmpowerID name
Any group with a match in the EmpowerID friendly name
Any group with a match in the logon name
Any group with a match in the Net BIOS name
Any group with a match in the FQN
Any group with a match in the Distinguished Name
Any group with a match in the description
...
Group Search Filters
When users select Groups as the resource type, an API call is made to return records for all groups the current user can view. The amount of records returned can be substantial depending on the number of managed groups and the user's access. To help users easily find the right group, Resource Admin provides several filters that can be used with or without the above-mentioned search terms to narrow search options. Multiple filters can be used for more granular searchingthe 'SearchTerms' property includes a range of attributes:
Name
FriendlyName
Email
EmpowerIDName
EmpowerIDFriendlyName
LogonName
NetBiosName
FQN (Fully Qualified Name)
DistinguishedName
Description
Using these search terms, the API fetches all groups where the input search value corresponds to any of these attributes. For instance, inputting “admin” as a search value will prompt the API to return groups that match this value across any of the listed attributes, such as groups with 'admin' in their name, friendly name, email address, or other specified properties.
...
Group Search Filters
Upon selecting 'Groups' as the resource type, the system initiates an API call to retrieve all group records accessible to the current user. Given the potentially large volume of records, especially in environments with numerous managed groups or extensive user access rights, navigating through these records can be challenging.
To streamline the search process, Resource Admin incorporates a range of search filters. These filters are designed to refine the search results and can be employed in conjunction with or independently of the previously mentioned search terms. The availability of multiple filters supports granular searching, allowing users to pinpoint specific groups based on various criteria.
Filter | Description | ||
|---|---|---|---|
Owned By   | This filter provides users with options to list groups based on ownership. Options include:
| ||
Target System   | This filter provides users with options to list only those groups belonging to the selected account store type and/or account store.
| ||
Applications   | This filter provides users with the option to filter groups to display only those belonging to the selected application. | ||
Location   | This filter provides users with the option to filter groups to display only those belonging to the selected location. | ||
Business Functions   | This filter provides users with the option to filter groups to display only those granting members of the group the selected business function. | ||
Rights   | This filter provides users with the option to filter groups to display only those granting members of the group the selected rights. | ||
Advanced Search   | Provides advanced search capabilities to further filter groups based on one or more of the selected attributes.
|
Interacting with Groups
Each group listed in In Resource Admin has a , every group is represented by a specific record that provides equips users with essential context for interacting with the group. Each group record has a Details link that directs users to the Details view interaction. To access more detailed information about a group, users can utilize the 'Details' link present in each group record. Clicking this link navigates users to a Details view tailored for the selected group. The view provides a number of tabs that users can navigate to review and manage information about the group. Group records also include a contextual workflow button {⚙️} that users with the appropriate access can click to initiate the “Manage Group Wizard” workflow, as shown below.
...
Within the Details view, various tabs are available, enabling users to comprehensively review and manage diverse aspects of the group. These tabs facilitate actions such as modifying group attributes, managing memberships, and reviewing group activity.
Additionally, each group record features a contextual workflow button (symbolized by the gear icon). Users granted the necessary permissions can engage this button to activate the 'Manage Group Wizard' workflow.
...
Clicking the 'Details' button for a group directs users to the Overview page. This page provides access to more in-depth offers comprehensive information about the group thegroup, with navigable tabs designed for managing different aspects of itthe group, including its configuration, associated tasks, and user assignments.
...
Members
The Members tab grants access to view and manage the membership of the selected group.
...
The following functionality is available to delegated users from this tab:
View current group membership
Add new group members
Remove current group members
Membership Changes
The Membership Changes tab grants access to view the history of membership changes occurring to the group.
...
The following information is available to delegated users from this tab:
View detailed information about existing app certificates
Request access to app certificates
Check out app certificates
Add new client certificates
Delete existing client certificates
Run the
Manage Credential Wizardworkflow
Scopes
The Scopes tab grants access to view and manage scopes for Azure applications.
...
The following functionality is available to delegated users from this tab:
View detailed information about existing scopes
Add new scopes to the application
Delete scopes from the application
API Permissions
The API Permissions tab grants access to view and manage the delegated and applications permissions for Azure applications.
...
The following functionality is available to delegated users from this tab:
View detailed information about existing API permissions
Add new API permissions to the application
Delete existing API permissions from the application
Token Configurations
The Token Configurations tab grants access to view and manage the claims for Azure applications.
...
The following functionality is available to delegated users from this tab:
View detailed information about existing claims
Add claims to the application
Remove claims from the application
App Rights (Azure “App Roles”)
The App Rights (Azure “App Roles”) tab grants access to view and manage app rights for Azure applications.
...
The following functionality is available to delegated users from this tab:
View detailed information about existing app rights
Create new app rights for the application
Delete app rights from the application
View app right assignments
Assign app rights to users
Remove app rights from users
View people with app rights to the application
Role Definitions
The Role Definitions tab grants access to view and manage app role definitions for Azure applications.
...
The following functionality is available from this tab:
View detailed information about existing app role definitions
Create app role definitions for the application
Delete app role definitions from the application
View app role assignments
Assign app roles to users
Remove app roles from users
View people with app roles
App Management Roles
The Role Definitions tab grants access to view and manage App Management Roles for Azure applications.
The following functionality is available from this tab:
View detailed information about existing app Management Roles
Create app Management Roles
Delete app Management Roles
View people assigned to Management Roles as members
View direct access granted to the Management Roles
View total access granted to the Management Roles
Actions
The Actions tab grants access to contextual workflows related to the selected application tab. For example, when on the Overview tab, the Actions tab displays links to initiate the Manage Azure Application Wizard and the Update Azure Application API Permissions workflows, whereas when on the Client Secrets tab, the Actions tab displays links to initiate the Delete Azure Application Client Secrets workflow.
...
Claims Mapping Policies (CMP) are used in Azure AD to control and manage the identity information sent to an application when a user signs in. If your organization uses CMP with your applications, you can manage them by selecting the Claims Mapping Policies tab. This tab only appears for Azure apps.
...
Claims Mapping Policies Search Filters
As with Azure applications, users can employ search filters for Claims Mapping Policies. Multiple filters can be used for more granular searching.
...
Filter
...
Description
...
Target System
...
This filter provides users with options to list only those Claims Mapping Policies belonging to applications in the selected account store type and/or account store.
Select Account Store Type allows you to filter Claims Mapping Policies to display only those belonging to Account Stores configured with the selected Account Store Type.
Select Account Store allows you to filter Claims Mapping Policies to display only those belonging to the selected Account Store. The filter is used in conjunction with the selected Account Store Type filter to display Claims Mapping Policies belonging to the selected account store.
...
Include Basic Claim Set
...
...
This filter provides users with options to list Claims Mapping Policies meeting the following criteria:
All – Returns all Claims Mapping Policies
Yes – Returns Claims Mapping Policies that have a basic claim set
No – Returns Claims Mapping Policies that do not have a basic claim set
...
Advanced Search
...
...
Provides advanced search capabilities to further filter Claims Mapping Policies.
As with Azure applications, clicking the Details button for a PBAC application directs users to the Overview page. This page provides access to more in-depth information about the application and navigable tabs for managing aspects of it.
...
PBAC Assignments
The PBAC Assignments tab grants access to view and manage PBAC Definition assignments for PBAC applications.
...
The following functionality is available from this tab:
Assign Role Definitions
Delete Role Definitions
View people with Role Definition assignments for the application
Edit the Role Definition assignments for people
PBAC Definitions
The PBAC Assignments tab grants access to view and manage PBAC Definition assignments for PBAC applications.
...
The following functionality is available from this tab:
App Rights
View detailed information about existing App Rights
Create App Rights
Delete App Rights from the application
Assign App Rights
App Role Definitions
View detailed information about existing App Role Definitions
Create App Role Definitions
Delete App Role Definitions
Add App Rights to App Role Definitions
Remove App Rights from App Role Definitions
App Management Roles
Create App Management Roles
Delete App Management Roles
PBAC Resource Types
Create Resource Types
Edit Resource Types
Delete Resource Types
Application Workflows Page
The Workflows page provides authorized users access to application workflows. The below image shows the workflows available for applications.
...
In the Resource Admin system, the 'Members' tab is specifically designed for group membership management. This tab allows users, particularly those with delegated privileges, to carry out various tasks related to the membership of a selected group.
Key functionalities accessible within this tab include:
View Current Group Membership: Users can view a list of all current members of the group. This feature is essential for monitoring the group's composition and ensuring that it aligns with current organizational needs.
Add New Group Members: This functionality enables the addition of new members to the group. Users can select and add individuals as needed, facilitating dynamic group management.
Remove Current Group Members: Users can also remove members from the group. This capability is crucial for maintaining the relevance and efficiency of the group, allowing for the timely removal of members who no longer need access or whose roles have changed.
...
Membership Changes
The 'Membership Changes' tab within Resource Admin is tailored for tracking and reviewing the history of membership changes within a specific group. This tab is especially useful for delegated users who need to monitor and audit group membership over time.
Key features available in this tab include:
Viewing Membership Change History: Users can access a detailed log of all membership changes that have occurred in the group. This includes information on when members were added or removed, along with details about the members involved.
Audit Trail for Membership Changes: The tab provides an audit trail, enabling users to review changes for compliance and internal control purposes. This includes timestamps, user IDs of those who made the changes, and a description of the change.
Filter and Search Capabilities: To aid in navigating the membership change history, users can employ filters and search functions. This allows for the quick retrieval of specific change events based on criteria such as date range, member name, or type of change.
...
RBAC Assignments
The 'RBAC Assignments' tab grants users the ability to view and manage the RBAC access assignments granted to the group. This tab is crucial for administrators who need to manage and audit access controls within group settings.
Functionalities available to users with delegated permissions in this tab include:
Viewing Detailed Information About Existing RBAC Access Assignments: Administrators can delve into the details of all RBAC access assignments that are currently linked to the group. This is vital for a comprehensive understanding of the group's access privileges and ensuring they align with organizational security policies and the group's specific roles.
Adding New RBAC Access Assignments to the Group: This feature enables the extension or alteration of the group's access capabilities. By adding new RBAC assignments, administrators can adapt the group's access rights to evolving needs or responsibilities within the organization.
Deleting Current RBAC Access Assignments from the Group: The ability to remove existing RBAC access assignments is also available.
...
Nested Group Members
The 'Nested Group Members' tab in the Resource Admin system is designed for administrators to manage the composition of nested groups within a parent group. This feature is particularly useful in complex organizational structures where groups are hierarchically organized.
Functionalities available to users with delegated permissions in this tab include:
Viewing Detailed Information About Existing Nested Group Members: Administrators can access in-depth information about the groups nested within the current group. This view is essential for understanding the hierarchical structure and the relationships between different groups.
Adding New Nested Group Members: This function allows for the incorporation of new groups into the nested structure of the current group. It facilitates the expansion or reorganization of group hierarchies to align with evolving organizational needs or objectives.
Deleting Existing Nested Group Members: Administrators can also remove groups from the nested structure. This capability is crucial for maintaining an up-to-date and efficient group hierarchy, ensuring that only relevant groups remain part of the nested arrangement.
...
Actions
The 'Actions' tab is designed to provide users with quick access to contextual workflows that are relevant to the currently selected tab. For instance, when a user is viewing the Overview tab, the Actions tab dynamically updates to display an action link that initiates the 'Manage Group Wizard' workflows. This dynamic adaptation ensures that users have the most relevant tools at their fingertips, tailored to their current context within the Groups page of the application.
...
Group Workflows Page
On the Groups Workflows Page, authorized users can access several workflows specifically designed for managing groups. This page acts as a centralized hub for these workflows, streamlining the process of locating and initiating various tasks.
...
| Insert excerpt | ||||||
|---|---|---|---|---|---|---|
|