You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.


Groups Page


Users access the Groups page in Resource Admin by selecting Groups from the Resource Type menu. This page is a user-friendly interface designed to simplify group management. It provides users with various tabs, views, and controls for interacting with, creating, and updating groups and group memberships.

Once on the Groups page, users can search for specific groups and manage those objects as needed.

Searching for Groups

Each object in the EmpowerID Identity Warehouse has a SearchTerms property with a specific set of search values that can be used to return all objects matching those values. For groups, SearchTerms covers the Name, FriendlyName, Email, EmpowerIDName, EmpowerIDFriendlyName, LogonName, NetBiosName, FQN, DistinguishedName, and Description properties. When a search value is supplied, the API returns every group in which that value matches any of those properties. For example, if the search value is set to “admin,” the API would return all of the following groups:

  • Any group with a match in the name

  • Any group with a match in the friendly name

  • Any group with a match in the email address

  • Any group with a match in the EmpowerID name

  • Any group with a match in the EmpowerID friendly name

  • Any group with a match in the logon name

  • Any group with a match in the NetBIOS name

  • Any group with a match in the FQN

  • Any group with a match in the Distinguished Name

  • Any group with a match in the description
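
The matching rule described above, modelled as an added example (not EmpowerID code and not its API). The property names are from this page; the case-insensitive substring comparison and the sample group records are assumptions constructed for illustration. It reports which property produced each hit, which helps when reviewing why a broad term such as "admin" returns groups that are not administrative by name.

```python
# Added illustration: models the SearchTerms matching described on this page.
# Property names come from the page; the case-insensitive substring rule and
# the sample group records are assumptions / constructed data.

SEARCH_PROPERTIES = (
    "Name", "FriendlyName", "Email", "EmpowerIDName", "EmpowerIDFriendlyName",
    "LogonName", "NetBiosName", "FQN", "DistinguishedName", "Description",
)

# Constructed sample records (not real directory data).
GROUPS = [
    {"Name": "Domain Admins", "FriendlyName": "Domain Admins",
     "DistinguishedName": "CN=Domain Admins,CN=Users,DC=example,DC=com",
     "Description": "Designated administrators of the domain"},
    {"Name": "HR-Payroll", "FriendlyName": "HR Payroll",
     "Email": "hr-payroll@example.com",
     "Description": "Payroll staff; contact the HR admin team for access"},
    {"Name": "Helpdesk-T1", "FriendlyName": "Helpdesk Tier 1",
     "DistinguishedName": "CN=Helpdesk-T1,OU=Administration,DC=example,DC=com",
     "Description": "First-line support"},
    {"Name": "Marketing", "FriendlyName": "Marketing",
     "Description": "Marketing department"},
]


def matched_properties(group, term):
    """Return the search properties of `group` whose value contains `term`."""
    needle = term.casefold()
    return [p for p in SEARCH_PROPERTIES
            if needle in str(group.get(p) or "").casefold()]


def search_groups(groups, term):
    """Return (group name, matched properties) for every group with a hit."""
    hits = []
    for g in groups:
        props = matched_properties(g, term)
        if props:
            hits.append((g["Name"], props))
    return hits


def name_only_hits(groups, term):
    """Names of groups that match in Name or FriendlyName, not only elsewhere."""
    return [n for n, props in search_groups(groups, term)
            if {"Name", "FriendlyName"} & set(props)]


if __name__ == "__main__":
    for name, props in search_groups(GROUPS, "admin"):
        print(f"{name:15} matched on {', '.join(props)}")
```
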

Group Search Filters

When users select Groups as the resource type, an API call is made to return records for all groups the current user can view. The number of records returned can be substantial, depending on the number of managed groups and the user's access. To help users find the right group, Resource Admin provides several filters that can be used with or without the search terms described above to narrow the results. Multiple filters can be combined for more granular searching.

Filter

Description

Owned By

This filter provides users with options to list groups based on ownership. Options include:

  • Anybody – View all groups

  • Myself – View only groups owned by the user

  • Someone Else – View only groups owned by the specified person

Users must have the appropriate role assignment to see the Owned By filter.

Target System

This filter provides users with options to list only those groups belonging to the selected account store type and/or account store.

  • Select Account Store Type allows you to filter groups to display only those belonging to Account Stores configured with the selected Account Store Type.

  • Select Account Store allows you to filter groups to display only those belonging to the selected Account Store. The filter is used in conjunction with the selected Account Store Type filter to display groups belonging to the selected account store.

 

Applications

This filter provides users with the option to filter groups to display only those belonging to the selected application.

Location

This filter provides users with the option to filter groups to display only those belonging to the selected location.

Business Functions

This filter provides users with the option to filter groups to display only those granting members of the group the selected business function.

Rights

This filter provides users with the option to filter groups to display only those granting members of the group the selected rights.

Advanced Search

Provides advanced search capabilities to further filter groups based on one or more of the selected attributes.

  • Name

  • Technical Name

  • High Level Classification

  • Group Type

  • Description

Interacting with Groups

Each group listed in Resource Admin has a record that provides users with context for interacting with the group. Each group record has a Details link that directs users to the Details view for the selected group. The view provides a number of tabs that users can navigate to review and manage information about the group. Group records also include a contextual workflow button {⚙️} that users with the appropriate access can click to initiate the “Manage Group Wizard” workflow, as shown below.

 

 

Clicking the Details button for a group directs users to the Overview page. This page provides access to more in-depth information about the group with navigable tabs for managing aspects of it.


Members

The Members tab grants access to view and manage the membership of the selected group. 

The following functionality is available to delegated users from this tab:

  • View current group membership

  • Add new group members

  • Remove current group members

Membership Changes

The Membership Changes tab grants access to view the history of membership changes occurring to the group.

The following information is available to delegated users from this tab:

  • View detailed information about existing app certificates

  • Request access to app certificates

  • Check out app certificates

  • Add new client certificates

  • Delete existing client certificates

  • Run the Manage Credential Wizard workflow

 

Scopes

The Scopes tab grants access to view and manage scopes for Azure applications.

The following functionality is available to delegated users from this tab:

  • View detailed information about existing scopes

  • Add new scopes to the application

  • Delete scopes from the application

 

API Permissions

The API Permissions tab grants access to view and manage the delegated and application permissions for Azure applications.

 

The following functionality is available to delegated users from this tab:

  • View detailed information about existing API permissions

  • Add new API permissions to the application

  • Delete existing API permissions from the application

 

Token Configurations

The Token Configurations tab grants access to view and manage the claims for Azure applications.

The following functionality is available to delegated users from this tab:

  • View detailed information about existing claims

  • Add claims to the application

  • Remove claims from the application

 

App Rights (Azure “App Roles”)

The App Rights (Azure “App Roles”) tab grants access to view and manage app rights for Azure applications.

The following functionality is available to delegated users from this tab:

  • View detailed information about existing app rights

  • Create new app rights for the application

  • Delete app rights from the application

  • View app right assignments

  • Assign app rights to users

  • Remove app rights from users

  • View people with app rights to the application

 

Role Definitions

The Role Definitions tab grants access to view and manage app role definitions for Azure applications.

The following functionality is available from this tab:

  • View detailed information about existing app role definitions

  • Create app role definitions for the application

  • Delete app role definitions from the application

  • View app role assignments

  • Assign app roles to users

  • Remove app roles from users

  • View people with app roles

 

App Management Roles

The Role Definitions tab grants access to view and manage App Management Roles for Azure applications.

The following functionality is available from this tab:

  • View detailed information about existing App Management Roles

  • Create App Management Roles

  • Delete App Management Roles

  • View people assigned to Management Roles as members

  • View direct access granted to the Management Roles

  • View total access granted to the Management Roles

 

Actions

The Actions tab grants access to contextual workflows related to the selected application tab. For example, when on the Overview tab, the Actions tab displays links to initiate the Manage Azure Application Wizard and the Update Azure Application API Permissions workflows, whereas when on the Client Secrets tab, the Actions tab displays links to initiate the Delete Azure Application Client Secrets workflow.

 

Claims Mapping Policies (CMP) are used in Azure AD to control and manage the identity information sent to an application when a user signs in. If your organization uses CMP with your applications, you can manage them by selecting the Claims Mapping Policies tab. This tab only appears for Azure apps.

 

Claims Mapping Policies Search Filters

As with Azure applications, users can employ search filters for Claims Mapping Policies. Multiple filters can be used for more granular searching.

Filter

Description

Target System

This filter provides users with options to list only those Claims Mapping Policies belonging to applications in the selected account store type and/or account store.

  • Select Account Store Type allows you to filter Claims Mapping Policies to display only those belonging to Account Stores configured with the selected Account Store Type.

  • Select Account Store allows you to filter Claims Mapping Policies to display only those belonging to the selected Account Store. The filter is used in conjunction with the selected Account Store Type filter to display Claims Mapping Policies belonging to the selected account store.

 

Include Basic Claim Set

 

This filter provides users with options to list Claims Mapping Policies meeting the following criteria:

  • All – Returns all Claims Mapping Policies

  • Yes – Returns Claims Mapping Policies that have a basic claim set

  • No – Returns Claims Mapping Policies that do not have a basic claim set

Advanced Search

 

Provides advanced search capabilities to further filter Claims Mapping Policies.

As with Azure applications, clicking the Details button for a PBAC application directs users to the Overview page. This page provides access to more in-depth information about the application and navigable tabs for managing aspects of it.

 

PBAC Assignments

The PBAC Assignments tab grants access to view and manage PBAC Definition assignments for PBAC applications.

 

The following functionality is available from this tab:

  • Assign Role Definitions

  • Delete Role Definitions

  • View people with Role Definition assignments for the application

  • Edit the Role Definition assignments for people

 

PBAC Definitions

The PBAC Assignments tab grants access to view and manage PBAC Definition assignments for PBAC applications.

 

The following functionality is available from this tab:

  • App Rights

    • View detailed information about existing App Rights

    • Create App Rights

    • Delete App Rights from the application

    • Assign App Rights

  • App Role Definitions

    • View detailed information about existing App Role Definitions

    • Create App Role Definitions

    • Delete App Role Definitions

    • Add App Rights to App Role Definitions

    • Remove App Rights from App Role Definitions

  • App Management Roles

    • Create App Management Roles

    • Delete App Management Roles

  • PBAC Resource Types

    • Create Resource Types

    • Edit Resource Types

    • Delete Resource Types

Application Workflows Page

The Workflows page provides authorized users access to application workflows. The image below shows the workflows available for applications.

 
