Role-Based Group Memberships

EmpowerID allows you to dynamically assign users to groups using role-based delegations. Assignees can be any EmpowerID Actor type, such as Business Role and Location combinations, Management Roles, Query-Based Collections and other groups. This topic demonstrates this by creating a dynamic group membership for anyone assigned to a specific Business Role and Location. In this way, any person who belongs to the Business Role and Location is automatically added to the group as a member.

This topic demonstrates how to create a dynamic group membership and is divided into the following activities: meeting the prerequisites, creating the role-based group membership, verifying the membership in EmpowerID, and verifying the membership in Active Directory.

Prerequisites

In order to create a dynamic group membership as described by this topic, the following prerequisites must be met:

  • EmpowerID must be connected to Active Directory. For a detailed walkthrough describing how to connect EmpowerID to Active Directory, see Connecting to Active Directory.
  • Group Membership Reconciliation must be enabled for the account store with the groups.
  • One server must be configured with either the All-in-One Server server role (for smaller environments running only one EmpowerID server) or the Application Server server role. For information on configuring server roles, see the Getting Started with Directory Systems topic under Integrations.
  • The group for which you are creating a dynamic group membership must exist in EmpowerID.
  • The Business Role and Location or other EmpowerID actor type being targeted for dynamic group membership must exist in EmpowerID.
  • Additionally, to verify group membership, users must belong to the Business Role and Location or other EmpowerID actor type targeted for dynamic group membership.

To create role-based group memberships

  1. In the navigation sidebar, expand Identity Administration and click Manage Delegations.
  2. On the Actor Delegations tab (selected by default), from the drop-down list, select an actor type. In our example, we select Business Role and Location.

  3. Search for and select a business role from the Business Role tree and then search for and select a location from the Location tree. In our example, we select the Regional Finance business role and the Ohio location. In this way, any person who holds the Regional Finance business role at or below the Ohio location is dynamically added to the target group as a member. Because the membership is role-based, it changes as people move into or out of that Business Role and Location, so scope the assignment carefully when the target group grants privileged access.

    Please note that the people in the Business Role and Location must have user accounts linked to their Person in order to be added to the group. A Person without a linked user account is not added.

  4. In the Assignment Type drop-down, leave the default value of Direct.
  5. On the Assignments grid, click the Add Assignments (+) button.

  6. In the dialog that appears, do the following:
    1. Set the Resource Type to Group (Generic).
    2. In the Enter a Group (Generic) Name to Search field, type the name of the group for which to create dynamic membership and then click the tile for that group. In our example, we select the AWSAdmins group.
    3. Set the Access Level to Member.
    4. Optionally, select Time Constrained to add a time constraint to the Access Level assignment so the assignment is only effective during the specified time period or on specified days.
    5. Click Save to add the policy to your shopping cart.

  7. Click the Shopping Cart icon, type a reason for the assignment and then click Submit.

To verify the group membership in EmpowerID

  1. In the navigation sidebar, expand Identity Administration and click Groups.
  2. Search for the Group for which you created the dynamic membership and then click the Logon Name link for that group.
  3. Expand the Group Members accordion to see the user accounts added to the group. If the expected accounts are not yet listed, confirm that Group Membership Reconciliation is enabled for the account store and that each Person in the Business Role and Location has a linked user account.

To verify the group membership in Active Directory

  1. Open Active Directory Users and Computers and search for the group you targeted for dynamic group membership.
  2. Open the Properties window for the group and click the Members tab to see the user accounts added to the group as members. The members appear once EmpowerID has written the change to Active Directory and it has replicated to the domain controller you are connected to.
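Checking the Members tab by hand does not scale, and for a group that grants privileged access you want to confirm that it contains exactly the accounts the Business Role and Location should produce, nothing more. The following PowerShell script is an added example and is not part of the EmpowerID documentation or product. It uses the ActiveDirectory module (RSAT) against the AWSAdmins group from the walkthrough; the expected member list is a constructed placeholder that you would replace with the sAMAccountNames of the user accounts linked to the People in your Business Role and Location.

```powershell
# Added example (not EmpowerID code): compare the actual AD membership of the group
# targeted for dynamic membership against the set of accounts you expect.
# Requires the ActiveDirectory module (RSAT) and read access to the group.
Import-Module ActiveDirectory

$GroupName       = 'AWSAdmins'                     # group used in the walkthrough
$ExpectedMembers = @('jsmith', 'adoe', 'rkhan')    # constructed example values

# Query direct members only. The role-based assignment adds user accounts directly,
# so any nested group or computer object in the group was not put there by this policy.
$AllMembers     = @(Get-ADGroupMember -Identity $GroupName)
$ActualMembers  = @($AllMembers | Where-Object { $_.objectClass -eq 'user' } |
                    Select-Object -ExpandProperty SamAccountName)
$NonUserMembers = @($AllMembers | Where-Object { $_.objectClass -ne 'user' })

# Accounts that should be members but are not yet, and members nobody expected.
$Missing    = @($ExpectedMembers | Where-Object { $_ -notin $ActualMembers })
$Unexpected = @($ActualMembers   | Where-Object { $_ -notin $ExpectedMembers })

"Group               : $GroupName"
"Expected members    : $($ExpectedMembers.Count)"
"Actual user members : $($ActualMembers.Count)"

if ($Missing.Count -gt 0) {
    # Usual causes: the Person has no linked user account, or Group Membership
    # Reconciliation has not run since the assignment was submitted.
    Write-Warning ("Not yet in the group: " + ($Missing -join ', '))
}
if ($Unexpected.Count -gt 0) {
    # Members outside the expected set deserve a look before they stay in a privileged group.
    Write-Warning ("Members not in the expected list: " + ($Unexpected -join ', '))
}
if ($NonUserMembers.Count -gt 0) {
    $Desc = $NonUserMembers | ForEach-Object { "$($_.Name) ($($_.objectClass))" }
    Write-Warning ("Non-user members present: " + ($Desc -join ', '))
}
if ($Missing.Count -eq 0 -and $Unexpected.Count -eq 0) {
    'Membership matches the expected list.'
}
```

Run the script from a host with RSAT installed, after the Group Membership Reconciliation job has processed the assignment and the change has replicated to the domain controller you are querying. A non-empty "Not yet in the group" list usually points back to the prerequisite above: the Person exists in the Business Role and Location but has no linked user account.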