You can create groups, add members to groups, and entitle groups to applications that are in the catalog.

Use groups to entitle more than one user to the same resources at the same time, instead of entitling each user individually.

You use group rules to define which users are members of a particular group. A user can belong to multiple groups. For example, if you create a Sales group and a Management group, a sales manager can be a member of both groups.

1

In the administration console, select User & Groups.

2

Click Create Group.

3

Enter the group name and a description of the group. Click Add.

4

After the group is created, return to the the Groups page and select the group you created.

5

To add members to the group, select Users in This Group.

6

Click Modify Users in This Group.

7

From the drop-down menu, select how group membership should be granted.

Option

Action

Any of the following

Grants group membership when any of the conditions for group membership are met. This option works like an OR condition. For example, if you select Any of the following for the rules Group Is Sales and Group Is Marketing, sales and marketing staff are granted membership to this group.

All of the following

Grants group membership when all of the conditions for group membership are met. This works like an AND condition. For example, if you select All of the following for the rules Group Is Sales and Email Starts With 'western_region', only sales staff in the western region are granted membership to this group. Sales staff in other regions are not granted membership.

8

Configure one or more rules for your group. You can nest rules.

Option

Action

Group

Select Is to choose a group to associate with this group. Type a group name in the text box. As you type, a list of group names appears.

Select Is Not to choose a group to exclude from this group. Type a group name in the text box. As you type, a list of group names appears.

Attribute Rules

The following rules are available for all attributes, including default attributes and any additional custom attributes that your enterprise configured. Examples of attributes are email and phone.

Note

Rules are not case-sensitive.

Select Matches to grant group membership for directory server entries that exactly match the criteria you enter. For example, your organization might have a business travel department that shares the same central phone number. If you want to grant access to a travel booking application for all employees who share that phone number, you can create a rule such as Phone Matches (555) 555-1000.

Select Does Not Match to grant group membership to all directory server entries except those that match the criteria you enter. For example, if one of your departments shares a central phone number, you can exclude that department from access to a social networking application by creating a rule such as Phone Does Not Match (555) 555-2000. Directory server entries with other phone numbers have access to the application.

Select Starts With to grant group membership for directory server entries that start with the criteria you enter. For example, your organization's email addresses might begin with the departmental name, such as sales_username@example.com. If you want to grant access to an application to everyone on your sales staff, you can create a rule, such as Email Starts With sales_.

Select Does Not Start With to grant group membership to all directory server entries except those that start with the criteria you enter. For example, if the email addresses of your human resources department are in the format hr_username@example.com, you can deny access to an application by setting up a rule, such as Email Does Not Start With hr_. Directory server entries with other email addresses have access to the application.

Any of the following

Group membership to be granted when any of the conditions for group membership are met for this rule. This is a way to nest rules. For example, you can create a rule that says All of the following: Group Is Sales; Group is California. For Group is California, Any of the following: Phone Starts With 415; Phone Starts With 510. The group member must belong to your California sales staff and have a phone number that starts with either 415 or 510.

All of the following

All of the conditions to be met for this rule. This is a way to nest rules. For example, you can create a rule that says Any of the following: Group Is Managers; Group is Customer Service. For Group is Customer Service, all of the following: Email Starts With cs_; Phone Starts With 555. The group members can be either managers or customer service representatives, but customer service representatives must have an email that starts with cs_ and a phone number that starts with 555.

9

(Optional) Specify individual users to add to or exclude from this group by checking the appropriate check box and typing the user names.

10

Click Next, and click Save.

Select Entitlements to add resources for the groups use.