Internal User Groups

You can add users and user groups from external identity sources to a user group in the internal database. This offers the following benefits:

  • Improved authentication performance for users in an external identity source.

    Including these users directly in a group in the internal database reduces the need to access the external identity source when these users authenticate, which reduces network traffic to the directory server. Users in member groups within a user group do not benefit from this improved performance.

  • Greater control over organizing users, especially users in an LDAP directory, where you cannot use the Security Console to control the group structure of the directory.

  • Reduces administrative burden for the following reasons:

    • You can create a single user group for a restricted agent, and include all the users you want to grant access to the agent, rather than create separate groups for each identity source.

    • When an LDAP administrator modifies a group in the LDAP directory, you can minimize or eliminate the need to reconfigure restricted agents because access is granted through user groups residing in the internal database, and is unaffected by modifications to groups in the directory.

Membership in user groups residing in external identity sources is still restricted to member users and member user groups residing in the same external identity source as the user group.

Nested User Groups

When you configure user groups for restricted agents, you may want to add or “nest” multiple user groups within a single user group. This allows you to enable several groups on a restricted agent. Using nested groups eases the administrative burden of restricting access to authentication agents, but can affect authentication performance when groups are deeply nested or contain large numbers of users.

Nested user groups have the following characteristics:

  • A user group in the internal database can contain user groups that reside in the internal database or an external identity source. A user group in an external identity source cannot contain user groups from any other identity source.

  • You can nest user groups using one of the following means:

    • Using the Security Console to nest two or more user groups stored in the internal database.

    • Using the LDAP directory user interface to nest two or more user groups stored in the same external identity source.

    • Using the Security Console to nest a user group stored in an external identity source within a user group stored in the internal database.

  • Members of nested groups inherit access to restricted agents from the parent user group that is granted access to the restricted agent. If a nested group is also granted access to the same agent, its members may have additional access permissions.

A user who is a member of a nested group can be granted access to a restricted agent for two reasons:

  • Because the user is a member of a nested user group that has access to the restricted agent
  • Because the user is a member of a user group that is nested in another user group that has access to a restricted agent

In general, members of nested user groups have the same access privileges as the parent user group. Members of the nested user group can access an agent when the group is nested inside another user group that can access the agent.
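
The following is an added illustration, not RSA code: a hypothetical Python model of the nesting rules above. Internal-database groups may nest groups from any identity source, external groups only groups and users from their own source, and access to a restricted agent is resolved by walking the nesting chain from the group granted access down to the user. The group names, the LDAP source name corp-ldap, the agent vpn-agent and the users in build_example() are constructed sample data.

```python
from dataclasses import dataclass, field

INTERNAL = "internal"   # the Authentication Manager internal database
@dataclass
class Group:
    name: str
    identity_source: str                      # INTERNAL or an LDAP identity source name
    users: set = field(default_factory=set)   # member users, written "source:userid"
    member_groups: list = field(default_factory=list)   # nested member user groups
class GroupModel:
    """Hypothetical in-memory model (not an RSA API) of the nesting rules above."""

    def __init__(self):
        self.groups = {}
        self.agent_access = {}   # restricted agent -> names of groups granted access

    def add_group(self, group):
        self.groups[group.name] = group

    def add_user(self, group_name, user):
        group = self.groups[group_name]
        source = user.split(":", 1)[0]
        # An external group may contain only users from its own identity source.
        if group.identity_source != INTERNAL and source != group.identity_source:
            raise ValueError(f"{user} cannot be a member of external group {group_name}")
        group.users.add(user)

    def nest(self, parent_name, child_name):
        parent, child = self.groups[parent_name], self.groups[child_name]
        # Internal groups may nest any group; external groups only same-source groups.
        if parent.identity_source != INTERNAL and child.identity_source != parent.identity_source:
            raise ValueError(f"{child_name} cannot be nested in external group {parent_name}")
        parent.member_groups.append(child_name)

    def grant(self, agent, group_name):
        self.agent_access.setdefault(agent, set()).add(group_name)

    def access_paths(self, user, agent):
        """Every nesting chain (granted group first) through which user reaches agent."""
        paths = []
        for root in sorted(self.agent_access.get(agent, ())):
            stack = [(root, [root])]
            while stack:   # each level is one more group lookup at authentication time
                name, path = stack.pop()
                group = self.groups[name]
                if user in group.users:
                    paths.append(path)
                for child in group.member_groups:
                    if child not in path:   # guard against a nesting cycle
                        stack.append((child, path + [child]))
        return paths

    def can_authenticate(self, user, agent):
        return bool(self.access_paths(user, agent))

def build_example():
    """Constructed sample data: two internal groups, two groups in LDAP source corp-ldap."""
    m = GroupModel()
    m.add_group(Group("North America", INTERNAL))
    m.add_group(Group("Sales Managers", INTERNAL))
    m.add_group(Group("Engineering", "corp-ldap"))
    m.add_group(Group("Ops", "corp-ldap"))
    m.nest("North America", "Sales Managers")
    m.nest("North America", "Engineering")   # external group inside an internal parent
    m.nest("Engineering", "Ops")             # same LDAP source: allowed
    m.add_user("Sales Managers", "internal:alice")
    m.add_user("Ops", "corp-ldap:bob")
    m.grant("vpn-agent", "North America")
    return m
```

access_paths() doubles as an audit trail: it lists each chain of nested groups that gives a user access, which is what you would check when an LDAP administrator changes a directory group.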

User Group Organization

You can organize groups according to your organizational needs:

  • Geographic location. Groups can be created according to geography.

    • A city, state, or country

    • A region that includes several cities, states, or countries

  • Company divisions. Groups can be created according to functional areas in a company.

    • Department

    • Project

    • Job

  • Resources. Groups can be created according to particular resources.

    • Research and development files

    • Medical records

User Group Characteristics

User groups have the following characteristics:

  • Each user group is stored in an identity source, either an LDAP directory or the internal database.

  • Each user group is associated with a security domain.

  • A user group can contain multiple users and user groups.

    User groups stored in an external identity source can contain only users and user groups contained in that identity source.

  • A user group can include users and user groups that are managed in different security domains.

    For example, users in security domain A and users in security domain B can both be members of the same user group and thus access the same protected resources.

  • User group names must be unique within a single identity source.

    Authentication Manager can have two user groups with the same name if they are stored in two different identity sources.

  • Administrators can move user groups between security domains to transfer administrative responsibility for the group to a different administrator.

    For instructions, see Move User Groups Between Security Domains.

  • A user or user group can be a member of more than one user group.

  • You can add and remove a user from a user group using the User Dashboard page.

    For instructions, see User Dashboard.

Creating User Groups

You can create user groups in the following ways:

To create a user group in the internal database, use the Security Console. For instructions, see Add a User Group and Add a User to a User Group.

To create a user group in an external identity source, use the LDAP directory native interface.

Internal User Groups

Grouping users makes it easy to manage access to protected resources. A user group is a collection of users, other user groups, or both. Users and user groups that belong to a user group are called member users and member user groups.

Add a User Group

A user group is a collection of users or user groups, or both.

You can add user groups to the internal database. You do not need to add a user group that already exists in an external identity source. Groups in external identity sources are added when the identity source is linked.

You add user groups for the following reasons:

  • To restrict which agents the user members can use to authenticate and the times that they can authenticate through the agent.

  • To organize users into user groups based on criteria such as geographic location or job title. User groups can also contain other user groups, called member user groups. For example, an organization might add a member user group called Sales Managers to a user group called North America.

Procedure

  1. In the Security Console, click Identity > User Groups > Add New.

  2. From the Security Domain drop-down list, select the security domain to which you want to assign the new user group. The new user group is managed by administrators whose administrative scope includes this security domain.

  3. In the User Group Name field, enter a unique name for the user group. Do not exceed 64 characters.

  4. Click Save.

Search for User Groups

Some fields are case sensitive. You can use the asterisk (*) as a wildcard character.

Procedure

  1. In the Security Console, click Identity > User Groups > Manage Existing.

  2. On the Search panel, from the Security Domain drop-down list, select the security domain that you want to search.

  3. From the Identity Source drop-down list, select the identity source that contains the user group record.

  4. Use the Where fields to select the search criteria. For example, use the Where fields to enter "Name," "starts with," and "R" to search for user groups with names that start with R.

  5. Click Search.

Add a User to a User Group

A user group is a collection of users or user groups, or both.

You can add users from any identity source to a user group in the internal database only. To change the membership of a group in an external LDAP identity source you must use native tools.

You can organize users into user groups based on criteria such as geographic location or job title. You can also restrict which agents the user members can use to authenticate and the times that they can authenticate through the agent.

You can add users to a single user group or to multiple user groups.

Procedure

  1. In the Security Console, click Identity > Users > Manage Existing.

  2. Use the search fields to find the user that you want to add to a user group. Some search fields are case sensitive.

  3. Select the checkbox next to the user that you want to add to a user group.

  4. From the Action menu, select Add to User Groups, and click Go.

  5. Use the search fields to find the user group to which you want to add the user. Some search fields are case sensitive.

  6. Select the checkbox next to the user group to which you want to add the user. You can select multiple checkboxes to add the user to more than one group.

  7. Click Add to Group.

Edit User Groups

You can edit user groups for users whose accounts are in the internal database. Editing a user group allows you to change information such as the user group's name and security domain.

Before you begin

If a user group resides in an external LDAP identity source, you can edit the following fields only:

  • Security Domain

  • Notes

Procedure

  1. In the Security Console, click Identity > User Groups > Manage Existing.

  2. Select the user group that you want to edit, and click Edit.

  3. Make the necessary changes to the user group.

  4. Click Save.

    If you have not saved your edits, you can click Reset to reset the user group to be as it was before you began editing.

Add Member User Groups to Other User Groups

User groups in the internal database can contain other user groups, called member user groups. For example, an organization might add a member user group called Sales Managers to a parent user group called North America.

Make sure you follow these guidelines:

  • Member user groups can belong to an LDAP identity source or to the internal database.

  • The parent user group must belong to the internal database.

Procedure

  1. In the Security Console, click Identity > User Groups > Manage Existing.

  2. Select the user group to which you want to add other user groups.

  3. From the Action menu, select Add Member User Groups, and click Go.

  4. Select the checkbox next to the user groups that you want to add.

  5. Click Add to Group.

Delete User Groups

You can delete user groups that are stored in the internal database. You can delete user groups one at a time, or you can delete multiple user groups at the same time. Deleting a user group deletes the association between the user group members, but does not actually delete the user group members.

You can delete user groups from an LDAP directory only by using the native LDAP directory interface.

Procedure

  1. In the Security Console, click Identity > User Groups > Manage Existing.

  2. Click the user group that you want to delete, and select Delete.

  3. Click OK.

Remove Users from User Groups

You can remove users from user groups that are stored in the internal database. When you remove a user from a user group, the user is no longer managed as part of the user group. Removing a user from a user group does not delete the user's data from the identity source that contains the user record.

If you want to remove users from user groups that are stored in an LDAP directory, you must use the native LDAP directory interface.

Procedure

  1. In the Security Console, click Identity > User Groups > Manage Existing.

  2. Click the appropriate user group, and select Member Users.

  3. Use the search fields to find the user that you want to remove from the user group. Some fields are case sensitive.

  4. Click the user that you want to remove, and click Remove From Group.

Duplicate User Groups

You can duplicate user groups that are stored in the internal database. When you duplicate a user group, you create a user group with identical user group information, which means that information such as the identity source and security domain is the same as in the original user group. The duplicate user group, however, does not have any users assigned to it.

You can configure RSA Authentication Manager so that a duplicated user group is still associated with the same authentication agents as the original user group. For instructions, see Maintain Authentication Agent Associations in a Duplicated User Group.

If you want to duplicate a user group that is stored in an LDAP directory, you must use the native LDAP directory interface.

Procedure

  1. In the Security Console, click Identity > User Groups > Manage Existing.

  2. Click the user group that you want to duplicate, and select Duplicate.

  3. In the User Group Name field, assign a new user group name, and make any other necessary changes to the new user group.

  4. Click Save.

Maintain Authentication Agent Associations in a Duplicated User Group

You can configure RSA Authentication Manager so that a duplicated user group is still associated with the same authentication agents as the original user group.

Procedure

  1. Log on to the appliance using an SSH client.

  2. Change directories:

    cd /opt/rsa/am/utils

  3. Run one of the following commands:

    • To create an association between authentication agents and user groups, type the following, and then press ENTER:

      ./rsautil store -a add_config auth_manager.admin.copy_group_with_agent true GLOBAL 500

    • To remove the association between authentication agents and user groups, type the following, and then press ENTER:

      ./rsautil store -a update_config auth_manager.admin.copy_group_with_agent false GLOBAL 500

  4. When prompted, enter your Operations Console administrator User ID, and press ENTER.

  5. When prompted, enter your Operations Console administrator password, and press ENTER.

  6. Restart all Authentication Manager services on the primary server and replicas:

    cd /opt/rsa/am/server

    ./rsaserv restart all

Move User Groups Between Security Domains

When you move a user group to a new security domain, the target security domain owns the user group, but the user group members are still owned by the security domains to which they are assigned.

Procedure

  1. In the Security Console, click Identity > User Groups > Manage Existing.

  2. Select the checkbox next to the user group that you want to move.

  3. From the Action menu, select Move to Security Domain, and click Go.

  4. From the Move to Security Domain drop-down list, select the security domain to which you want to move the user group.

  5. Click Move.

Remove Member User Groups from User Groups

You can use the Security Console to remove a member user group from a user group that is stored in the internal database. When you remove a member user group from a user group, the member user group is no longer managed as part of the user group. Removing a member user group from a user group does not delete the member user group from the identity source.

If you want to remove a member user group from a user group that is stored in an LDAP directory, you must use the native LDAP directory interface.

Procedure

  1. In the Security Console, click Identity > User Groups > Manage Existing.

  2. Select the user group from which you want to remove a member user group, and click Member User Groups.

  3. Select the member user group that you want to remove.

  4. Click Remove From Group.

  5. Click OK.

Set Restricted Access Times for User Groups

Restricted access times control when members of a user group can authenticate through associated authentication agents. By default, users are permitted to authenticate at any time.

Procedure

  1. In the Security Console, click Identity > User Groups > Manage Existing.

  2. Use the search fields to find the user group that you want to restrict.

  3. Click the user group that you want to restrict, and click Restricted Access Times.

  4. (Optional) From the Access Time Templates drop-down list, select a template. Templates are predefined access times that can be assigned to a user group.

  5. (Optional) Use the View by GMT Offset drop-down list within the Access Times field to select the GMT offset corresponding to the time zone where the user group that you want to restrict is located. This allows you to set restrictions based on the local time for the members of the user group.

  6. Use the Access Times boxes to select access time restrictions.

  7. Click the time that you want the available access time to begin, press SHIFT, and click on the time that you want available access to end. This selects a range of hours. The available access time is the highlighted area. The times that are not highlighted are restricted.

  8. To select multiple, non-consecutive hours, press CTRL, and click the appropriate hours.

  9. To deselect a selected hour, press CTRL, and click the selected hour.

  10. Click Save.
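
Added example, not from the product: a hypothetical Python model of one group's restricted access times that mirrors the hour grid and View by GMT Offset setting above. It converts an authentication attempt's UTC timestamp into the group's local time before checking the hour, so an offset can move an attempt onto a different local day. The offset, hours and timestamps are constructed values.

```python
from datetime import datetime, timedelta, timezone


class RestrictedAccessTimes:
    """Hypothetical model (not RSA's API) of one user group's restricted access times.

    allowed maps a weekday (0 = Monday) to the set of local hours (0-23) in which
    members may authenticate; None means no restriction, the page's default.
    gmt_offset_hours is the group's View by GMT Offset value.
    """

    def __init__(self, gmt_offset_hours=0, allowed=None):
        self.local_tz = timezone(timedelta(hours=gmt_offset_hours))
        self.allowed = allowed

    @classmethod
    def weekday_hours(cls, gmt_offset_hours, first_hour, last_hour):
        # Equivalent of SHIFT-clicking the range first_hour..last_hour on Monday
        # through Friday; every hour outside the highlighted range is restricted.
        hours = set(range(first_hour, last_hour + 1))
        return cls(gmt_offset_hours, {day: set(hours) for day in range(5)})

    def local_time(self, attempt_utc):
        """The attempt expressed in the group's local time (the grid's time zone)."""
        if attempt_utc.tzinfo is None:
            raise ValueError("attempt time must be timezone-aware")
        return attempt_utc.astimezone(self.local_tz)

    def permits(self, attempt_utc):
        """True if an authentication at attempt_utc is inside an allowed hour."""
        if self.allowed is None:
            return True
        local = self.local_time(attempt_utc)
        # The offset may shift the attempt across midnight, e.g. a UTC Monday
        # attempt that is still Sunday evening in the group's local time.
        return local.hour in self.allowed.get(local.weekday(), set())


def check_attempts(policy, attempts_utc):
    """Map each constructed ISO-8601 UTC timestamp to the policy's decision."""
    return {ts: policy.permits(datetime.fromisoformat(ts)) for ts in attempts_utc}
```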

View User Group Members

You can view users who are organized into user groups based on criteria such as geographic location or job title.

Procedure

  1. In the Security Console, click Identity > User Groups > Manage Existing.

  2. Click the user group, and select Member Users.

  3. Use the search fields to search for all users.

View User Group Memberships for a User

Use the Security Console to view the user groups in which a user has membership.

Procedure

  1. In the Security Console, click Identity > Users > Manage Existing.

  2. Use the search fields to find the user whose user group memberships you want to view. Some fields are case sensitive.

  3. Click the user, and select User Group Membership.

Note: The Security Console cannot display a user's primary Active Directory group, such as Domain Users. The group appears empty even though it has members.