Select User Groups for Self-Service

If you use provisioning and restricted agents, you can select the user groups that you want to make available to users when they enroll in Self-Service. The user groups in which a user enrolls determine which restricted agents the user can use to authenticate. The user groups that you select are displayed on the Self-Service Console. If you select no user group, the User Group Selection page does not display during enrollment.

When selecting user groups for Self-Service, consider the following:

  • Users can request membership in internal groups only. Authentication Manager cannot add users to groups in external identity sources.

  • Which user groups provide users with the access to resources that they need

  • Whether there are any user groups that you do not want users to access

  • Whether there a user group that you want all users to access

  • If you set a default group, users can only belong to the default group.

  • If you do not use restricted agents, you do not need to select user groups for provisioning.

Note: Users can request additional user group membership after enrolling in Self-Service, as long as the user group resides in the internal database.


  1. In the Security Console, click Setup > Self-Service Settings.

  2. Click Select User Groups.

  3. Click Next to select the internal database, the only identity source that contains user groups that you can make available to users for enrollment.

  4. In the Display Name for User Group Selection Component field, enter user-friendly text about choosing a user group. For example, if remote access is protected by a restricted agent, you might enter “Select your access method.”

  5. Click Select More Groups to view a list of available groups for the identity source you selected.

  6. Select the user groups you want, and click Make Available.

  7. (Optional) In the Display Name field, add a descriptive name for the user group. For example, enter “VPN.”

  8. (Optional) Click the Default Group check box for each user group that you want assigned by default to all new users who enroll through the Self-Service Console.

  9. Click Save.