
Managing user groups

This section describes how Osirium PAM user groups are created and managed within the Admin Interface, covering the following:

What are user groups?

A user group is a collection of users. Working with groups instead of individual users simplifies giving the members of a group, organisation, team, department, etc. the same privilege levels required to perform a job role. It minimises the risk of missing people off the access list, and makes it easier to quickly remove a user's access by removing them from the group rather than individually removing them from each profile.

User groups are created and managed via the Manage user groups page.

Manage user groups table

The process of creating a user group and then associating users who require the same access privileges is as follows:

  1. Create a user group container with a preferred user source and a name to help identify the group.

    The source selected will determine the user list presented for association:

    • Local: will allow you to select and add users with any auth type.

    • Active Directory: will synchronise the users belonging to the Active Directory named security group.

    Note

    If the name of the user group does not exactly match the name of the security group on the Active Directory then the user list will be empty.

  2. Associate users (local or Active Directory): For local source user groups, select the users from the list presented.

    For an Active Directory source user group, synchronise the users from the Active Directory security user group with the same name. Active Directory users that are currently not listed within the Manage users page will be created.

    Active Directory users can't be updated or deleted from within Osirium PAM. Updates to user groups at the Active Directory level need to be synchronised with Osirium PAM in order for the changes to be picked up and reflected.

  3. Associate profiles: Either select from the profiles that already exist or create a new profile with the access privileges required for the user group. Adding a profile to the user group will give all the users in the user group access to the devices and tasks listed in the profile with the access level stated. User groups can be added to multiple profiles.

How to create a new user group

Creating a user group creates a container that can then be used to associate users and profiles.

  1. Click the NEW USER GROUP button on the Manage user groups page.

    New user group window

  2. Fill in the following details:

    Heading Description
    Source Select the source of the users
    - Local: Allows you to create a user group to which you can add any user.
    - Active Directory: Allows you to add a user group that will be synchronised against an existing security group in your Active Directory.

    NOTE The Active Directory currently configured as the User Authentication Service will be used for all Active Directory user group operations.

    Name Enter a display name that will be used to identify the user group. When using an Active Directory source:

    The name must match that of a Global Security Group that exists on Active Directory. If the user group name is found on the Active Directory, the user group will be successfully created. Osirium PAM will then proceed to synchronise the user data using the sAMAccountName from the Active Directory.

    NOTE Synchronising of user data is done with diacritic (accents added to words) insensitivity and case insensitivity.

    If a discovered Active Directory user already exists in Osirium PAM, they will be added to the user group.

    If a discovered Active Directory user doesn't already exist in Osirium PAM, it will be created automatically and added to the user group.

    Notes Add any additional information that may be relevant or useful to manage the user group.
    Enabled If the checkbox is checked then the user group is enabled.

    When added to a profile, the users within the group will be given permission to the devices.

    NOTE If an Active Directory user group is created in a disabled state, the users will not be synchronised until the group is enabled.

  3. Click SAVE. The user group container is created. If you selected an Active Directory source, a Note window is displayed.

    AD Sync note
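The case- and diacritic-insensitive matching described above, as an added example that is not Osirium code: a pre-sync review that predicts which sAMAccountName values would match an existing Osirium PAM user, which would be created, and which distinct names collapse to the same key. The `fold` function (NFKD, combining marks removed, casefold) is an assumed approximation of the product's matching, and all names are constructed sample data.

```python
import unicodedata

def fold(name):
    """Case- and diacritic-insensitive key. Assumed approximation of the
    matching described above: NFKD-decompose, drop combining marks, casefold."""
    decomposed = unicodedata.normalize("NFKD", name.strip())
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return stripped.casefold()

def preview_sync(ad_accounts, pam_users):
    """Predict, per AD sAMAccountName, whether a sync would reuse an existing
    PAM user or create a new one, and flag names that fold to the same key."""
    existing = {}
    for user in pam_users:
        existing.setdefault(fold(user), []).append(user)
    result = {"matched": {}, "created": [], "ambiguous": {}}
    seen = {}
    for account in ad_accounts:
        key = fold(account)
        seen.setdefault(key, []).append(account)
        if key in existing:
            result["matched"][account] = existing[key]
        else:
            result["created"].append(account)
    # Several distinct spellings behind one key deserve a manual look.
    for key, accounts in seen.items():
        if len(accounts) > 1 or len(existing.get(key, [])) > 1:
            result["ambiguous"][key] = sorted(set(accounts) | set(existing.get(key, [])))
    return result

# Constructed sample data, not taken from any real directory.
AD_GROUP_MEMBERS = ["JSmith", "ren\u00e9.dubois", "Rene.Dubois", "mjones"]  # "rené.dubois"
PAM_USERS = ["jsmith", "rene.dubois", "admin"]

if __name__ == "__main__":
    for section, value in preview_sync(AD_GROUP_MEMBERS, PAM_USERS).items():
        print(section, value)
```

Entries under `ambiguous` are the ones to review before enabling the group, because more than one directory spelling resolves to the same key under the assumed folding.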

How to associate users and profiles

The User group detail page allows you to view and configure the users and profiles that will be associated with the user group.

Note

The associated users in an Active Directory user group cannot be modified directly. The user groups are synchronised with Active Directory.

The associated users will only get updated if the user group in Active Directory changes.

To add users to a local source user group

  1. On the User group detail page, click the MANAGE button to the right of Associated users.

  2. The Manager: users window opens. Select the checkboxes for the users to be added to the group.

    Associate users

  3. Click SAVE CHANGES. The users are added to the user group.

To synchronise users from an Active Directory source user group

The first time you create a user group with an Active Directory Account source, the users will be automatically synchronised. To check for updates to the user group, use the Synchronise button on the Named user group detail window. Any changes that have been made to the user group on the Active Directory will be updated in Osirium PAM, i.e. users removed from the group, additional users added, etc.

To add profiles to user groups

  1. On the Named user group detail page, click the MANAGE button to the right of Associated profiles.

  2. Within the Manager: profiles window, select the checkboxes for the profiles to be added to the group.

    Associate profiles

  3. Click SAVE CHANGES. The Profile user update task will be executed.

    The profile will be updated to include the user group. All users listed in the user group will be given the same privileged access levels configured within the profile.

    User group configured

    Example of the user group added to the profile:

    User group added to profile

Bulk importing

Rather than creating user groups manually and one at a time, you can create many user groups using a bulk import. To do this, you need to download and populate the appropriate CSV (comma separated values) file.

A bulk import can be used to create new user groups or update existing user group memberships (associated users and associated profiles).

Bulk importing user groups

To bulk import a number of user groups:

  1. Select the User groups from the left-hand menu.

  2. On the Manage user groups page, click BULK IMPORT and select Import user groups from the menu.

  3. Within the Import from CSV window, click DOWNLOAD CSV TEMPLATE.

    If you accessed the Admin Interface via the PAM UI Device tool you will need to use the Shared Drive mechanism for downloading files. For further details see Downloading a file using Shared Drive.

  4. Open the user_groups_[date].csv file. The file contains an example showing the inputs required.

    User CSV template

  5. Add in your user groups to be imported as follows:

    Column heading Description
    Is Active Directory group? Enter TRUE if the user group created is an Active Directory user group that you want to synchronise the associated users from.

    Enter FALSE to select from the Osirium PAM list of users.

    Name Enter the display name for the user group.

    If adding an Active Directory user group the name must exactly match the name of the user group that exists on the Active Directory, otherwise the user synchronisation will fail.

    Notes Add any additional information that may be useful.
    Enabled Enter TRUE to enable the user group when created.

    Enter FALSE to disable the user group when created.

    NOTE Disabling a user group will dynamically revoke any permissions allocated through profiles.

    For example:

    User bulk import example

  6. Save the csv file once updated.

  7. If you accessed the Admin Interface via the PAM UI Device tool you will need to use the Shared Drive mechanism for uploading files. For further details see Uploading a file using Shared Drive.

  8. Now within the Import from CSV window, click Choose File.

  9. Select the uploaded user groups bulk import file and click OPEN.

    Choose file

  10. Click IMPORT.

  11. The entries in the CSV file are added and visible in the Bulk import user groups window.

    Imported csv file

  12. Before you click IMPORT note the following.

    • To import all the user groups listed, click SELECT ALL.

    • To import only a selection of user groups from the list, hold the SHIFT key and select all the groups you want to import from your bulk import list.

    • Errors will be highlighted with an Exclamation.

    • If warnings are not fixed then you will get an error when you click IMPORT.

      Import warning window

    • You can select Skip rows with errors to ignore the rows with errors and import all the others.

      Skip rows with errors

    • You can update any user group settings by clicking Edit at the end of each row.

    • If there are no errors highlighted then all user groups in the list will be imported.

    • To disable a user group when created, click Edit at the end of the row and deselect the Enabled checkbox.

  13. Click IMPORT.

  14. Within the Question window, click YES if you are happy to proceed with the bulk import.

    Import question window

  15. Within the Action queue window, the user groups will be imported and queued for creation. If you have a lot of users in your bulk import then you can choose to Continue in the background or if the imports have been completed, click Done.

    The Manage user groups page will automatically be updated.

    User data will be synchronised for any user groups with a source of Active Directory. If the user doesn't exist in Osirium PAM it will be created. All users associated with the Active Directory group will be listed.

Bulk importing user groups membership

Once you have imported and created your user group containers you can use the exported user group membership csv to associate users to the user groups. If you have existing user groups with user associations then you can also use it to add additional users or to remove users from the user group.

Limitations of bulk importing user group memberships are:

  • Profiles cannot be associated within the user group membership CSV file.

  • There is no CSV template available for download under Bulk import > Import user groups membership > Download CSV template.

  • It cannot be used to add users to a user group with a source of Active Directory, as they are automatically synchronised.

The following method can be used to bulk import user associations to user groups:

  1. Within the Manage user groups page, click EXPORT.

  2. Select Export user groups membership.

    If you accessed the Admin Interface via the PAM UI Device tool you will need to use the Shared Drive mechanism for downloading files. For further details see Downloading a file using Shared Drive.

  3. Open the user_groups_member_[date].csv file. The file will contain:

    • All the user groups listed on the Manage user groups page.

    • User groups with an account source of Active Directory will also have a list of synchronised users.

    • User groups with an account source of local will also show existing associated users.

    Note

    If you remove an existing associated user from the bulk import template and then import, the removed user will be deleted from the associated users list.

    • User groups with no associated users will be blank.

    Example:

    User CSV Export

  4. As all user groups with an account source of Active Directory are synchronised they can be removed from the bulk import file.

  5. To associate users to the user groups with an account source of local, add the user's Name, as listed on the Manage users page, to the list. Users with any Auth type can be added to a local user group.

    Column heading Description
    User group The display name of the user group that already exists.
    User Name of the user that is associated with the group.

    Note

    DO NOT enter multiple names in a field. To add multiple users to the same user group create a new row for each user group.

    For example:

    User bulk membership example

  6. Save the csv file once updated.

  7. If you accessed the Admin Interface via the PAM UI Device tool you will need to use the Shared Drive mechanism for uploading files. For further details see Uploading a file using Shared Drive.

  8. Now within the Import from CSV window, click Choose File.

  9. Select the uploaded user groups membership file and click OPEN.

  10. Click IMPORT.

  11. The entries in the CSV file are added and visible in the Bulk import user group membership window.

    Imported membership csv file

  12. Before you click IMPORT note the following.

    • To import all the user groups listed, click SELECT ALL.

    • To import only a selection of user group memberships from the list, hold the SHIFT key and select all the groups you want to import from your bulk import list.

    • Errors will be highlighted with an Exclamation.

    • If warnings are not fixed then you will get an error when you click IMPORT.

      Import warning window

    • You can select Skip rows with errors to ignore the rows with errors and import all the others.

      Skip rows with errors

    • You can update any row by clicking Edit at the end of each row.

    • If there are no errors highlighted then all entries in the list will be imported.

  13. Click IMPORT.

  14. Within the Question window, click YES if you are happy to proceed with the bulk import of the memberships.

    Import question window

  15. Within the Action queue window, the user group memberships will be imported and queued for creation. If you have a lot of user group memberships in your bulk import then you can choose to Continue in the background or, if the imports have been completed, click Done.

    The Manage user groups page will automatically be updated.
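Because a user left out of the membership file is removed from the group on import, it helps to compare the exported file with the edited one before uploading. The following is an added example, not part of the Osirium documentation or product: it reports per-group additions and removals and flags fields that appear to hold several names. The header row `User group,User` is assumed from the column headings above, and the CSV contents are constructed.

```python
import csv
import io

# Constructed sample data. Header names follow the "User group" / "User"
# column headings above; the exact header row of the export is an assumption.
EXPORTED = """User group,User
DBA team,alice
DBA team,bob
Network ops,carol
Helpdesk,
"""
EDITED = """User group,User
DBA team,alice
DBA team,"dave, erin"
Network ops,carol
Helpdesk,frank
"""

def load_membership(text):
    """Return ({group: set(users)}, [problems]) for a membership CSV."""
    groups, problems = {}, []
    for lineno, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        group = (row.get("User group") or "").strip()
        user = (row.get("User") or "").strip()
        if not group:
            problems.append(f"line {lineno}: missing user group")
            continue
        members = groups.setdefault(group, set())
        if not user:
            continue  # group listed with no associated users
        if "," in user or ";" in user:  # heuristic for several names in one field
            problems.append(f"line {lineno}: multiple names in one field: {user!r}")
            continue
        members.add(user)
    return groups, problems

def diff_membership(exported_text, edited_text):
    """Per-group additions and removals the edited file would apply."""
    before, _ = load_membership(exported_text)
    after, problems = load_membership(edited_text)
    changes = {}
    for group in sorted(set(before) | set(after)):
        added = after.get(group, set()) - before.get(group, set())
        removed = before.get(group, set()) - after.get(group, set())
        if added or removed:
            changes[group] = {"added": sorted(added), "removed": sorted(removed)}
    return changes, problems

if __name__ == "__main__":
    print(diff_membership(EXPORTED, EDITED))
```

Groups that were deleted from the edited file, such as Active Directory groups removed in step 4, show up as removals of all their members and can be ignored for that reason.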

Editing a user group

See the Common Interface functions section for inline editing.

Deleting a user group

Deleting a user group has the following effects:

  • The user group will be permanently removed from the database.
  • The user group will be removed from all profiles associated with the user group.
  • Users' access levels will be revoked for all devices and device tasks within the profiles associated with the deleted user group.