Creating Dynamic Group Memberships

EmpowerID allows you to dynamically assign users to groups using role-based delegations. Assignees can be any EmpowerID Actor type, such as Business Role and Location combinations, Management Roles, Query-Based Collections and other groups. This topic demonstrates this by creating a dynamic group membership for anyone assigned to a specific Business Role and Location. In this way, any person who belongs to the Business Role and Location will automatically be added to the group as a member.

This topic demonstrates how to create a dynamic group membership and is divided into the following activities:

Prerequisites: In order to create a dynamic group membership as described by this topic, the following prerequisites must be met:
  • EmpowerID must be connected to Active Directory. For a detailed walkthrough describing how to connect EmpowerID to Active Directory, see Connecting to Active Directory.
  • Group Membership Reconciliation must be enabled for the account store with the group(s).
  • The Group Membership Reconciliation Job must be running on at least one EmpowerID server. You turn this job on and off from the Servers and Roles node of Configuration Manager, which is accessible from the EmpowerID Management Console.
  • The group for which you are creating a dynamic group membership must exist in EmpowerID.
  • The Business Role and Location being granted dynamic group membership must exist in EmpowerID.
  • Additionally, to verify the dynamic group membership, users must belong to the Business Role and Location.

To create dynamic group memberships

  1. Log in to the EmpowerID Web application as an administrator.
  2. From the Navigation Sidebar, navigate to DelegationsManager by expanding Identities and clicking Manage Delegations.
  3. In Delegations Manager, click the Actor Delegations tab (selected by default). From this tab, you can manage the access to resources of any EmpowerID Actor.
  4. Select Business Role and Location from the Assignee Type drop-down. You should see the Business Role and Location trees appear.
  5. Search for and select a Business Role from the Business Role tree and then search for and select a Location from the Location tree. In our example, we are selecting the Contractor Business Role and the All Business Locations Location. In this way, any person who is a contractor in or below the All Business Location location will be dynamically added to the target group as a member.
  6. Please note that the people must in the Business Role and Location must have user accounts linked to their Person in order to be added to the group.

  7. Select Direct from the Assignment Type drop-down.
  8. From the Assignments grid, click the Add Assignments (+) button.
  9. In the Grant Access dialog that appears, do the following:
    1. Select Group (Security) from the Resource Type drop-down.
    2. Type the name of the specific group for which you are creating the dynamic membership in the Enter a Group (Security) Name to Search field and then click the tile for that group. In our example, we are selecting the Contractors group.
    3. Select the Member from the Access Level drop-down.
    4. Optionally, tick Time Constrained if you want to add a time constraint to the Access Level assignment. Time constraints limit the effectiveness of the assignment to the specified times. In our example, we are not adding a time constraint.
    5. Click Add to add the policy to your shopping cart.
  10. Click the Shopping Cart icon, type a reason for the assignment and then click Submit.

To verify the group membership in EmpowerID

  1. From the Navigation Sidebar, navigate to the Group Management page by clicking Groups underneath Identities.
  2. Search for the Group for which you created the dynamic membership and then click the Logon Name link for that group.
  3. In the following image, the Locations pane has been collapsed to conserve screen real estate.

    This directs you to the View One page for the group. View One pages allow you to view details about an object in EmpowerID and make changes to those objects as needed.

  4. From the group's View One page, expand the Group Members accordion. You should see the user accounts have been added to the group.
  5. If you have an email account that is registered with EmpowerID, you can email the contents of this grid to your email account by clicking on the Email icon.

To verify the group membership in Active Directory

  1. Open Active Directory Users and Computers and search for the group you targeted for dynamic group membership.
  2. Open the Properties window for the group and click the Members tab. You should see that the appropriate user accounts have been to the group as members.