Configure Administration Groups

Administration groups provide a way to organize (partition) users for administrative purposes as well as a way to assign permissions to users through membership of administration groups.

Using the ActivID Management Console, you can create and update administration groups within User Types. Then, you can add users to the administration groups.

Note: Individual local database users can only belong to one administration group. Use the ftadmin user to create administration groups in any of the predefined dataset user types.
Prerequisites:  
  • To add an administration group to a user type, you must have the appropriate permission on this user type.

  • To manage users in an administration group, or to update this group’s details (such as permissions or user repositories), you must have the appropriate permissions on that administration group.

Create an Administration Group

When you create an administration group, you select a parent for it.

The parent can be the user type (within which you are creating the administration group) or another administration group within the same user type. The Parent Group field lists the group name of the user type within which you are creating the administration group.

Important: Some of the Administration Group configuration settings are retained in the form of "Assets" that belong to the Asset Type "GroupConfig":
  • These assets are created to store the Self-Service Portal activation parameters when the Administration Group is created or updated.

  • Do not delete these assets after they are created (as it will delete the settings).

  • If the settings contain the default values, these assets will not be created.

As the “Asset Type Administration functions” permission set is required to manage such assets, in order to create and/or update Administration Groups, the operator must have the “Asset Type Administration functions” permission set (that is applied to the “GroupConfig” Asset type).

  1. Log on to the ActivID Management Console as an ActivID administrator.
  2. Select the Access Administration tab and, under User Organization, select Administration Groups.
  3. The list of default Administration Groups is displayed.

Add an Administration Group to a User Type

  1. Right-click on the user type in which you want to create the administration group.

    A contextual menu is displayed.

  2. Select Add Admin Group.

  3. The Add Administration Group page appears. You cannot edit the User Type and Parent Group.

  4. Enter the main information for the Admin Group:
    • Name – should be unique for ease of administration.
    • Code – a value is automatically generated but it can be changed. The code must be unique, a minimum of three characters, and a maximum of 10 characters. It cannot be changed once the credential type is created.
    • Description – (optional) content is free-format.
  5. Click Save and proceed to Map User Repositories to an Administration Group.

Map User Repositories to an Administration Group

  1. Expand the group node to view the new administration group.
  2. Click on the name of the group or right-click and select Edit Admin Group.
  3. In the group details page, go to the User Repositories tab.
  4. By default, the Local Database repository is enabled.

  5. To add repositories to the group, select Available from the drop-down list.

  6. Depending on the user repositories enabled for the User Type in which the administration group belongs, the Available user repositories will be different.

    Repositories are added one by one, as you need to specify the root nodes for each one.

  1. Select the check box for the required repository.
  1. To add the root node of the user repository, click Add.
  1. Verify that the root node is correct or modify the specified node, and click Add.
  2. If you want to add additional nodes, click Add again and repeat the above steps.
  3. Click Ok to confirm the root node.
  4. The repository is now enabled with the defined root node.

  5. If necessary, repeat the steps to add additional repositories to the group.
  6. Click Save and proceed to View Authentication Policies and Set Self-Service Tokens Activation Configuration.

View Authentication Policies and Set Self-Service Tokens Activation Configuration

In the group details page, select the Authentication Policies tab.

The valid Authentication Policies displayed depend on the User Type definition of the group.

In the Self Service Tokens Activation Configuration section, you can view and define the Self Service Tokens Activation configuration for all Users within this Administration Group.

  1. For each activation option, select the:
    • Device type for each type of token
    • Authentication policy from the list of polices compatible with the device type selected for the type of device

    To disable an activation option for the group, leave the settings empty or clear the selected configuration.

  2. Note:
    • If One-Time Password authentication policies are not available for your User Type, the lists will remain empty. You must define such a policy to be able to activate the tokens.
  3. Click Save and proceed to Assign Administration Group Permissions .
Note: These settings are retained in the form of "Assets" that belong to the GroupConfig asset type:

  • These assets must not be deleted after they are created (as it will delete the settings).
  • Such assets will not be created if the settings are left to default values (meaning no specific device type is selected for the Admin Group).

Assign Administration Group Permissions

Once you have created an administration group, you must assign administrative permissions to that group before proceeding.

A permission is an action such as creating a user, resetting a password, and modifying an indirect user’s privileges. Individual permissions are pre-defined in ActivID AS and can only be added or removed for a specific user. You can group individual permissions into permission sets and assign them to a group of users.

Assigning a permission set to an administration group enables all the users in the group to perform each of the permissions in the set.

It is possible to assign a permission set by specifying the following conditions:

  • The specific user authentication policies that are required to exercise the permission (that is, Management Static Login, etc.).

  • The specific channels through which the permission will be given (that is, Direct channel, Management Console, etc.).

  • The specific resources to which the permission will apply (that is, Customers User Types, etc.).

The time taken by ActivID AS to refresh permissions assigned to a user administration group, or associated with a role and assigned to an individual user, is specified in your ActivID AS settings.

Prerequisites: You must have the permissions to add different types of permissions sets. For example, if you do not have the “Modify user group asset set external permission” permission, then you cannot add external permission sets with resource type asset sets.
  1. If necessary, select the Access Administration tab and, under User Organization, select Administration Groups.
  2. In the list of Administration Groups, click on the name of the group you created above.
  3. Select the Permissions tab, and then scroll down to Available to view the available permissions for the group.
  4. Permissions are added one by one, as each must be configured.

  1. Click Assign for the required permission to assign it to the group.

  1. If you want to specify conditions for the permission, select the required option(s) and click Next:

    • Authentication Policies
    • Channels
    • Resources
  2. Note: If you do not want to specify conditions, set all the options to Any, click Next and proceed to the review step.

    The subsequent steps depend on your selection. For each conditioning option selected, a configuration page is displayed.

  3. If you selected to apply Authentication Policy conditions to the permissions:
  4. Select the options for the required policies to enable them for the group permission and click Next.

  5. If you selected to apply Channel conditions to the permission:
  6. Select the options for the required Channels to enable them for the group permission and click Next.

  7. If you selected to apply Resource conditions to the permission:
  8. Select the options for the required Resources to enable them for the group permission and click Next.

    When all the conditions are defined, the Configure permission summary page is displayed.

  9. Review the configuration under Privileges and click Ok to apply the settings.

  10. Alternatively, you can click Back to edit the configuration, or Cancel to exit without saving.

    The permission is now assigned to the administration group.

  1. Click Save.

Edit an Administration Group

  1. Log on to the ActivID Management Console as an ActivID administrator.
  2. Select the Access Administration tab and, under User Organization, select Administration Groups.
  3. Click on the name of the administration group you want to edit.
  4. All the settings can be modified except the group's:

    • User Type
    • Parent group to which the administration group belongs
    • Code
  1. Edit the group settings as required.

  2. Click Save to apply your changes.
  3. If you want to cancel the operation, click Back to List.

Move an Administration Group

When you create an administration group, you select a parent for it. The parent can be the user type (within which you are creating the administration group) or another administration group within the same administration group.

The Parent Code lists the unique reference of the user type within which you are creating the administration group and the unique references of any other administration groups already created in the user type.

Note:  
  • You can move one or more of the administration groups within the user type by changing the parent(s).
  • You can move an administration group only within its current hierarchy.
  • You cannot move an administration group to a different user type.
  1. Log on to the ActivID Management Console as an ActivID administrator.
  2. Select the Access Administration tab and, under User Organization, select Administration Groups.
  3. Right-click on the name of the administration group you want to move and select Move Admin Group.

  1. Select the new parent group, and click Save.
  1. Click Close.

Delete an Administration Group

Prerequisites: Make sure there are no users or subgroups assigned to the administration group. You will not be able delete the group if it is still in use.
  1. Log on to the ActivID Management Console as an ActivID administrator.
  2. Select the Access Administration tab and, under User Organization, select Administration Groups.
  3. Right-click on the name of the administration group you want to move and select Delete.
  4. Click Yes to delete the group.