User groups are a collection of users. As a tenant administrator, you can create user groups manually, sync user groups from an external identity provider (IdP), or sync user groups from another BMC product to provide cross–product access. Imported or synced groups are treated as external groups. For more information, see User identities.
The following image describes the different types of user groups:
You can use user groups to simplify the process of managing permissions for individual users. For example, if a user in the "Product Admins" user group switched roles in the organization, instead of changing the user's permissions, you can remove the user from the current user group and add it to the new user group. Conversely, if a new user joins the "Product Admins" team, instead of providing specific permissions to the new user, you can add the new user to the existing "Product Admins" user group.
You can assign permissions to user groups, by assigning those user groups to the appropriate roles. You can also assign permissions to individual users. Assigning permissions to individual users might be required in scenarios where you want to assign specialized or sensitive permissions to a specific user for a limited duration of time.
If you need to provide unique permissions to individual users for a long duration of time, we recommend that you let such users inherit permissions from user groups. Otherwise, it can become cumbersome and inefficient to manage a mix of user groups with inherited permissions and users with unique permissions.
The following points can help you better understand how user groups function:
- User groups can contain users only.
- User groups can contain multiple users and a user can belong to multiple user groups.
- User groups can be manually created or synced from an external identity provider (IdP).
For example, the following image shows the user groups and associated users for Tenant A. The tenant administrator creates the Admin user group and assigns the user Ron to the Admin group. Ron creates other user groups for developers, QA, and DevOps users. Each of these user groups include human users with console access and API users with programmatic access. Each user belongs to a separate user group except Mike who is part of both the Dev user group and the DevOps user group.
Where to go from here
To manually create, edit, or delete a group, see Setting up user groups.
Log in or register to comment.