Configuring User Groups
(This feature is available since Accurids 2.7.0)
User groups facilitate the management of access permissions to data. By granting permissions to a user group, every member of the group receives the same permissions. Currently, only administrators can manage user groups.
On the admin page, there is a "USER GROUPS" tab where the groups can be managed. The page displays a list of existing user groups along with their names and descriptions.
- Name: Each user group has a unique name.
- Description: An optional description can be provided to explain the purpose of the group in more detail.
You can search within groups by entering a search term in the search box. The user group list will then display only the entries that match your search.
Creating New Groups
A new group can be created by clicking on the "plus" icon in the upper right corner of the page. You will be asked to provide a new name and description. Additionally, you can add any number of identifiers of external groups that are mapped to this user group (see below for more details).
Editing Groups
By clicking on the "eye" icon in the action column of a group, you can view and edit the group's details. You can edit the name, description, and external group identifiers.
The members of the group are displayed in a list. The "Source" column indicates how each user was added to the group. If the user was added via an external group value (e.g., through an external authentication server like Microsoft Azure AD), the source will display the corresponding external group value (e.g., "admin"). If the user was added manually, the source will show "manual."
You can also add members manually to the group by clicking the "plus" icon in the "Members" section. Manually added members will be reflected in the members list with "manual" in the source column.
When using an external authentication server, Accurids determines whether a user is a member of a group upon login. Therefore, the list of known members does not yet include users who have not logged in since the creation of the group.
Deleting Groups
You can delete a user group using the trash can icon in the action column.
External Authentication Identifiers
A third-party authentication server (e.g., Microsoft Azure AD) can be used to manage user membership. At login, the server sends a token that contains a list of relevant identifiers (in MS Azure, these are called "application roles") that describe which roles a user has.
Accurids allows you to specify these identifiers in a group to control access. A user is then automatically a member of any groups where a configured external identifier matches one of those in the token.
A side effect of this mechanism is that Accurids is only informed about changes in group memberships when the user logs in next.
Application Roles in Azure AD
As an example of external group management, Azure AD allows you to add application roles in "App registrations". The "Value" of an application role is sent as an identifier in the token when a user has that role assigned.
In the "Enterprise Application" page of the application, users and groups with their respective roles can be defined.
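The following added example (not Accurids' own code) models the matching rule described above and the "Source" column: group configurations with external identifiers, a decoded login token carrying Azure AD application role values, and the resulting memberships. Group names, user names, the role values and the claim name "roles" are constructed assumptions for illustration.

```python
import json

# Constructed group definitions modelled on the page: each group has a unique
# name, a set of external identifiers (Azure AD app role "Value"s) mapped to
# it, and any manually added members. All names here are hypothetical.
GROUPS = {
    "curators": {"external_ids": {"accurids-curator"}, "manual_members": {"alice"}},
    "admins":   {"external_ids": {"admin"},            "manual_members": set()},
    "readers":  {"external_ids": {"reader", "viewer"}, "manual_members": {"carol"}},
}

# Constructed, already-decoded token payload as an external authentication
# server would send at login. Assumption: app role values arrive in "roles".
TOKEN_JSON = '{"preferred_username": "bob", "roles": ["admin", "viewer"]}'


def memberships_from_token(token_json: str, groups: dict) -> dict:
    """Resolve which groups the logging-in user belongs to and why.

    Returns {group_name: source}, where source is the matching external
    identifier (what the "Source" column would show) or "manual".
    """
    claims = json.loads(token_json)
    user = claims["preferred_username"]
    token_roles = set(claims.get("roles", []))  # empty if the server sent none
    result = {}
    for name, cfg in groups.items():
        matched = cfg["external_ids"] & token_roles
        if matched:
            # One matching identifier is enough; report it as the source.
            # Assumption: an external match takes precedence over "manual".
            result[name] = sorted(matched)[0]
        elif user in cfg["manual_members"]:
            result[name] = "manual"
    return result


def apply_login(known: dict, token_json: str, groups: dict) -> dict:
    """Update the known-members table for the user who just logged in.

    Only that user's rows change: other users keep the memberships recorded
    at their last login, which is the side effect the text describes.
    """
    user = json.loads(token_json)["preferred_username"]
    updated = {u: dict(m) for u, m in known.items() if u != user}
    updated[user] = memberships_from_token(token_json, groups)
    return updated
```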