Version: Secure Access

Groups

About Groups

A Group is a collection of users or individuals and their respective information. These collections make it easier to categorize and manage users in bulk. Configure and manage Groups in Beyond Identity to organize users according to shared characteristics.

For example, access rights can be updated for a large number of users through Groups, as all of the users in that Group receive the change at the same time. This simplifies directory management by consolidating users and application assignments.

In Beyond Identity, Groups are modeled with a streamlined lifecycle to make information about them more transparent and accessible. The Group model has processes in place for creating, viewing, editing, and removing Groups. Each action is logged and recorded. These data points are available from within the platform for reference and tracking.

Group lifecycle

The Group lifecycle in Beyond Identity consists of creating a new Group, viewing that Group’s information within Beyond Identity, editing the Group’s configuration across other Beyond Identity models, and removing a Group from Beyond Identity.

  • Create - Add new Group
  • Retrieve - View Group information
  • Update - Modify Group information
  • Delete - Remove Group and Group information

This Group lifecycle covers the transitions of an individual and their respective identity in your organization. For context, the lifecycle details the actions for adding a new employee, collecting relevant information about that employee’s configuration, changing any part of the employee’s setup, and removing the employee from Beyond Identity as needed.

The security advantages of this lifecycle come from reduced IT admin errors, efficient provisioning, consistent and reliable compliance, and historical activity records. Beyond Identity supports these critical processes to make managing Identities straightforward and seamless.

Lifecycle example

For example, at Sample Corporation, Isabella, the IT administrator, is onboarding a new employee, Ethan. Isabella uses the Beyond Identity console to add Ethan along with information about his job, such as his email address.

During Ethan’s first week, Isabella edits his Group in Beyond Identity to update the Group that his job is in and the Applications that he can access. Over the next few months, Ethan switches teams and requires different access to different applications. Isabella modifies Ethan’s Identity to place him in the correct Group. She also updates the Application access available to him in his new role.

After a few years, Ethan leaves Sample Corporation. Isabella then removes Ethan’s Identity from Beyond Identity for the organization so that it can no longer access any of the protected resources. The console also tracks and logs the activity from Ethan’s Identity throughout the lifecycle for an accurate history of that Beyond Identity model.

Manage Groups

Beyond Identity has all the available actions for managing your Groups. Create, Retrieve, Update, and Delete Identities across the platform using the methods in the sections below.

  • Directly within the Beyond Identity platform
  • Use the System for Cross-domain Identity Management (SCIM)
  • Programmatically with the Beyond Identity API

Create Groups

Creating a new Identity adds an individual to the Beyond Identity platform for your organization. To get started in Beyond Identity, create new Identities or import Identity information from a source.

Retrieve Groups

After populating Beyond Identity with Groups, you can view any and all Group information with the same processes. From within the console, view the profile, passkey, and application information about the selected Group.

Update Groups

This action is for editing and modifying existing Identities within Beyond Identity.

Delete Groups

When a Group is no longer part of your organization, delete the Group and its information from Beyond Identity.

Configure Groups with other Beyond Identity models

The Group model within Beyond Identity is connected to both models for Identities and Applications. Groups can be configured according to these for more robust control and setup. These models interact with one another and can define Group boundaries within an organization.

Roles

Roles are specific titles that determine administrative rights in Beyond Identity. Assign Roles to IT administrators to limit their scope of access to specific actions within Beyond Identity for your organization.

  • Create - Add new Roles
  • Read - View available Roles
  • Update - Change or modify Roles
  • Delete - Remove or eliminate Roles

For Roles in Beyond Identity, the default Role for new Beyond Identity tenants is the Super Administrator. This Role has full access and privileges to all available actions within Beyond Identity and for the organization.

Additional Role support is available to limit and restrict administrator access across the organization. These Roles provide additional security by enforcing least-privilege access in Beyond Identity.

Identities

Groups are defined collections of Identities. These collections of users create bulk interactions as Groups. Identities can be assigned to one or more Groups.

  • Create - Add new Identity
  • Retrieve - View Identity information
  • Update - Modify Identity information
  • Delete - Remove Identity and Identity information

Applications

Applications are tools and resources within the organization. Identities can be assigned to Applications. When an Application is assigned to an Identity, that user or individual then has access to those resources.

  • Create - Add new Applications
  • Read - View available Applications
  • Update - Change or modify Applications
  • Delete - Remove or eliminate Applications

Other examples of assigning Applications appear in the list below. Applications can be assigned to other Beyond Identity models for additional resource control and management.

  • Identities - A user or individual Identity can have a specific Application assigned to them
  • Roles - When a Role has an Application assigned to it, the specific Role then has access privileges
  • Groups - Applications can be assigned to Groups for wider access for all users or individuals in the Group
  • Applications - When an Application is assigned to another Application, this action provides additional access for that specific Application relationship