Manage user and group provisioning in OneID
User provisioning determines how user accounts are created, modified, and assigned roles. Provisioning users and groups in OneID requires an Administrator account.
User provisioning in OneID can be handled with the following configurable options:
- Manage user provisioning with user groups
- Manage user provisioning by directly assigning tenants to individual users
- Migrate existing user accounts from individual tenants to OneID
User Groups vs Direct Tenant Access in OneID
When managing access control in OneID, administrators have the choice between utilizing User Groups and Direct Tenant Access. Each method offers distinct advantages and is suited to different scenarios. Understanding when to use User Groups versus Direct Tenant Access is crucial for optimizing security, efficiency, and administrative simplicity within your organization.
Using User Groups in OneID
Use user groups to streamline access control. Assign permissions and roles to groups instead of individual users, which reduces administrative workload and keeps access consistent across members.
User groups are ideal for:
- Authorizing only permitted users to access resources, applications, and services.
- Applying security policies, configurations, and updates consistently to every member of a group.
- Opting for group-based management to handle numerous users with similar access requirements efficiently.
- Ensuring consistency across directory services, cloud services, and applications by automating the assignment of users to groups based on roles, departments, or attributes from your IdP and IAM systems.
Using Direct Tenant Access in OneID
Consider Direct Tenant Access in the specific scenarios listed below.
- When permissions must be highly specific and unique to an individual user, a single-purpose group adds complexity (and another object to audit) without adding value.
- For short-term access, assigning the individual user directly avoids adding temporary members to a long-lived group; remember to revoke the direct assignment when the access is no longer needed.
- For very small organizations or teams, the administrative effort of maintaining groups may outweigh the benefits.
- When users' roles and responsibilities change often, keeping group membership in step with those changes can become difficult and error-prone. Direct Tenant Access combined with dynamic role-based access control (RBAC) offers more flexibility in that case.
- For one-time or ad-hoc tasks, an individual permission avoids creating a group that would otherwise be used once.
Switch from Direct Tenant Access to Group Provisioning in OneID
Direct Tenant Access is enabled automatically when a user account is created or imported in OneID, so every account starts with direct access and must be switched explicitly.
Switching at User Level: To transition specific user accounts from Direct Tenant Access to Group Provisioning in OneID, follow these steps:
- Navigate to the user details page for the specific user.
- Disable the Direct Tenant Access toggle for the user.
Enabling Group Provisioning for All Users: To apply Group Provisioning across your whole organization in OneID, follow these steps:
- Go to the Settings page.
- Choose Security Policies.
- Enable the toggle for Group Provisioning for all Users.
Managing Mixed Access Types: Some users can be administered through Direct Tenant Access while others are administered through Group Provisioning. Because a direct assignment is not governed by group membership, periodically review which users still have the Direct Tenant Access toggle enabled.
Handling User Import with Group Provisioning: If Group Provisioning is enabled and a local user account is imported into OneID, that user's access is suspended until the user is assigned to user groups that grant the same tenant access the account had locally. Assigning the OneID user to user groups also prevents a duplicate account from being created in the local tenant.
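The following Python model is an added illustration of the provisioning rules described in this section; it is not OneID code and does not use any OneID API. It encodes the behaviour stated above (Direct Tenant Access on by default after import, the org-wide Group Provisioning toggle overriding the per-user toggle, suspension until groups cover the imported tenant access, and no duplicate account in a tenant that already has the user) so an administrator can reason about what a user will see before flipping a toggle. All class and function names, and the sample user, group and tenant directories, are constructed for the example.

```python
"""Toy model of the OneID provisioning rules (illustrative only, not OneID's API)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Group:
    name: str
    tenants: frozenset  # tenants this user group grants access to


@dataclass
class User:
    email: str
    # Tenants granted directly. For an imported account this is the local
    # tenant the account came from.
    direct_tenants: set = field(default_factory=set)
    # Direct Tenant Access is enabled automatically on create/import.
    direct_tenant_access: bool = True
    groups: list = field(default_factory=list)


@dataclass
class Settings:
    # Settings > Security Policies > "Group Provisioning for all Users"
    group_provisioning_for_all_users: bool = False


def uses_group_provisioning(user: User, settings: Settings) -> bool:
    """The org-wide toggle wins; otherwise the per-user toggle decides."""
    return settings.group_provisioning_for_all_users or not user.direct_tenant_access


def group_tenants(user: User) -> set:
    """Union of the tenants granted by all of the user's groups."""
    return set().union(*(g.tenants for g in user.groups)) if user.groups else set()


def is_suspended(user: User, settings: Settings) -> bool:
    """Under group provisioning, access stays suspended until the user's groups
    cover every tenant the account had direct (e.g. imported) access to."""
    if not uses_group_provisioning(user, settings):
        return False
    return not user.direct_tenants <= group_tenants(user)


def effective_tenants(user: User, settings: Settings) -> set:
    """Tenants the user can actually reach under the current settings."""
    if is_suspended(user, settings):
        return set()
    if uses_group_provisioning(user, settings):
        return group_tenants(user)
    return set(user.direct_tenants)


def provision(user: User, settings: Settings, tenant_dirs: dict) -> list:
    """Create the user in each effective tenant that does not already have it.
    tenant_dirs maps tenant name -> set of existing account emails.
    Returns the tenants where a new account was created (never a duplicate)."""
    created = []
    for tenant in sorted(effective_tenants(user, settings)):
        accounts = tenant_dirs.setdefault(tenant, set())
        if user.email not in accounts:
            accounts.add(user.email)
            created.append(tenant)
    return created


def demo() -> dict:
    """Walk an imported user through the switch to group provisioning."""
    settings = Settings()
    ops = Group("ops", frozenset({"tenant-a", "tenant-b"}))
    # Constructed sample: alice already exists locally in tenant-a and is imported.
    tenant_dirs = {"tenant-a": {"alice@example.com"}, "tenant-b": set()}
    alice = User("alice@example.com", direct_tenants={"tenant-a"})

    results = {}
    # Fresh import: Direct Tenant Access is on, so she keeps tenant-a only.
    results["after_import"] = sorted(effective_tenants(alice, settings))
    # Admin enables the org-wide toggle: no groups yet, so access is suspended.
    settings.group_provisioning_for_all_users = True
    results["suspended"] = is_suspended(alice, settings)
    # A group covering tenant-a is assigned: access resumes through the group.
    alice.groups.append(ops)
    results["after_group"] = sorted(effective_tenants(alice, settings))
    # Provisioning creates her only in tenant-b; tenant-a already has her.
    results["created"] = provision(alice, settings, tenant_dirs)
    return results


if __name__ == "__main__":
    print(demo())
```

The `is_suspended` check is the edge case worth testing before enabling the org-wide toggle: any imported user whose groups do not cover their original tenant loses access the moment the toggle is flipped, so build and assign the groups first.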
Refer to the community Table Talk for more information about user groups and how to configure them in OneID.