15.2 Configuring attribute groups and access control

You set up attribute groups and assign privileges in the Access control menu. From the Central console main menu, click Security.

The configuration page for each type of user is displayed as a table. The menu buttons in the column headers expand the table. Depending on which column is ``active'', you can perform the following actions:

Search

Find and display one or more items matching search criteria.

Details

See the details of an item. For example, click Details next to an attribute group to see its member attributes, and which users and user groups are assigned privileges for it. You will then be able to perform actions related to the attribute group.

Add

Add a user group or attribute group.

Include ...

Include members to user or attribute groups. Depending on which column is active, you can assign an individual item to multiple groups, or multiple items to a group.

Remove

Remove an individual user or attribute from a group.

Delete

Deletes a group, but not its members.

Assign ...

Assign privileges. Depending on which column is active, you can assign a user group privileges for multiple attribute groups, or assign multiple user groups privileges for an attribute group.

Update

Change the privileges, description, or display type for a group.

Restore

Undo changes.

To configure attribute groups:

1. Log in and navigate to the Access control menu.

2. Click the attributes option for Authorizers, Requesters, or Recipients.

   ID-Synch displays the Access control management page with a table of options that allow you to view and configure groups and access.

3. Click a menu button to expand the table and proceed to:
   • Add an attribute group

   • Add attribute group members

   • Assign attribute group privileges to user groups

   • Add user groups

   • Add members to user groups

15.2.1 Adding an attribute group

Add attribute groups so that you can assign read and write permissions to groups of users. An attribute group can consist of one or more attributes.

To add an attribute group:

1. Access the Attribute groups menu table for any of the groups of users (authorizers, requesters, or recipients).

   See HERE for more information.

2. Type an ID and Description to identify the new attribute group.

3. Click Add.

   ID-Synch displays the new attribute under the Search results in the Attribute groups column. By default, the new group's Display type is Subsidiary

4. If required, change the Display type to:
   • Main to have the attributes display on the main page for new account requests.
   • Subsidiary to have the attributes display on a separate page.
   • None to not display the attributes at all.
   See HERE for more information about display types.

• Add attribute group members

• Assign privileges for attribute groups

15.2.2 Adding attribute group members

You must have request attributes set up in ID-Synch before you can add them as members to an attribute group. See HERE to learn how to do this.

You can add:

• Multiple members to an attribute group from the Attribute group menu
• A selected attribute to multiple groups from the Attributes menu

For conciseness, this section explains how to use the Attribute group menu only. The procedures are similar.

To add attributes to an attribute group:

1. Highlight the group in the Attribute groups column.

   If you just added the group, it should be highlighted already . If not:

   1. Access the Attribute groups menu table for any of the groups of users (authorizers, requesters, or recipients).

      See HERE for more information.

   2. Type search criteria and click Search.

   3. If a list of of attribute groups displays, click Details next to the group to which you want to add members.
2. In the Attributes column, click Include...

   ID-Synch displays a list of all available attributes.

3. Enable the check boxes for the attributes you want to include, and click Add.

   ID-Synch displays the attributes in the Attributes column. You can remove attributes by enabling the check boxes next to their ID and clicking Remove.

15.2.3 Assigning attribute group privileges to user groups

Assign privileges to groups of authorizers, requesters, and recipients to determine who can see and edit certain request attributes.

You can assign write-only privileges, for example, to attributes that are private,

For example, you could assign groups of recipients, requesters, and authorizers the rights to view certain attributes, but only allow authorizers to edit them. You could also allow recipients to view private information, while giving authorizers write-only permissions.

Note:

When a group of users is assigned write-only privileges to attributes with restricted or boolean values, they in effect cannot view or edit those attributes. If you require a user type to be able to edit attributes with restricted or boolean values, you must assign them read/write privileges.

You can assign:

• Multiple user groups to an attribute group from the Attribute group menu
• A selected user group to multiple attribute groups from the $<$User$>$ group menu

For conciseness, this section explains how to use the Attribute group menu only. The procedures are similar.

To assign privileges for groups:

1. Highlight the group in the Attribute groups column.

   If you just added the group, it should be highlighted already. If not:

   1. Access the Attribute groups menu table for any of the groups of users (authorizers, requesters, or recipients).

      See HERE for more information.

   2. Type search criteria and click Search.

   3. If a list of of attribute groups displays, click Details next to the attribute group to which you want to add members.
2. In the $<$User$>$ group column, click Assign...

   ID-Synch displays a list of all available IDs.

3. Enable the check boxes for the user group you want to include, and click Add.

   ID-Synch displays the groups in the $<$User$>$ group column. You can remove members by enabling the check boxes next to their ID and clicking Remove.

15.2.4 Adding user groups

Add user groups so that you can set up permissions for one or more authorizers, requesters, or recipients.

To add a user group:

1. Access the $<$User$>$ groups menu table for the type of user you want to manage.

   See HERE for more information.

2. Type an ID and Full name to identify the new authorizer group.

3. Click Add.

   ID-Synch displays the new group under the Search results in the $<$User$>$ groups column.

• Add authorizer group members

• Assign privileges for attribute groups

15.2.5 Adding members to user groups

Any user can be added to a requester or recipient group, and automatically belong to the All requesters and All recipients groups.

You must have authorizers set up in ID-Synch before you can add them as members to an authorizer group. See HERE to learn how to do this. All authorizers automatically belong to the All authorizers group.

You can add:

• Multiple members to an group from the Authorizer group menu
• A selected authorizer to multiple groups from the Authorizers menu

For conciseness, this section shows you how to use the $<$User$>$ groups menu only. The procedures are similar.

To add users to a user group:

1. Highlight the group in the $<$User$>$ groups column.

   If you just added the group, it should be highlighted already. If not:

   1. Access the $<$User$>$ groups menu table for any of the groups of users (authorizers, requesters, or recipients).

      See HERE for more information.

   2. Type search criteria and click Search.

   3. If a list of of user groups displays, click Details next to the user group to which you want to add members.
2. In the $<$Users$>$ column, click Include...

   ID-Synch displays a list of all available authorizers.

3. Enable the check boxes for the authorizers you want to include, and click Add.

   ID-Synch displays the authorizers in the authorizers column. You can remove authorizers by enabling the check boxes next to their ID and clicking Remove.