Groups and group policies
Groups and group policies are among the key objects used to manage user accounts and user-related settings. Groups are used, for example, in access management and authorisation to refer to multiple user accounts.
Groups
Groups in Trivore Identity Service (TIS) can contain users, contacts, targets, and other groups. Groups also tie together group policies and roles to user accounts. When a user account belongs to a group, all the roles and policies in the same group will affect the user account. This also applies recursively to groups that belong to other groups.
Groups can be managed in the Web UI or the REST API. For more information on how to use the REST API for group management, see Management API.
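The recursive inheritance described above can be audited offline by walking the group nesting and recording which chain of groups grants each role or policy. The following is an added example, not TIS code or its API: the data model, all group, role and policy names, and the loop guard are assumptions made for illustration, and the sketch does not model how overlapping policy settings are combined.

```python
from collections import deque

# Constructed sample data; every name below is hypothetical, not a TIS export.
GROUP_PARENTS = {            # group -> groups it belongs to
    "helpdesk": ["support"],
    "support": ["staff"],
    "staff": [],
    "ops": ["admins"],
    "admins": ["staff", "ops"],   # deliberate loop ops <-> admins
}
GROUP_ROLES = {"helpdesk": ["ticket-read"], "support": ["ticket-write"],
               "staff": ["intranet"], "ops": ["deploy"],
               "admins": ["namespace-admin"]}
GROUP_POLICIES = {"staff": ["ui-language"], "admins": ["strong-password"]}
USER_GROUPS = {"alice": ["helpdesk"], "bob": ["ops"]}


def membership_paths(direct_groups):
    """Map each group reached through nesting to the shortest chain leading to it."""
    paths = {}
    queue = deque((g, (g,)) for g in direct_groups)
    while queue:
        group, path = queue.popleft()
        if group in paths:        # already visited: also stops membership loops
            continue
        paths[group] = path
        for parent in GROUP_PARENTS.get(group, ()):
            queue.append((parent, path + (parent,)))
    return paths


def effective_access(user):
    """Return (roles, policies), each mapping a name to the chain that grants it."""
    roles, policies = {}, {}
    for group, path in membership_paths(USER_GROUPS.get(user, [])).items():
        for role in GROUP_ROLES.get(group, ()):
            roles.setdefault(role, path)
        for policy in GROUP_POLICIES.get(group, ()):
            policies.setdefault(policy, path)
    return roles, policies


def indirect_holders(role):
    """Users who hold `role` only through nested groups (chain longer than one)."""
    found = {}
    for user in USER_GROUPS:
        path = effective_access(user)[0].get(role)
        if path and len(path) > 1:
            found[user] = path
    return found


if __name__ == "__main__":
    print(indirect_holders("namespace-admin"))
```

Reviewing the chains returned by `indirect_holders` for privileged roles shows which nested memberships grant access that is not visible from a user's direct groups.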
Group policies
Group policies can be used to configure many user-related attributes for one or more user accounts at a time. As the name suggests, a group policy is tied to one or more groups, which in turn contain one or more user accounts.
Group policies contain settings such as default context, IP address restrictions, OpenID sign-in restrictions, password security, and language. Each setting can be individually activated, so it is possible and often recommended to create a group policy that has only a small number of active settings. For example, you may create one group policy that sets the language of the UI for a set of users and another group policy that defines how strong a password users must have. As group policies and roles are tied together, it is also possible to enforce that admin users use stronger passwords than the rest of the users. This is a nice example of how flexible structures like these can be used for many use cases.
Group policies can be managed in the Web UI under the main menu selection “Group Policies”. For more information on how to do this, see Main Menu: Group Policies.
Namespace default user account policy
In addition to the group policies, each namespace can define a default account policy, which is used to configure default values for all user accounts within the namespace. The namespace default account policy differs from group policies in two ways. The main difference is that all the properties in the default account policy are always active and affect all user accounts. Additionally, the default account policy contains some properties that are not found in group policies.
The default user account policy allows setting roles for all user accounts in the namespace. This can be useful in situations where all the administrator or customer support user accounts are in one single namespace and they all should have the same base set of roles and permissions.