4.7 Administrative groups

Administrative groups enable an operator to manage user accounts located in MyID groups anywhere within the group hierarchy, including groups that are not directly connected to the operator’s home group.

Prior to enabling administrative groups, scope (see section 4.5, Scope and security) always relates to an operator’s home group. Once administrative groups have been enabled, scope is extended to include additionally specified administrative groups as well as the home group.

Note: Administrative groups only affect workflows with a Department or Division scope, and are not available for group management workflows; for example, Amend Group or Edit Group.

4.7.1 Configuration settings

From the Configuration category, select Security Settings. The Allow Administrative Groups option is on the Process tab.

4.7.2 Assigning Administrative Groups

From the People category, select the Add Person or Edit Person workflow.

An Administrative Groups option is displayed immediately below the Group field:

This displays the number of administrative groups assigned to this person. Hovering on the text box displays the names of the groups assigned.

Click the text box or icon to open the Administrative Groups dialog, which lists the fully qualified path to all the groups assigned to the person:

The OK button keeps any changes and returns you to the workflow. Changes made here are committed to MyID only when the person’s record is saved; that is, when the Add Person or Edit Person workflow is completed.

The Cancel button closes the dialog without making any changes.

4.7.3 The Select Group dialog

The Select Group dialog appears in a number of places where the operator needs to select a single group.

If the Allow Administrative Groups option is set to Yes and the operator has been assigned one or more administrative groups, the operator will see an extra root node named Administrative Groups in all workflows where scope is greater than Self.

For example, the above dialog is shown to an operator who has Department scope in a particular workflow, as well as having administrative groups assigned to them. The operator has a home group of Administration, and two of their administrative groups are mapped to the LDAP directory (Country A and Country B).

When using the Select Group dialog, the operator could be searching either the MyID database or the LDAP directory.

4.7.4 The Find Person stage

If the Allow Administrative Groups option is set to Yes:

Note: If you are using administrative groups to search the LDAP directory, your own account must be a member of the LDAP directory too.

4.7.5 The View Person workflow

The View Person workflow shows how many administrative groups a user has been assigned, and displays the names of those groups when the mouse hovers over the text box.

Click on the text box or icon to open a read-only version of the Administrative Groups dialog, which lists the fully qualified path to all the groups assigned to the person. The grayed-out rows refer to groups that are not within the scope of the operator.

4.7.6 Group management

If a MyID group is deleted, the system will remove that group from the scope of all existing operators.

If a MyID group is moved, operators who have been assigned that group as an administrative group will continue to have that administrative group. The sub-groups available to the operators are always calculated from the latest group structure.

If a MyID group has role restrictions, these restrictions only apply to operators with the group as their home group, and are not applied to an operator who is assigned the group as an administrative group.

4.7.7 The Import Account Details dialog

When using the Add Person workflow to add a person to MyID, you can retrieve user details from the LDAP directory by clicking on the Import button on the Account tab. If the operator has been assigned administrative groups that map to LDAP directory OUs, a second Administrative Groups node is shown with a list of their mapped administrative groups.

4.7.8 Scope calculations

When an operator enters a workflow, the effective scope for that operator (that is, which users the operator can see) is the combination of the scopes granted by all of the operator's roles that include that workflow.

For example, Margaret’s home group is Support in Country A and she has been given:

If Margaret enters a workflow such as Issue Card that is part of the Issuer role, but not part of the Registrar role, her effective scope would be Department.

She would be able to manage her own Group and any Administrative Groups that she had been allocated (Country B and Country C). She cannot manage any child groups of these groups, so she cannot issue a card for someone in the Development group of Country C.

If she enters a workflow such as Edit Person which is included in the Registrar role, but not in the Issuer role, her effective rights would be Division. Now child groups are visible.

If a workflow is in both roles then, as rights are additive, she would have Division rights.
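The scope rules from sections 4.7.6 and 4.7.8 can be expressed as a small model. The following is an added illustration written for this page, not MyID code, and it does not reflect how MyID stores groups or roles internally. It assumes, as the worked example above implies, that Margaret's Issuer role grants Department scope on Issue Card, that her Registrar role grants Division scope on Edit Person, that both roles include a hypothetical workflow named "Shared Workflow", and that her administrative groups are Country B and Country C; the group tree (Country A/Support, Country B/Sales B, Country C/Development) is constructed for the example. It shows the effective scope being the highest scope across the operator's roles, Department scope stopping at the home and administrative groups themselves, Division scope adding sub-groups computed from the current structure (so a moved group stays in scope and its sub-groups follow it), and a deleted group being removed from every operator's administrative groups.

```python
"""Constructed model of MyID administrative-group scope rules (not MyID code)."""
from __future__ import annotations

from dataclasses import dataclass, field

# Scope levels from lowest to highest, as used in section 4.7.8.
SCOPE_ORDER = {"Self": 0, "Department": 1, "Division": 2}


class GroupTree:
    """Minimal group hierarchy: each group has a unique name and an optional parent."""

    def __init__(self) -> None:
        self._parent: dict[str, str | None] = {}

    def add(self, name: str, parent: str | None = None) -> None:
        if parent is not None and parent not in self._parent:
            raise KeyError(f"unknown parent group {parent!r}")
        self._parent[name] = parent

    def __contains__(self, name: str) -> bool:
        return name in self._parent

    def children(self, name: str) -> set[str]:
        return {g for g, p in self._parent.items() if p == name}

    def descendants(self, name: str) -> set[str]:
        """All sub-groups, recalculated from the current structure on every call."""
        found: set[str] = set()
        stack = [name]
        while stack:
            for child in self.children(stack.pop()):
                if child not in found:
                    found.add(child)
                    stack.append(child)
        return found

    def path(self, name: str) -> str:
        """Fully qualified path, e.g. 'Country C/Development'."""
        parts: list[str] = []
        cur: str | None = name
        while cur is not None:
            parts.append(cur)
            cur = self._parent[cur]
        return "/".join(reversed(parts))

    def move(self, name: str, new_parent: str) -> None:
        """Re-parent a group; assignments of it as an administrative group are untouched."""
        if new_parent == name or new_parent in self.descendants(name):
            raise ValueError("cannot move a group beneath itself")
        self._parent[name] = new_parent

    def delete(self, name: str, operators: list[Operator]) -> None:
        """Delete a group and its sub-groups and drop them from every operator's scope."""
        doomed = self.descendants(name) | {name}
        for g in doomed:
            del self._parent[g]
        for op in operators:
            op.admin_groups -= doomed


@dataclass
class Operator:
    home_group: str
    admin_groups: set[str] = field(default_factory=set)
    # role name -> {workflow name: scope that role grants for the workflow}
    roles: dict[str, dict[str, str]] = field(default_factory=dict)


def effective_scope(op: Operator, workflow: str) -> str | None:
    """Scopes are additive, so the result is the highest scope of any role including the workflow."""
    granted = [wf[workflow] for wf in op.roles.values() if workflow in wf]
    if not granted:
        return None  # no role gives this operator the workflow
    return max(granted, key=SCOPE_ORDER.__getitem__)


def visible_groups(tree: GroupTree, op: Operator, workflow: str,
                   allow_admin_groups: bool = True) -> set[str]:
    """Groups whose members the operator can manage in the given workflow."""
    scope = effective_scope(op, workflow)
    if scope in (None, "Self"):
        return set()  # Self scope: only the operator's own record, no groups
    roots = {op.home_group}
    if allow_admin_groups:  # the Allow Administrative Groups security setting
        roots |= {g for g in op.admin_groups if g in tree}
    if scope == "Department":
        return roots  # home and administrative groups only, no child groups
    # Division: child groups are visible, computed from the latest structure.
    return roots | {d for r in roots for d in tree.descendants(r)}


def build_example() -> tuple[GroupTree, Operator]:
    """Constructed tree and operator matching the Margaret example (assumed roles)."""
    tree = GroupTree()
    for name, parent in [("Country A", None), ("Support", "Country A"),
                         ("Country B", None), ("Sales B", "Country B"),
                         ("Country C", None), ("Development", "Country C")]:
        tree.add(name, parent)
    margaret = Operator(
        home_group="Support",
        admin_groups={"Country B", "Country C"},
        roles={"Issuer": {"Issue Card": "Department", "Shared Workflow": "Department"},
               "Registrar": {"Edit Person": "Division", "Shared Workflow": "Division"}},
    )
    return tree, margaret


if __name__ == "__main__":
    tree, margaret = build_example()
    for wf in ("Issue Card", "Edit Person", "Shared Workflow"):
        print(wf, effective_scope(margaret, wf), sorted(visible_groups(tree, margaret, wf)))
    tree.move("Country C", "Country A")  # moved group stays assigned; sub-groups follow it
    print(tree.path("Development"), sorted(visible_groups(tree, margaret, "Edit Person")))
    tree.delete("Country B", [margaret])  # deleted group leaves every operator's scope
    print(sorted(margaret.admin_groups))
```

Running the script prints Department scope for Issue Card (Support, Country B and Country C but not Development), Division scope for Edit Person and the shared workflow (sub-groups included), then shows Development still visible after Country C is moved under Country A, and Country B gone from Margaret's administrative groups after it is deleted.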