Manage groups

A Group is a collection of Users who have the same authorizations. By defining a Group you can give all the Users in the Group the same authorizations collectively. Likewise, when you update the authorizations of a Group, the authorizations of each member of the Group are affected.

Overview

Users who are members of several Groups that own the same Safe will have either the authorizations of the first group that was added as an Owner to a Safe, or a combination of the authorizations of all the groups that they belong to, depending on how the Vault is configured. However, if the user is an independent Owner of the same Safe, the user's own authorizations will override those of the Group. For more information, refer to Group authorizations.

Users who are listed in an LDAP-compliant enterprise directory can be added as group members transparently by the Vault, depending on their location in the directory. These users benefit from the same authorizations as group members created directly in the Vault. For more information, see Configure transparent user management using LDAP.

You can create groups, manage group members, and delete groups.

During PVWA installation, groups that are required for the PVWA are created automatically. For more information, refer to The PVWA environment.

Create a new group

Create a new user group in the PVWA.

To create a new group:

  1. From the Tools menu, select Administrative Tools, and then Users and Groups; the Users and Groups window appears.

  2. In the hierarchy, select the location where the new group will be created.

  3. Click New, then select Group; the New Group window appears.

  4. Enter the Group Name and Description of the group.

     

    You can specify a group name that contains up to 128 characters. Make sure that the first 28 characters are unique to the group name.

  5. You can either add users to the group immediately, or click OK to create the group and add users later.

Manage group members

Add a member to a new or existing group, and remove a member from a group.

To add a member to a new group:

  1. In the New Group window, click Add; the Add Members window appears.

  2. Select the User to add, or click Expand List to display all users who share Safes with you (‘known users’), then click the arrow to move him to the Group Members list. Repeat this process to add each member of the Group.

     

    In the Selected User(s) window, you can also type in the name of a User.

  3. Click OK; the Group appears in the hierarchy list in the Users and Groups window.

To add a member to an existing group:

  1. In the Users and Groups window, select the group to update, then click Update; the Update Group window appears.

  2. Click Add; the Add Members to Group window appears.

  3. Select the User to add to the group or type their name, then click the arrow to move him to the Group Members list. You can add as many Users as you wish.

  4. Click OK to return to the Update Group window and display the members of the group.

To remove a member of a group:

  1. In the Users and Groups window, select the Group that the user belongs to, then click Update; the Update Group window appears.

  2. In the Members list, select the user to remove, then click Remove; a warning box appears prompting you for confirmation.

  3. Click Yes to remove the User from the Members list.

     

    Click Remove All to remove all the Users from the list.

Update group properties

You can rename and update other group properties.

To update the properties of a group:

  1. From the Tools menu, select Administrative Tools, and then Users and Groups; the Users and Groups window appears.

  2. In the hierarchy, select the Group to update, then click Update; the Update Group window appears.

  3. Add users to the Group or remove them, then click OK.

Group authorizations

Users who are members of several Groups that own the same Safe will have either the authorizations of the first group that the user was added to, or a combination of the authorizations of all the groups that they belong to, depending on the ‘GroupMergeAlgorithm’ parameter in the DBParm.ini file, as follows:

DenyOverrides – Users will benefit from a combination of all the authorizations granted to all the groups to which they belong.
FirstApplicable – Users will benefit from the authorizations that are specified in the first group that they were added to as a member.

Users that are also independent Owners of the same Safe will benefit from the authorizations specified in their individual user accounts, and not from those specified in the group definitions.
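
The three rules above can be modelled for an access review, for example to see which authorizations a user would gain if GroupMergeAlgorithm were set to DenyOverrides instead of FirstApplicable. This is an added example, not Vault or PVWA code: the data layout, function names and authorization labels are constructed, "first group" is taken from the order of the user's membership list, and "combination" is modelled as a set union.

```python
# Model of the Group authorizations rules as the page states them (added example).
ALGORITHMS = ("DenyOverrides", "FirstApplicable")

def effective_authorizations(user, safe, memberships, algorithm):
    """Return (source, authorizations) the user holds on one Safe.

    safe:        {"groups": {group: set}, "users": {user: set}}  (Safe owners)
    memberships: {user: [groups, in the order the user was added to them]}
    """
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unknown GroupMergeAlgorithm: {algorithm!r}")
    # An independent Owner gets the individual authorizations, not the groups'.
    if user in safe["users"]:
        return "user", frozenset(safe["users"][user])
    # Groups the user belongs to that own this Safe, in membership order.
    owning = [g for g in memberships.get(user, []) if g in safe["groups"]]
    if not owning:
        return "none", frozenset()
    if algorithm == "FirstApplicable":
        return owning[0], frozenset(safe["groups"][owning[0]])
    # DenyOverrides: "combination" is modelled as a set union (assumption).
    merged = frozenset().union(*(safe["groups"][g] for g in owning))
    return "+".join(owning), merged

def gained_by_merging(user, safe, memberships):
    """Authorizations a user has under DenyOverrides but not FirstApplicable."""
    _, merged = effective_authorizations(user, safe, memberships, "DenyOverrides")
    _, first = effective_authorizations(user, safe, memberships, "FirstApplicable")
    return merged - first

# Constructed sample data; Safe, group, user and authorization names are made up.
SAFE = {
    "groups": {"Auditors": {"list"}, "Operators": {"list", "retrieve", "use"}},
    "users": {"carol": {"list"}},
}
MEMBERSHIPS = {
    "alice": ["Auditors", "Operators"],   # added to Auditors first
    "bob": ["Operators"],
    "carol": ["Operators"],               # also an independent Owner of SAFE
}

if __name__ == "__main__":
    for user in MEMBERSHIPS:
        for algorithm in ALGORITHMS:
            print(user, algorithm, effective_authorizations(user, SAFE, MEMBERSHIPS, algorithm))
        print(user, "gains by merging:", sorted(gained_by_merging(user, SAFE, MEMBERSHIPS)))
```

In the sample data, alice is the only user whose access depends on the parameter, and carol's individual ownership leaves her with fewer authorizations than her group would give her.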