We now have an exciting new feature called User Groups! With User Groups, you are able to group many users within the same unit, and then using only that singular unit, apply it to several places within the portal such as Role-Based permissions, Customer Access, and Elevated Access. No more repetitive clicking of checkboxes, or completing the same action over and over again in a manual way. With User Groups, you set up the group, place the users within that group, and then apply it in one click. That's all!
Now, User Groups can be separated into two different classes:
- Custom User Groups
- Synced User Groups
Many of the concepts and features we will talk about in this article are shared between both types of groups. We'll first take a look at Custom User Groups and where to find Groups altogether.
NOTE: This new feature comes with new roles found within Role-Based Permissions. In order to access User Groups and all related User Group functionality, you will need to have the proper permissions set. This is also outlined in the Role-Based Permissions section of this article. See below:
Custom User Groups
Locating User Groups
- Log into your Evo Portal
- Click on "My Company" (or locate a customer you'd like to create a User Group for)
- Notice on the Left Side Bar, we have a new option to select called Groups!
- Click on Groups to be brought to the Groups Page
This page will display any and all Groups you've created, and house Synced Groups from your AD (more information on this further in the article). But for now, let's focus on creating Custom User Groups within your environment.
Creating a User Group
- On the Groups Page, click the "Create New Group" button.
- Enter a Group Name and a description (optional) and click Confirm/Next Step
- Optionally, add users to the group you've created and click done.
You've now created your first User Group! Let's see how you could manipulate this within the Groups Page.
Editing a User Group
- Click on the Group you just created to Edit the group.
- You should now see a list of your users and some options.
- Clicking "Edit Name" at the top right will allow you to edit the name of your group.
- Clicking "Add Members" will allow you to add more members to your group.
- Clicking the red "person" icon at the end of the user's row will remove the user from the group.
- Note: This will not delete the user, only remove the user from the group.
- Clicking the checkbox next to the user will reveal the Action dropdown menu with these options:
- Remove Members
- Convert to Admin
- Convert to user
- Turn MFA on
- Turn MFA off
- It is important to note that in order to complete any of these actions, your admin user must have the appropriate roles. Fortunately, you can use groups with Roles! Let's take a look at that now.
Adding a Role to a User Group
- On the User Groups page, click the Roles tab.
- You will now see the Roles Page within User Groups
- This page will display any and all Role groups applied to your User Group. Let's add a Role here so that this group and all users of this group have those permissions. Click Add Roles.
- Here, you will see a list of roles you have already created within your environment. Select a role (or roles) you'd like to add and click Save Changes!
- Note: If you do not see Roles here, this means you have not created any Roles within Role-Based Permissions. Please reference https://support.evosecurity.com/hc/en-us/articles/5513533555483-How-do-I-add-edit-or-delete-role-based-permission-groups-
Your User Group will now have those Role(s) and all permissions that come with them, so any users belonging within that User Group inherit this! Pretty neat, right?
What if you do not want a User Group anymore? Well, deletion is easy!
Deleting a User Group
- On the User Groups Page, click the trashcan icon next to the group. This will trigger the deletion feature.
- Note: Do be aware, any users that belong to this group will no longer have any associations that the group belonged to, so any roles, permissions or access that was granted by being part of this group is no longer applied to those users. Again, this will not delete your users, but the group they belong to.
Now that we've gone over the User Groups Feature, let's take a look at the places within the portal where the User Groups can be applied. We'll start with Role-Based Permissions.
User Groups in Role-Based Permissions
If you are not familiar with Role-Based Permissions, please refer to https://support.evosecurity.com/hc/en-us/articles/5513533555483-How-do-I-add-edit-or-delete-role-based-permission-groups-
We've added the ability to add a User Group within the Role-Based Permissions Create and Edit flow, take a look!
- Log into your Evo Portal
- Click on "Access"
- On the Role-Based Permissions Page, click "Create New Role Group"
- Add a name and an optional description
- On the "Select Permissions" step, notice that there are new roles created specifically for User Groups
- Apply the roles you'd like and click "Next"
- You will now notice a new step, titled "Select User Group". Here, you can optionally apply which User Group you'd like to the role. Once finished, click next.
- This is associated with the "Adding a Role to a User Group" section above.
- On the Final Step, Select Administrators, optionally select any other admins you'd like to apply these roles to.
- Do take note, these separate admins do not belong to the User Group, but can also be applied to the role within the same flow.
The same functionality exists within Editing the Role-Based Permissions groups as well. Simply click on the Role Group you've created, head to the User Groups step, and remove/add any other groups you'd like! Let's take a look at another section where User Groups exist, the Customer Access feature.
User Groups in Customer Access
If you are not familiar with Customer Access, please refer to https://support.evosecurity.com/hc/en-us/articles/5870817965723-How-do-I-manage-my-customer-access-permissions-
With User Group implementation in Customer Access, this flow has changed slightly, so let's take a look.
- Log into your Evo Portal
- Click on "Access"
- Click on the "Customer Access Tab"
- Notice that your Customer Access Table has changed slightly
- You no longer need to select a Customer and then select the users. Now, this is done within a wizard flow.
- Click on a Customer to edit that access.
- You'll now notice a "Select Groups" step. On this step, you can now select which User Groups will be able to have access to that customer. So all users belonging to this User Group will be granted access. Optionally, select your user group(s), and click Next Step.
- Optionally, select any additional users to be granted access to this customer. Then click Complete.
You've now added Customer Access to a User Group! There's one final place where User Groups have been implemented, and that's Elevated Access. Let's head there now.
User Groups in Elevated Access
If you are not familiar with Elevated Access, please refer to https://support.evosecurity.com/hc/en-us/articles/5879794238363-How-do-I-add-or-edit-an-elevated-assignment-
The flow here is the same, but with an added User Groups step.
- Log into your Evo Portal
- Click on "Access"
- Select the "Elevated Access" Tab
- Click the "Create Assignment" button
- Select "All Customers" or "Select Customers" (to be more granular) and click next.
- Name your Elevated Access Assignment and click next.
- Select the Domain Account you'd like to assign to the Elevated Assignment and click next.
- If you are unfamiliar with Domain Accounts, please refer to How do I add, or edit a Domain Account?
- You will now notice the "User Groups" Step. As with the previous features, optionally apply any User Groups you'd like to the Elevated Access Assignment and click next.
- Note: Be sure that the User Group you are assigning to the Elevated Access Assignment has the role "Can be an Elevated Admin", so that they can actually Elevate. If this role is not applied, then the users that belong within this group will not be able to Elevate. Same for individual users that could be added.
- On the Final step, add any additional users you'd like to the Elevated Access Assignment and click complete.
You've now added User Groups to an Elevated Assignment! If you wish to Edit the Assignment, you can do so as you would previously, and you can reach the User Groups step to add/remove any User Groups as you would normally. Now that we've wrapped up Custom User Groups, let's take a look at Synced User Groups!
Synced User Groups
Synced User Groups function quite similarly to Custom User Groups, however the key difference here is that the group is controlled by the AD and NOT the Evo Portal. These Groups are synced directly from your AD and in conjunction with the LDAP agent when you specify which groups you would like to sync over. Let's take a deeper dive here to understand how this works.
Security Groups in AD
In your AD, you likely have many different Security Groups created, and you likely have many different members that belong to them. Here's an example list of Security Groups and Users.
Currently, when you install the LDAP agent, and use the LDAPS agent settings editor, it asks you which group(s) you would like to sync over. You select those group(s) and those corresponding users belonging to those group(s) will be Synced over and housed on the People Page. However, with this feature, we will be releasing a new LDAP agent that will now also pull over those Synced Groups to the Groups page! Take a look at an example LDAP agent and what it looks like on the Groups Page and their Users!
NOTE: This new LDAP agent will be installed over the top of your current LDAP agent. Please do not uninstall your current LDAP agent.
As you can see, this new group has the type "Synced", indicating it's being managed from the AD. So in the portal, you are not able to manipulate this group. All users here are managed from the AD, so any changes you'd like to make to this group you must make in the AD, re-sync, and you'll see those changes reflected. Creating, Editing, and Deleting Groups and/or users from these groups is not applicable here.
Applying Synced Groups with Roles, Access, and Elevation
The great thing about Synced Groups is that they function the same way as Custom User Groups! Please refer to the above appropriate steps to achieve what you are looking for:
That about wraps up the new User Groups feature! Let's now check out some FAQs about this feature that can clear up some confusion.
FAQ
Question: Can my users belong to multiple User Groups?
Answer: Yes! Your users can belong to multiple User Groups! There are no restrictions here! They will inherit any and all roles that are applied to these groups, and all these roles and permissions will be cumulative. The same can be said for Synced User Groups, as users can belong to multiple security groups here. However, you are unable to remove those users from the groups from the portal. This must be managed from the AD.
Question: Does this mean our users can also belong to multiple Role groups?
Answer: Yes! We have removed the restriction that users can only belong to one role group. Users now can belong to multiple Role groups.
Question: Can I sync over nested groups?
Answer: Yes, however they will appear as "flat" groups in the portal on the Groups page. In the following screenshot, the group "spam10" is a nested group within "EvoSync1", however, they will appear as separate groups. If you were to unsync "EvoSync1", the group "spam10" will also be unsynced.
Question: So this means users that belong in nested groups also appear as users in the "parent" group?
Answer: Yes! Please refer to the first question in the FAQ.
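The inheritance rules described in this article (cumulative roles across groups, nested synced groups shown flat, and the "Can be an Elevated Admin" requirement for Elevated Access) can be modelled for an access review. This is an added example, not Evo Security code or a portal API: the data layout, the user names, the "Helpdesk" group and the "Manage User Groups" role are constructed assumptions, as is the choice that a role attached to a nested group applies only to that group's own members.

```python
ELEVATE_ROLE = "Can be an Elevated Admin"  # role name quoted in the article

# Constructed AD view: group -> (direct members, nested groups). The group
# names come from the FAQ; the users are made up.
AD_GROUPS = {"EvoSync1": ({"alice"}, ["spam10"]), "spam10": ({"bob"}, [])}
CUSTOM_GROUPS = {"Helpdesk": {"bob", "carol"}}  # constructed Custom group
# Constructed role groups: roles granted, user groups attached, admins added directly.
ROLE_GROUPS = {
    "Elevation": {"roles": {ELEVATE_ROLE}, "groups": {"spam10"}, "admins": set()},
    "Group Managers": {"roles": {"Manage User Groups"},  # hypothetical role name
                       "groups": {"Helpdesk"}, "admins": {"dave"}},
}

def flatten(ad_groups):
    """Portal view of synced groups: each group listed separately ("flat"),
    with a parent's membership including the members of its nested groups."""
    def members(name, seen):
        if name in seen:              # guard against circular nesting in AD
            return set()
        direct, nested = ad_groups[name]
        out = set(direct)
        for child in nested:
            out |= members(child, seen | {name})
        return out
    return {name: members(name, frozenset()) for name in ad_groups}

def portal_groups():
    """Synced and Custom groups side by side, as on the Groups page."""
    return {**flatten(AD_GROUPS), **CUSTOM_GROUPS}

def effective_roles(user, groups, role_groups):
    """Cumulative roles: union over every role group reached via a user group or directly."""
    roles = set()
    for rg in role_groups.values():
        if user in rg["admins"] or any(user in groups.get(g, ()) for g in rg["groups"]):
            roles |= rg["roles"]
    return roles

def cannot_elevate(assigned_groups, assigned_users, groups, role_groups):
    """Assignees of an Elevated Access Assignment who lack ELEVATE_ROLE."""
    people = set(assigned_users)
    for g in assigned_groups:
        people |= groups.get(g, set())
    return sorted(u for u in people
                  if ELEVATE_ROLE not in effective_roles(u, groups, role_groups))
```

Passing a copy of the group map with one group removed to `effective_roles` shows what each member loses when that User Group is deleted.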