User groups
A User group is a logical grouping of endpoint users in Xshield. Endpoint users are end users who access applications in the Xaccess private network from their user assets (laptops or desktops managed using the User Access Xshield agent). End users are granted access to the applications using Xaccess policies. You must integrate your Identity Provider (IdP) solutions or Active Directories (ADs) and fetch the details of the end-user identities.
User groups can be created using one or more of the following rationales: mode of access (Remote or Local to the protected applications), role of access (specific groups or departments in the organization), and level of access (stringent or relaxed Xaccess policies).
User group - grouping criteria
User groups can be created based on one of the following criteria.
Criterion | Description
Users | Users' metadata that is imported from the IdP or AD.
IdP/AD groups | Metadata imported for Groups (Security groups in Azure) or other equivalent native features of the IdP.
IdP/AD departments | Metadata imported for Departments (Departments in AD) or other equivalent native features of the IdP.
User groups | Other custom Xshield User groups.
Dynamic grouping rules and equivalent features in the IdP affect group membership. We recommend that you evaluate the impact of using the IdP's native dynamic grouping features for the groups and departments you select for Xaccess policies.
User Groups page
All Xshield User groups in an instance are listed on the User, Groups & Departments > Groups page. For each User group you can see the number of users and the type of group. Two types of User groups exist in Xshield.
- Imported - User groups fetched from the IdP or AD.
- Custom - User groups you create in Xshield by grouping the groups or departments fetched from the IdP or AD. See Examples.
Create custom User groups
Create custom User groups based on users, IdP User groups, IdP User departments, and even other custom User groups.
You cannot change the criteria used to create a custom User group after you create and save the group. Also, you cannot add users from IdP groups and departments to Local groups and vice-versa.
Examples
Example 1: A custom User group Fixed endpoint users for Local users from the Contractors, Temporary employees, and Part-time employees IdP groups and another group Mobile endpoint users for Remote users from the Sales, Engineering, and HR IdP departments.
Example 2: A custom User group Developer tools for users from the Dev and QA groups and another group Business utilities for users from all IdP groups.
Add to existing custom User groups
You can add Imported and Custom groups to an existing custom User group. Because Endpoint groups are made of User groups, adding User groups enables Xaccess policies for more users.
If the existing Xaccess policies are enforced, the enforcement automatically applies to the new User groups added to a custom User group.
Edit custom User groups
Edit a custom User group when you want to modify the criteria for the User group. Modifying the criteria may add or remove users from the group. Also, User groups are associated with Endpoint groups and the relevant Xaccess policies. So, we recommend that you evaluate the impact of the change before you edit User groups.
- On the User, Groups & Departments > Groups page, click a custom User group and click Edit in the fly panel.
Delete custom User groups and User departments
Delete custom User groups and/or User departments that you added to the instance when you no longer need them.
Before you delete a custom User group, you must remove all the users, groups, or departments in the User group. Also, if a deleted custom User group is part of an Endpoint group with enforced Xaccess policies, the relevant Xaccess policies are no longer applicable to the users, groups, or departments in the deleted User group.
- Click a custom User group and click Delete in the fly panel.
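The following is an added illustrative model, not Xshield code, of how custom User group membership resolves from imported IdP/AD metadata and of the impact checks recommended above before editing or deleting a group. It builds the two custom-group examples from the Examples section (plus one hypothetical nested group, "Engineering access") over a constructed sample of imported users, then answers two questions a practitioner wants before changing a group: which users would be added or removed by an edit, and which users would lose an Endpoint group's Xaccess policies if the User group were deleted. All user, group, and Endpoint group names are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset      # IdP/AD group names the user belongs to
    department: str        # IdP/AD department


@dataclass
class CustomGroup:
    """Grouping criteria of one custom User group (illustrative model, not Xshield's)."""
    name: str
    users: set = field(default_factory=set)            # individual users, by name
    idp_groups: set = field(default_factory=set)       # imported IdP/AD groups
    idp_departments: set = field(default_factory=set)  # imported IdP/AD departments
    user_groups: set = field(default_factory=set)      # other custom User groups, by name


# Constructed sample of an IdP import; names and attributes are hypothetical.
IDP_USERS = [
    User("alice", frozenset({"Contractors"}), "Engineering"),
    User("bob",   frozenset({"Dev"}), "Engineering"),
    User("carol", frozenset({"QA", "Part-time employees"}), "HR"),
    User("dave",  frozenset({"Temporary employees"}), "Sales"),
    User("erin",  frozenset({"Finance"}), "Finance"),
]
ALL_IDP_GROUPS = {g for u in IDP_USERS for g in u.groups}

# Custom User groups from the page's two examples, plus a hypothetical nested group.
CATALOG = {
    "Fixed endpoint users": CustomGroup("Fixed endpoint users",
        idp_groups={"Contractors", "Temporary employees", "Part-time employees"}),
    "Mobile endpoint users": CustomGroup("Mobile endpoint users",
        idp_departments={"Sales", "Engineering", "HR"}),
    "Developer tools": CustomGroup("Developer tools", idp_groups={"Dev", "QA"}),
    "Business utilities": CustomGroup("Business utilities", idp_groups=set(ALL_IDP_GROUPS)),
    "Engineering access": CustomGroup("Engineering access",
        idp_departments={"Engineering"}, user_groups={"Developer tools"}),
}

# Constructed Endpoint groups (names hypothetical): Endpoint group -> its User groups
ENDPOINT_GROUPS = {
    "Dev laptops": {"Developer tools", "Fixed endpoint users"},
    "Field laptops": {"Mobile endpoint users"},
}


def resolve(group_name, catalog=CATALOG, users=IDP_USERS, _seen=frozenset()):
    """Return the names of the users a custom User group currently covers."""
    if group_name in _seen:          # a cyclic nesting would otherwise recurse forever
        return frozenset()
    g = catalog[group_name]
    members = set(g.users)
    for u in users:
        # A user matches if any of their IdP groups or their department is a criterion.
        if u.groups & g.idp_groups or u.department in g.idp_departments:
            members.add(u.name)
    for nested in g.user_groups:     # membership of nested custom groups is inherited
        members |= resolve(nested, catalog, users, _seen | {group_name})
    return frozenset(members)


def edit_impact(group_name, new_criteria, catalog=CATALOG, users=IDP_USERS):
    """Dry-run an edit of a group's criteria: returns (users added, users removed)."""
    before = resolve(group_name, catalog, users)
    trial = dict(catalog)            # evaluate against a copy; the real catalog is untouched
    trial[group_name] = new_criteria
    after = resolve(group_name, trial, users)
    return after - before, before - after


def can_delete(group_name, catalog=CATALOG):
    """A custom group may be deleted only once every criterion has been removed from it."""
    g = catalog[group_name]
    return not (g.users or g.idp_groups or g.idp_departments or g.user_groups)


def delete_impact(group_name, endpoint_groups, catalog=CATALOG, users=IDP_USERS):
    """For each Endpoint group containing the group, the users who would lose its policies."""
    lost = {}
    for eg_name, member_groups in endpoint_groups.items():
        if group_name not in member_groups:
            continue
        before = set().union(*(resolve(n, catalog, users) for n in member_groups))
        after = set().union(*(resolve(n, catalog, users) for n in member_groups - {group_name}))
        if before - after:           # users covered only through the deleted User group
            lost[eg_name] = frozenset(before - after)
    return lost


if __name__ == "__main__":
    print(sorted(resolve("Engineering access")))
    print(edit_impact("Developer tools", CustomGroup("Developer tools", idp_groups={"Dev"})))
    print(delete_impact("Developer tools", ENDPOINT_GROUPS))
```

Because `edit_impact` and `delete_impact` evaluate against copies of the catalog, they can be run as a pre-change review: a user who appears in the "removed" set of an edit, or in the `delete_impact` result, is one whose Xaccess coverage depends solely on the group being changed, which is exactly the population the page asks you to assess before editing or deleting.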
Next steps
- Group one or more User groups into an Endpoint group.
- Create Access policies between Endpoint groups and Workload groups, Domain groups, and Network groups.