Groups are defined subsets of users or groups. Groups can be created manually or imported. They are also created automatically when importing users.


NOTES:

- Limit the number of groups to a maximum of 750. The number of groups influences the performance of the system.

- Although you can nest groups, we strongly advise you to limit this to the absolute minimum.


Assign a role


When you edit or create a new group, you need to assign one or more roles. Assign roles to a group to give its members specific permissions on the system, e.g. give the student group the member role and create a teachers group with the moderator role.


Select a role in the left column and click on >> to assign the role to the (new) group. Click Add to commit your work, or continue with Members to add members.

Add members

Select the Members tab and click Add to add members or groups to this group.

Select group or user and start typing in the Name field. Existing groups/members will be suggested.



Extended permissions

Extended permissions were introduced in version 6.1. Select a user and click on Extended permissions.

Now you can select whether the member can add and/or remove group members.



You can recognize users with extended permissions via the icon on the right side.



Users with extended permissions will see the Administration menu - User management.




Import groups

Create or download an example CSV file in the following format to bulk import/create users into groups.


group,role,username,isgroup,action
group1,member,user1,FALSE,import
group1,member;publisher,user2,FALSE,delete
group1,member,||6e5ffbfe-404b-4b2c-91c2-888f250a2fa0,FALSE,import
group2,member;publisher,||469a1875-dbcc-475c-8560-66c16dfe46d7,FALSE,delete
group1,,||userid,FALSE,delete
group1,,group2,TRUE,import
group1,,group3,TRUE,delete
group1,,group4,TRUE,delete
group2,,*,,delete


NOTE: The last line in the example above will delete all users from the group.




Use the isgroup parameter to nest groups within groups. Groups that are not yet registered will automatically be created.


In SAML mode, identifying users by username or email address might not always identify the user uniquely. That’s why we use Username, Email address and eduPersonTargetedID. This means you can use either the username alone, the username and email address, or the eduPersonTargetedID, username and email address in the username column.

So:

Group,role,Username,isgroup

Group,role1;role2,Username|emailaddress,isgroup

Group,role2,EdupersonTargetedID|Username|emailaddress,isgroup


If you are in a federated environment and allow access to users from other organizations, and you cannot guarantee that these users have one unique email address per organization (for example, if organizations allow Hotmail addresses), you should also use EdupersonTargetedID in your CSV files.


NOTE: SAML authenticated servers need to add additional information when removing users in bulk, since the unique username is now a combination of 3 attributes.

E.g.:

group1,member,| |uid01,false,delete
group2,member,|email@address.eu|,false,delete
group3,publisher,ae234356f2123bbc6395339c364cdba5674cd1fc||, false,delete
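
A pre-import check for the CSV format described above, added here as an example and not part of the product. The function name lint_import, the finding codes and the saml_mode switch are assumptions for illustration, as is treating a SAML-mode delete row without "|" as incomplete; the sample rows are constructed in the page's format.

```python
import csv
import io

MAX_GROUPS = 750  # limit stated in the notes on this page

# Constructed sample input in the page's column format (not real data).
SAMPLE = """group,role,username,isgroup,action
group1,member,user1,FALSE,import
group1,member;publisher,user2,FALSE,delete
group1,,group2,TRUE,import
group2,,*,,delete
group3,publisher,ae234356f2123bbc6395339c364cdba5674cd1fc||,false,delete
"""


def lint_import(text, saml_mode=False):
    """Return (findings, group_count) for a group-import CSV."""
    findings, groups = [], set()
    reader = csv.DictReader(io.StringIO(text))
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        row = {k: (v or "").strip() for k, v in row.items()}
        name, action = row["username"], row["action"].lower()
        is_group = row["isgroup"].upper() == "TRUE"
        groups.add(row["group"])
        if name == "*" and action == "delete":
            # Wildcard delete empties the whole group (see the NOTE above).
            findings.append((line_no, "WIPE", f"removes all users from {row['group']}"))
        elif is_group and action == "import":
            # Nested groups are discouraged; unregistered ones get created.
            groups.add(name)
            findings.append((line_no, "NEST", f"nests {name} in {row['group']}"))
        elif saml_mode and action == "delete" and not is_group and "|" not in name:
            # Assumption: SAML bulk deletes need the '|' separated attributes.
            findings.append((line_no, "SAML", f"'{name}' lacks '|' separated attributes"))
    if len(groups) > MAX_GROUPS:
        findings.append((0, "LIMIT", f"{len(groups)} groups exceeds {MAX_GROUPS}"))
    return findings, len(groups)


if __name__ == "__main__":
    for line_no, code, message in lint_import(SAMPLE, saml_mode=True)[0]:
        print(f"line {line_no}: {code}: {message}")
```

Running the check before every bulk import gives a reviewer the chance to confirm each WIPE and NEST row is intended.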



Automatic groups in SAML2

If you use SAML2 as authentication provider, you can use the eduPersonAffiliation attribute to grant membership of groups based on the affiliation. Affiliation attributes often used (e.g. in OpenConext) are “Employee” and “Student”.


When you create a group affiliation.Employee, a user logging in with the eduPersonAffiliation attribute set to Employee will automatically become a member of that group. Similarly, you can use the group affiliation.Student to detect users with the eduPersonAffiliation attribute set to Student.


As with the Authenticated Users and Anonymous Users groups, membership of that group is automatic and you don't have to add users to it.