cancel
Showing results forย 
Search instead forย 
Did you mean:ย 

Automation on user groups

rnayakjc
JumpCloud Alumni
JumpCloud Alumni

In our previous post, we discussed how users could be added or removed from a group based on  suggestions. This approach works well on groups that are used for admin privileges on a device or a custom role that needs to be provisioned for an application. However, there may be groups in your environment for which you would prefer automated provisioning. JumpCloud is introducing  Automated Group Membership as a feature in Beta. With this feature, you may choose to automate certain base-level accesses using groups and still continue to review groups that control higher privileges with a controlled setting on the group. 

However, this feature raises some questions:

  1. Can I still continue to add users manually to these automated groups?
  2. Does automation apply to all users present in a group? What about users already present in the group?
  3. Should I add users that need access to the group or the ones that do not need access to the group as an exemption to the automated group?
  4. What happens to the automated group when I switch back to suggestions?

With the below scenarios, I would like to walk through how to help determine if users would remain part of the group 

  • Jason is bound to the Denver group but has recently relocated to Chicago. He still needs certain resources that are associated with the Denver group. If Jason is added to the User Exemption List, he will remain in the group though his Location has changed from โ€œDenverโ€ to โ€œChicago.โ€ If he is not added to the User Exemption List, Jason will be instantly removed from the Denver group when the admin updates his Location in User Details.
  • Mark is bound to the Denver group, and his Location is โ€œDenver.โ€ He will stay in the group regardless of the User Exemption List.
  • Stacy is not bound to the Denver group. If Stacy is added to the User Exemption List, she will never be added to the Denver group. If Stacy is not added to the User Exemption List, she will be instantly added to the Denver group when the admin adds โ€œDenverโ€ as her location.

rnayakjc_0-1670529696141.png

 

Depending on the attribute associated with the user they would remain in,  or be removed from the automated group. Exemptions provide guard-rails around who must stay in or be removed from a group if the user does not contain the attribute governed for the group. This should be applied with extreme discretion, for example  in scenarios where users should get access to a certain resource for troubleshooting or if temporary access is required for a previously existing user from a group. Currently, JumpCloud places  a limit of 25 exceptions per group. In the case of a user having the attribute governed by the group, an exemption will actually remove the user from the group, as seen in the above scenario for Stacy when added as an exemption with location=Denver. Below we answer the frequently asked questions you posed: 

  1. Can I still add users manually to these automated groups? - Yes, you can still add users manually to these automated groups. They will persist if their attributes match the governing criteria of the group and exemption rules for the group.
  2. Does automation apply to all users present in a group? get automated? What about the users already present in the group? - All users in the group previously, currently, or in the future would be subject to automation.
  3. Should I add users that need access to the group or the ones that do not need access to the group as an exemption to the automated group? - We suggest adding users that need access and do not match the governing condition on the group to be added as an exemption. 
  4. What happens to the automated group when switched back to suggestions? - The group will provide suggested users going forward, with no change to already-applied group members.
  5. Can the exemption limit be increased on the group? - Contact us if you need this.

In the future, we will use distinct states of Automated, Suggested, and Manual as settings on a group to be determined before you would like to set a rule for the group so that admins can set these based on the resources they authorize with intent and clarity. Watch this space for more developments in Smart Authorization using groups.

You can find more details about how to use this feature in the KB doc here.

4 REPLIES 4

gabrieldmeida
Novitiate I

Hi.

I've tried the setup, but I still need help. Is it possible when adding a user I don't need to click on the "Updated affiliation suggestion" option?

The idea is that when I add a user in Jumpcloud, it will automatically be included in the groups (without having to click on this option).

It's possible?

gabrieldmeida_0-1672277937642.png

 

 

rnayakjc
JumpCloud Alumni
JumpCloud Alumni

You can choose to select the automation membership suggestion ON over the group, this toggle can be found on the user tab of the group. 

rnayakjc_1-1672331959095.png

Once turned on, you would not be needed to review the suggestions as desired.

 

Hi,

The option "Automate Membership Suggestions On" not is viewer in my painel.

gabrieldmeida_0-1672673420411.png

 

This feature is in beta. Can you reach out to your Account Manager to have it enabled in your organization?