cancel
Showing results for 
Search instead for 
Did you mean: 

Benefits of group membership suggestions

rnayakjc
JumpCloud Alumni
JumpCloud Alumni

Attribute-Driven Groups enable administrators to employ user attribute value conditions to govern the membership of user groups. ​​​​​This is instrumental in ensuring only the right users get authorized to a resource via being added to or removed from the group.

Conditions enable allow membership suggestions for the group based on rules using the operators and the below attributes we support.

  • Company
  • Cost Center
  • Department
  • Description
  • Employee Type
  • Job Title
  • Location

Benefits of Membership Suggestions.

  1. Provides insight as to whether users should be added to or removed from the group based on the defined conditions.
  2. Safeguards apps, databases, RADIUS servers, etc. by considering account attributes and other helpful parameters to grant or deny access.
  3. Enables determination of which user(s) can be categorized to be added or made an exception to the rule on a group.
  4. Clarify if a group no longer needs to be reviewed periodically, and enable automation over the group going forward.

Utilizing membership suggestions is a key step before trying to turn on the automation feature on the group. Furthermore, users that need to be excluded from the rule based suggestions can be added as an exemption as shown below. Enabling automation on the group predetermines if users need to be added /removed when they do not match the condition, in which case the action will be executed using Attribute-based access control and not manually, considering the exemptions in place.

BScott_0-1669924862029.jpeg

JumpCloud certainly encourages admins to use both manually adding users to groups on-demand and allowing attribute-based conditions to govern users that get included in the group. However it is advised that admins are mindful and intentional over which groups are better off with a suggestion on them. It is typical for admins to choose a suggestion-enabled group when it controls Administrative permissions on a device or custom roles on an application. Below is a quick comparison guide for using suggestions over groups.

Manual

Suggested

Users can be selected, added, and saved from the JumpCloud UI.

Users can be selected, added, and saved from the UI, but will have add or remove suggestions if they match the condition governed by the group.

Users will persist on the group after saving.

Users will persist in the group until an action is taken on the suggestion, i.e., added or removed.

No rules need to be applied or considered on a group that needs to be manual

Rules on the group are mandatory if you wish to initiate suggestions on the group.

An admin prefers to control the users typically associated as Super Admins using this group.

An Admin would like to review access on the users that get authorized using this group, typically associated with administrative permissions to devices and applications.

Suggestions do not allow for adding certain users to be exempted from the group.

Allows certain users to be exempted from the rule on the group by adding them to a list of exemptions.

Find the KB article here to learn illustrate how exemptions can be used over groups to satisfy varied use cases.

In our next post, we will walk through three user persona examples for which users can be removed, and ones that get added to a group based on enabled automation.

0 REPLIES 0