User Groups functionality is implemented to enable easy privilege assigning to larger quantities of user and login based on AD group membership.
DM Documentation – User Groups
User Groups functionality is implemented to enable easy privilege assigning to larger quantities of user and login based on AD group membership. There two types of groups that can be created:
- Entra Groups (Active Directory) – members are defined by groups membership in Entra Groups
- Manual – group membership is based on DM´s database and manually assigned by the administrator for that customer
How to access the User and Group list?
User list UI has been changed to accommodate the new functionality. It now displays both the users and groups. In addition, a new column has been added to show the groups that the user is a member of (this works only for manual groups).
Creating groups
Create User button has been replaced by a dropdown that can be now used to add a User or a Group.
A prompt will appear asking for the group´s name. Enter the chosen name and hit Next. This will result in creating the group in the central database when logged in to cloud instances of DM.
Note: you cannot create multiple groups with the same name
Use the next screen to select the group type, add members if this is a manual group.
Select the second tab to access the permissions. These will apply to all members of the group and will not replace their own permissions.
Understanding group permissions
If a user is already a contributor to Table A and the group will have its privilege level for Table A set to viewer, the original user permission will take priority and the user will still remain a contributor to Table A.
In a similar case, if the group permissions make the user an admin to Table A, the group permission will take priority and the user will have admin permissions instead of the individually assigned contributor permission.
Manual Groups – Members
To add new members to a manual group use the field (token edit) below the Entra Group/Manual radio selector. You can search for users by typing the name. The list on the right will be updated and will correspond to the selected values in the token edit.
Microsoft Entra Groups (Active Directory Groups) - Members
In Entra Groups members are defined by their membership setup in the Active Directory. An example of a way to manage Entra Group members is to login via the Microsoft Azure Portal.
To make that group a part of DM and assign privileges, just select the group type, set up the permissions and save the changes.
Note: To setup Entra Groups the administrator account used should be an Entra User itself.
Members will have access to projects the group has access to as long as they have been listed as part of that AD (Entra ID) group.
If the Entra Group has been saved it will be impossible to change the group selected or change it to a manual group.
Deleting Groups
The general process for removal is identical for the most part for all group types. Select the group from the list and press the trashcan icon in the upper right corner, above the list. A prompt will appear asking for confirmation.
However, in case of manual groups it is required to remove members from the group manually before deleting the group. A prompt will appear warning of members still assigned to the group in case this has not been done before.
Multiple Group Membership
There is no limit on group membership per user. Each user can be or not, a member of as many groups as necessary. The permissions are compared between both groups themselves and individual settings per user. As a result, the user will always get the highest available permissions in every login session.
Additional remarks
- Group permissions are updated during login phase at application start-up. Please remember that removing permissions or group memberships will not result in immediate removal of those from the users.
- It is possible to create only one AD group in DM per GroupId in Microsoft Entra ID. This means that one Entra Group can be only be used once.
- Currently it is impossible to display user group names of type Entra in the user list (Group column).