Use the Groups tab to create or delete groups and subgroups, assign users to them, associate them with specific Access Control permissions, define group attributes, and specify group membership behavior. As mentioned in the conceptual discussion earlier in this chapter, Groups are key to modeling your organization and granting or denying access to various resources to several users.

Here is how the Groups dialog might look at your site before any major Access Control configuration.

Out of the box, you will see four system-defined groups:

The lower-case names in parenthesis are the system equivalent names that you would specify if importing/exporting groups via spreadsheet. ("Import and Export" above).

These system-defined groups have the following default settings:

When an admin edits the group membership type for an existing group and enters a different type, the following rules should apply.

Note that you can only edit the name or the Group Membership setting with this button. To edit the Permissions, Members, or Attributes of a group or sub-group, select it and use the panes on the right side of the window. Further note that you cannot edit the All Users or Super Users groups at all, and only the Group Membership setting for System Admins and VPE Admins.

Note that you cannot delete any of the four system-defined groups (All Users, System Admins, Super Users, or VPE Admins).

This setting determines how user are associated with groups:

Note that for LDAP connections to have the System Admin and VPE Admin options available for the Sync Admin Group Membership settings (see To add a new LDAP connection), these groups must be set to Manual here.

The Associated Permissions pane displays the permissions that currently apply to the selected group. In the screen shot above, all permissions shown are the system-defined permissions available Out-of-Box , as identified by the "ap." naming prefix.

The Members pane displays the users who belong to the selected group.

The Attributes pane allows you to define, associate, and remove attribute/value pairs for the selected group. To create a new attribute, double-click the Name field for the first unpopulated row and enter a name for the attribute. Double-click the Type field to display a pull-down menu from which you can select string for text, double for numeric values, Boolean for true/false values, or list for semi-colon-separated strings. Double-click the Value field to enter the value of the attribute.

An example of using the list attribute would be to create a list of VPEs to which the group should have access, such as setting attribute "AC_VPEs" to:

aPriori China; aPriori USA; aPriori Mexico

This could then be used by an Access Control administrator to write a rule similar to:

When done, click the Publish icon to save the new attribute and make it available to other groups.

Note that group attributes are separate from User Defined Attributes (UDAs) which apply only to component scenarios. However, you can manually coordinate group attributes with UDAs. For example, if you implement a region-based Access Control model, you might create both a group attribute and a UDA named "Region" and set them to values such as "NA" for "North America" or "EMEA" for "Europe, Middle East, and Africa". Once defined, you can then create permission rules that ensure that members of a group with the "Region" group attribute set to "NA" can only access component scenarios. You must ensure that you implement the names and values EXACTLY so that rule comparisons return valid results.