Group membership
A user can be a member of more than one group. The user obtains membership in a group either explicitly or by reference.
An administrator, or another user with the appropriate permissions, can explicitly assign a user to a group. If automatic population of groups is enabled, we can also cause a user to become a group member by reference: reference the user as the manager of another user or as the owner of a service. We can assign group members using the Manage Group tasks on the user interface portfolio. We can also edit the ISIM account profile of a specific user. Ensure that a member of multiple groups does not receive accidental access to tasks that fall outside the intended scope for the user.
Not all users gain automatic membership in groups, as described in Table 1.

| User given this relationship | Automatically assigned to default group* |
| --- | --- |
| Manager of a user | Manager |
| Supervisor of a business unit | Not automatic |
| Owner of a service | Service owner |

*If the property is enabled to automatically populate groups. Additional conditions apply.

- Having no IBM Security Identity Manager account does not prevent a person from being specified as service owner or supervisor. However, no IBM Security Identity Manager account is created or put in a default group. If that service owner or supervisor later obtains an ISIM account, the account is not automatically put in a default group. For that to happen, we must create or modify a service or a user who is a subordinate.
- A person who has an ISIM account becomes a user. Removing the user as manager of all subordinates, or removing the user as owner of all services, does not remove the ISIM account. Removing the user as manager of all subordinates does not remove the user from a default group, such as the Manager group. Updating the manager attribute in the personal profile of a subordinate to reference a different manager does not remove the previously referenced user from the Manager group. Updating the manager attribute in the personal profile of a subordinate to reference no one does not remove the previously referenced user from the Manager group. We can explicitly remove a user from the Manager group. The member is automatically removed from the group only when the user record is deleted.
- We can explicitly remove the user from a group and then update a user's personal profile again to reference the user as their manager. The referenced user again becomes a member in the Manager group.
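
Because default-group membership outlives the reference that created it, we can periodically compare group members with current references. The following is an added example (not IBM code and not an ISIM API) that flags members of the Manager and Service owner groups who are no longer referenced, and referenced account holders who are not members. The record layout, the function name, and all sample names are assumptions constructed for illustration.

```python
# Added example: constructed data, not an ISIM export format or API.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Person:
    name: str
    manager: Optional[str] = None  # person referenced as manager, if any
    has_account: bool = True       # whether the person has an ISIM account

def audit_default_groups(people, service_owners, groups):
    """Compare default-group membership with current references.

    people:         list of Person records
    service_owners: dict of service name -> owner person name
    groups:         dict of group name -> set of member names
    Returns (stale, missing), each a set of (group, person) pairs.
    """
    accounts = {p.name for p in people if p.has_account}
    referenced = {
        "Manager": {p.manager for p in people if p.manager},
        "Service owner": set(service_owners.values()),
    }
    stale, missing = set(), set()
    for group, refs in referenced.items():
        members = groups.get(group, set())
        # Dropping the reference never removes the member automatically,
        # so a member that nobody references holds leftover privileges.
        stale |= {(group, m) for m in members - refs}
        # Referenced account holders outside the group: the account was
        # obtained after the reference, or the user was explicitly removed.
        missing |= {(group, r) for r in (refs & accounts) - members}
    return stale, missing

# Constructed sample: carol used to report to erin and now reports to dave;
# frank owns a service but has no ISIM account.
PEOPLE = [
    Person("alice"), Person("bob", manager="alice"),
    Person("carol", manager="dave"), Person("dave"), Person("erin"),
    Person("frank", has_account=False),
]
SERVICE_OWNERS = {"ldap-prod": "frank", "hr-feed": "dave"}
GROUPS = {"Manager": {"alice", "erin"}, "Service owner": {"dave"}}

if __name__ == "__main__":
    stale, missing = audit_default_groups(PEOPLE, SERVICE_OWNERS, GROUPS)
    print("review for removal:", sorted(stale))
    print("referenced but not a member:", sorted(missing))
```

Entries in the first set are candidates for explicit removal from the group; entries in the second set need a decision on whether the membership is intended.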