Create and Configure Groups

Create user groups and user accounts so that your BeyondInsight administrators can log in to BeyondInsight.

When a user is added to a group, the user is assigned the permissions assigned to the group.

User Management > Create New Group

You can create BeyondInsight local groups, as well as add Active Directory, Azure Active Directory, and LDAP groups into BeyondInsight.


Filter Groups on User Management Page

You can filter the groups displayed in the grid by type of group, name of the group, group description, and the date the group was last synchronized.


Change the number of items displayed per per on User Management > Groups page.

By default, the first 100 groups are displayed per page. You can change this by selecting a different number from the Items per page dropdown at the bottom of the grid.


Create a BeyondInsight Local Group

  1. Navigate to Configuration > Role Based Access > User Management.

Screenshot of Create a New Group in BeyondInsight

  1. Under Groups, click Create New Group.
  1. Select Create a New Group.


Screenshot of Create New Group

  1. Enter a Group Name and Description for the group.
  2. The group is set to Active (yes) by default. Click the toggle to set the group to Active (no) if you want to activate it later.
  3. Click Create Group.


Screenshot of selecting Users option under Group Details to add users to a group.

  1. Assign users to the group:
    • Under Group Details, select Users.
    • From the Show dropdown list, select Users not assigned.
    • Filter the list of users displayed in the grid by Type, Username, Name, Email, and Domain, if desired.

    Screenshot of selecting users to add to a group.

    • Select the users you wish to add to the group, and then click Assign User


By default, new groups are not assigned any permissions. You must assign permissions on features and Smart Groups after creating a new group. For more information on permissions and how to assign them, please see Assign Group Permissions.

When a local user logs in to BeyondInsight for the first time using SAML authentication, BeyondInsight provisions their account by mapping it to the groups assigned to their account.

For releases prior to 21.3, and for upgrades to the 21.3 release, if the user account's group membership has changed (in the SAML claims provided) upon subsequent logins, BeyondInsight does not deprovision the user by removing them from the groups that were initially mapped to their account. Instead, BeyondInsight maps the user to any newly assigned groups, in addition to the groups their account is already mapped to.

You can configure BeyondInsight to synchronize group membership each time a local user logs in using SAML, as follows:

  1. Navigate to Configuration > Authentication Management > Authentication Options.
  2. Under SAML Logon for Local Users, toggle the Enable Group Resync option to enable it.

For new installs of release 21.3 and later releases, this option is enabled by default.