Edit and Delete Groups

The below sections detail how to make basic edits to the settings and options of BeyondInsight local groups, Active Directory groups, Entra ID groups, and LDAP groups using the Edit Group functionality, as well as how to update more advanced group details such as assigning permissions, updating group members, and managing API registrations.

Edit Basic Group Details

Administrators can edit the following basic details for groups in BeyondInsight:

BeyondInsight Local Groups

  • For BeyondInsight local groups, administrators can update the following:
    • Deactivate or activate a group by enabling or disabling the Active status.
    • Modify the Group Name.
    • Modify the Description.

Active Directory Groups

For Active Directory groups, administrators can update the following:

  • Deactivate or activate a group by enabling or disabling the Active status.
  • Change the credential used to query the group in Active Directory.
  • Select a new domain or domain controller used for accessing the group in Active Directory.
  • Enable or disable the option to propagate domain changes to all members of the group.
  • Select Sync Schedule Options to control how the user accounts in this group are automatically synchronized on a periodic schedule. The following options are available:
    • Global: This is the default setting which uses the schedule settings specified in the Active Directory Group Synchronization configuration section.
    • Custom: Select Custom to ignore the global synchronization schedule and specify a unique synchronization schedule for this group instead.
    • No Custom or Global: Select this option to omit this group from any automatic synchronization. The group can still be synchronized manually.

Entra ID Groups

  • For Entra ID groups, administrators can update the following:
    • Deactivate or activate a group by enabling or disabling the Active status.

LDAP Groups

  • For LDAP groups, administrators can update the following:
    • Deactivate or activate a group by enabling or disabling the Active status.
    • Change the credential used to query the group in LDAP.
    • Select a new Group Membership attribute from the list. The following options are available:
      • member
      • uniqueMember (default)
      • memberUID
    • Select a new Account Naming attribute from the list. The following options are available:
      • mail
      • cn
      • sAMAccountName
      • uid
      • userPrincipalName
    • Edit the Base Distinguished Name.

To edit a group in BeyondInsight:

  1. Navigate to Configuration > Role Based Access > User Management.
  1. From the Groups tab, locate the group using the available filter options above the grid and select it.
  2. Click the vertical ellipsis for the group, and then select Edit Group.
  3. In the Edit Group pane, update the details as required, and then click Update Group.

For more information on configuring Active Directory Group Synchronization settings, please see Configure Active Directory Group Synchronization.

Edit Advanced Group Details

Administrators can edit the following advanced details for groups:

  • Update the group permissions for specific BeyondInsight and Password Safe features.
  • Update the group permissions for specific Smart Groups.
  • Edit Password Safe roles for Smart Groups
  • Add and remove users from local groups.
  • Manually synchronize group users for Active Directory and LDAP groups.
  • Enable and disable API Registrations for the group.

Follow these steps to access advanced details for a group:

  1. Navigate to Configuration > Role Based Access > User Management.
  1. From the Groups tab, locate the group using the available filter options above the grid and select it.
  2. Click the vertical ellipsis for the group, and then select View Group Details.
  3. From the Group Details pane, you can select Features, Smart Groups, Users, and API Registrations to make updates for the group. Specific updates you can make for each of these options are detailed in the below sections.

Update Group Permissions for Features

Permissions provide the members of the group access to BeyondInsight system components and Password Safe features. Assign permissions to groups for specific features, as follows:

  1. From the Group Details pane, click Features.
  2. From the Features grid, select the feature.
  3. Click Assign Permissions above the grid.
  4. Click Assign Permissions Read Only, Assign Permissions Full Control, or Disable Permissions.

Update Group Permissions for Smart Groups

Assign permissions to groups to provide members of the group access to smart groups as follows:

  1. From the Group Details pane, click Smart Groups.
  2. From the Smart Groups grid, select the Smart Group.
  3. Click Assign Permissions above the grid.
  4. Click Assign Permissions Read Only, Assign Permissions Full Control, or Disable Permissions.

Edit Password Safe Roles for Smart Groups

Password Safe roles define the actions users can take when using the Password Safe web portal for password releases or access to applications. Assign Password Safe roles to groups as follows:

  1. From the Group Details pane, click Smart Groups.
  2. From the Smart Groups grid, click the vertical ellipsis for the Smart Group.
  3. Select Edit Password Safe Roles.
  4. Check or uncheck each role, as required.
  5. Click Save Roles.

Add Users to Local BeyondInsight Groups

Manually add users to local groups in BeyondInsight as follows:

  1. From the Group Details pane, click Users.
  2. Filter the Users grid to show users not assigned.
  3. Select the user or users, and then click Assign User above the grid.

Sync Group Users for Active Directory and LDAP Groups

To ensure your AD and LDAP groups contain the most recent group members, you can manually synchronize with AD and LDAP to retrieve the group's users. There are two methods for manually synchronizing group users, as follows:

  • From the group header, above the Group Details pane, click the Sync group users icon.
  • From the User Management page, click the vertical ellipsis for the group and select Sync group users.

Manage Group API Registrations

API Registrations provide a way to integrate part of the BeyondInsight and Password Safe functionality into your applications using an API key. Manage API registrations for groups as follows:

  1. From the Group Details pane, click API Registrations.
  2. Check or uncheck the API registrations to enable or disable them for this group or click Select All to enable all of them. Changes are automatically saved.

Use the filter above the list to narrow down the list of API registrations or to quickly find a specific registration by its name. If you need to create a new API registration, click the Manage API Registrations link above the filter box to go to the API Registrations page where you can create a new one.

For more detailed information on features permissions, Password Safe roles, and API registrations, please see the following:

 

Delete a Group

Groups associated with a secret or credential in Secrets Safe cannot be deleted. Users attempting this action receive the following warning:

Unable to delete group, as it contains secrets which must first be removed.

Administrators can delete groups as follows:

  1. Navigate to Configuration > Role Based Access > User Management.
  1. From the Groups tab, locate the group using the available filter options above the grid and select it.
  2. Click the Delete button above the grid.
    • Alternatively, click the vertical ellipsis for the group, and then select Delete Group.