Create and configure groups

Create user groups and user accounts so that your BeyondInsight administrators can log in to BeyondInsight.

When a user is added to a group, the user is assigned the permissions assigned to the group.

User Management > Create New Group

You can create BeyondInsight local groups, as well as add Active Directory, Microsoft Entra ID, and LDAP groups into BeyondInsight.


You can filter the groups displayed in the grid by type of group, name of the group, group description, and the date the group was last synchronized.

Change the number of items displayed per per on User Management > Groups page.

By default, the first 100 groups are displayed per page. You can change this by selecting a different number from the Items per page dropdown at the bottom of the grid.


Create a BeyondInsight local group

To create a local group in BeyondInsight, follow the below steps:

  1. Navigate to Configuration > Role Based Access > User Management.

Create a New Group in BeyondInsight

  1. From the Groups tab, click + Create New Group.


  1. Select Create a New Group.


Create New Group

  1. Enter a Group Name and Description for the group.
  2. The group is set to Active by default. Check the box to deactivate it, if you prefer to activate it later.
  3. Click Create Group.


Group Details add unassigned users to group.

  1. Assign users to the group:
    • Under Group Details, select Users.
    • From the Show dropdown list, select Users not assigned.
    • Filter the list of users displayed in the grid by Type, Username, Name, Email, and Domain, if desired.


    • Select the users you wish to add to the group, and then click Assign User above the grid.

By default, new groups are not assigned any permissions. You must assign permissions on features and smart groups after creating a new group. For more information on permissions and how to assign them, please see Assign group permissions.

When a local user logs in to BeyondInsight for the first time using SAML authentication, BeyondInsight provisions their account by mapping it to the groups assigned to their account.

For releases prior to 21.3, and for upgrades to the 21.3 release, if the user account's group membership has changed (in the SAML claims provided) upon subsequent logins, BeyondInsight does not deprovision the user by removing them from the groups that were initially mapped to their account. Instead, BeyondInsight maps the user to any newly assigned groups, in addition to the groups their account is already mapped to.

You can configure BeyondInsight to synchronize group membership each time a local user logs in using SAML, as follows:

  1. Navigate to Configuration > Authentication Management > Authentication Options.
  2. Under SAML Logon for Local Users, toggle the Enable Group Resync option to enable it.

For new installs of release 21.3 and later releases, this option is enabled by default.