Manage members of a group

In this topic, you will learn how to automatically manage members of a group in Portnox™ Cloud based on groups and/or organizational units in Portnox Cloud and/or authentication repositories.

Before you begin, you must create a group in Portnox Cloud. To create a group and configure its basic settings, read the following topic: Create a group.

To understand what are groups in Portnox Cloud and how they work together with accounts and policies, read the following topic: What are groups in Portnox Cloud?.

There are two ways in which you can manage the relationships between accounts and groups in Portnox Cloud:

  • By assigning individual accounts to groups.

  • By mapping directory groups and/or organizational units to groups in Portnox Cloud.

  1. In the Cloud portal top menu, click on the Groups option.

  2. Click on the ⋮ icon on the right-hand side of the selected group name and select the Group members option from the pop-up menu to begin the process of managing members of the selected group.

  3. In the right-hand side pane, click on the heading that represents the repository you want to work with.

    • CLEAR REPOSITORY: Assign accounts created in Portnox Cloud to this group. If you select this option, you will be working with individual accounts, not groups. For example, contractor accounts that represent external contractors or MAC-based accounts that represent IoT devices.
    • ACTIVE DIRECTORY: Map Active Directory groups, accounts, and/or organizational units to this group. To do this, first, you need to integrate Portnox Cloud with a local AD instance (see: Integrate with Active Directory).
    • AZURE AD: Map Entra ID (Azure Active Directory) groups, accounts, and/or organizational units to this group. To do this, first, you need to integrate Portnox Cloud with Azure AD/Entra ID (see: Integrate with Microsoft Entra ID).
    • GOOGLE WORKSPACE: Map Google Workspace groups and/or accounts to this group. To do this, first, you need to integrate Portnox Cloud with Google Workspace (see: Integrate with Google Workspace).
    • OKTA DIRECTORY: Map Okta Workforce Identity groups and/or accounts to this group. To do this, first, you need to integrate Portnox Cloud with Okta Workforce Identity (see: Integrate with Okta Workforce Identity).
    • OPEN LDAP: Map OpenLDAP groups, accounts, and/or organizational units to this group. To do this, first, you need to integrate Portnox Cloud with a local OpenLDAP instance (see: Integrate with OpenLDAP).
    Note: The list will contain only those external repositories that you integrated Portnox Cloud with.
  4. Select the groups to map between the directory and this group.

    The left pane shows directory groups available for mapping to this group. The right pane shows directory groups that are mapped to this group.

    1. Click on checkboxes next to group names to select them.

      You can also start typing the name of the group in the search box on top of the pane. As you type, the list of group names shown in the panel will be restricted to only those that contain the text you are typing.

    2. Click on the right arrow or the left arrow symbol between panes to move selected groups between panes.
    3. If you made any changes, the following buttons will appear under the panes: Reset changes and Save. Click on the Save button to save your changes or click on the Reset changes button to cancel your changes.
  5. Optional: Click on the Switch view option and select View OUs or View accounts to map organizational units or individual accounts between the directory and this group.

    In addition to mapping by groups, you can also map individual user accounts or organizational units (OUs) to groups in Portnox Cloud.

    Organizational units are available only if you selected the Use OU-based mapping option when configuring your integration, and only for Azure Active Directory, local Active Directory, and OpenLDAP. Sub OUs are mapped along with primary OUs but in a flat structure, so we recommend using the search box to find a specific OU.

    If you did not turn on mapping based on organizational units or your directory does not allow mapping based on organizational units, instead of the Switch view option, you will see a View accounts option to switch directly to the accounts view.

    Important: If you select entries both from groups and organizational units, and some users are in both the selected groups and organizational units, when onboarding the user, Portnox Cloud will prioritize the authorization details of the group over those of the organizational unit. If you select individual accounts in addition to groups and/or organizational units, Cloud will prioritize individual accounts.
  6. Repeat the above steps for other authentication repositories if necessary.

Result: You mapped selected directory groups and/or organizational units to this group. The first time that each user from a mapped group or organizational unit authenticates with Portnox Cloud, Cloud will make an account representing this user.

Note: If you do not select the Allow life cycle synchronization option when setting up the integration, during synchronization Portnox Cloud will only add new users from the directory group or organizational unit and will not remove the accounts of users that are no longer in the directory group or organizational unit.
Note: If you move users between LDAP groups, the up-to-date group members will only be visible in Portnox Cloud after you click the Force sync link on your authentication repository setup screen (Settings > AUTHENTICATION REPOSITORIES > your integrated repository).
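As an added illustration (not Portnox code or a Portnox API), the following Python model shows the two rules stated above: resolve_group applies the precedence individual account > directory group > organizational unit when a user matches several mapped sources, and sync_members / stale_accounts show which accounts linger when Allow life cycle synchronization is off. The directory snapshot and mappings are constructed sample data.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed directory snapshot: user -> groups the user belongs to and the user's OU.
DIRECTORY: Dict[str, dict] = {
    "alice": {"groups": {"Engineering"}, "ou": "OU=Lab,DC=example,DC=com"},
    "bob":   {"groups": {"Engineering"}, "ou": "OU=Lab,DC=example,DC=com"},
    "carol": {"groups": set(),           "ou": "OU=Lab,DC=example,DC=com"},
    "dave":  {"groups": {"Sales"},       "ou": "OU=HQ,DC=example,DC=com"},
}

# Constructed mappings: (source kind, directory object, Portnox Cloud group).
MAPPINGS: List[Tuple[str, str, str]] = [
    ("ou",      "OU=Lab,DC=example,DC=com", "Lab-Devices"),
    ("group",   "Engineering",              "Staff"),
    ("account", "bob",                      "Contractors"),
]

# Lower number wins: individual account > directory group > organizational unit.
PRIORITY = {"account": 0, "group": 1, "ou": 2}


def resolve_group(user: str) -> Optional[str]:
    """Return the Portnox group whose authorization details apply to `user`,
    or None if no mapped source covers the user."""
    entry = DIRECTORY.get(user)
    if entry is None:
        return None
    candidates = []
    for kind, key, portnox_group in MAPPINGS:
        matched = (
            (kind == "account" and key == user)
            or (kind == "group" and key in entry["groups"])
            or (kind == "ou" and key == entry["ou"])
        )
        if matched:
            candidates.append((PRIORITY[kind], portnox_group))
    return min(candidates)[1] if candidates else None


def sync_members(current: Set[str], directory_members: Set[str],
                 lifecycle_sync: bool) -> Set[str]:
    """One synchronization pass: new directory members are always added;
    departed members are removed only when life cycle synchronization is on."""
    if lifecycle_sync:
        return set(directory_members)
    return set(current) | set(directory_members)


def stale_accounts(current: Set[str], directory_members: Set[str]) -> Set[str]:
    """Accounts still present in Portnox Cloud after leaving the mapped directory
    object: the set to review when life cycle synchronization is off."""
    return set(current) - set(directory_members)
```

Run stale_accounts against a Force sync export when life cycle synchronization is off; anything it returns keeps its old authorization until removed by hand.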