User Group is a feature that allows administrators to manage and organize users by grouping them based on their preferences. These groups can be created manually by administrators or automatically provisioned from SCIM-based identity providers such as Microsoft Entra ID or Okta. The User Group page displays a list of these groups, providing an overview, configuration, and management options.
Some benefits of the User Groups are:
Enhanced Security - No directory token or read permission on the directory is required.
Real-Time Access Updates - Whenever a new location or door is added, users will receive access in real-time without the need for manual updates.
Simplified Access Management - As the number of locations and sites increases, managing rules can be complex and time-consuming. User groups eliminate the need to write rules for each location, making it simple to manage and provide access.
User Provisioning/Deprovisioning - Immediate provisioning and de-provisioning occur when a user is added or deleted from identity providers, or unassigned from the Genea app, ensuring access is updated.
Easy Bulk Assignment - With user groups, you can quickly assign physical access, roles, and mobile access to all members. This streamlined process makes managing access at scale effortless, saving you time and reducing administrative workload.
For assistance with enabling the User Group feature, please reach out to the Genea Support Team.
User Group Page
The User Group page displays a list of the User Groups created or pushed in the Genea web application. These groups can be created manually or pushed from directories.
The User Group menu is available under User Management of both Location and Global Overview.
Key information provided includes:
Managed By: Indicates whether the User Group was pushed from an identity provider directory (and which one) or was created manually by an Administrator.
Created By: Shows the user who initially created the User Group.
Updated By: Displays the user who last updated the User Group.
Members Count: Provides the total number of members within each User Group.
Actions: Offers options for managing User Groups, such as editing group names or deleting the User Group.
User Groups managed through directories cannot be edited or deleted from the Genea web application.
Users can filter the list by User Group description or by Managed By.
Users can also sort the columns as they prefer.
Note: User Groups pushed from directories cannot be deleted or renamed, ensuring data integrity and consistency across integrated systems.
Maintenance Mode
By default, Maintenance Mode is turned 'ON', meaning configurations made within a User Group do not sync to the members of that User Group. The toggle button must be turned off to synchronize configurations with User Group members.
When Maintenance Mode is turned off, a pop-up appears notifying users that this action will synchronize the configuration with the members of the respective User Group. This action cannot be undone. Before proceeding, users are required to download the report and acknowledge it.
Note: It is highly recommended that you review this report thoroughly before proceeding further. This process ensures transparency and allows users to validate changes before turning off the Maintenance Mode of the User Group.
Quick Reporting
The Reports option provides three functionalities: Download now, Schedule Download, or Email the report.
Configuration Section
Each User Group includes two sections: one for configurations and another for adding and viewing members within the User Group. Upon selecting a User Group, the Configuration section opens by default, subject to the user's permissions.
Under each User Group, configurations include assigning Physical Access, Administrative Roles, and Mobile Access.
Physical Access Assignment
To configure the Physical Access, follow the below steps:
Step 1: To assign Physical Access, click on the 'Add' button.
Step 2: A list of Unassigned Physical Access options will be displayed.
Step 3: Select multiple Physical Access across multiple locations and click 'Save' to add them to the User Group.
The list of assigned Physical Access will be displayed, and users can remove Physical Access from the table as well.
Administrative Role Assignment
Users can be assigned a single role at multiple locations using this configuration.
Step 1: Click on ‘Add’ to assign a role.
Step 2: A side panel will open. Select the role from the dropdown menu and then choose the locations where the role is to be assigned. Click on ‘Save and Close’.
Role Conflict:
When a user belongs to multiple User Groups with conflicting roles, conflicts are resolved based on role hierarchy and creation time.
Resolution Criteria:
Role Hierarchy: Roles are prioritized by their hierarchical rank, where lower numbers indicate higher priority (e.g., Rank 0 > Rank 1 > Rank 2 > Rank 3).
Creation Time: If conflicting roles share the same rank, the role that was created earlier takes precedence.
Example Scenario:
Consider John, a security officer in London, who is promoted to the Operations Team while maintaining his security responsibilities. John is part of both the Security User Group and Operations User Group. He is assigned a Security role through the Security User Group and an Operation Manager role through the Operations User Group in London. Both roles are ranked as Rank 2. So, the role conflicts are resolved by assigning the Security role due to its earlier creation.
If the Operation Manager role is ranked as Rank 1, then the Operation Manager role takes precedence due to its higher rank in the hierarchy.
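The two resolution criteria above (rank first, then creation time, evaluated per location) as an added Python example; this is illustrative code written for this article, not Genea's implementation, and the group names, dates and the per-location grouping are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class RoleAssignment:
    role: str
    rank: int             # lower number = higher priority (Rank 0 > Rank 1 > Rank 2)
    created_at: datetime  # creation time of the role; earlier wins on equal rank
    user_group: str       # User Group through which the role is inherited
    location: str


def resolve_role(assignments):
    """Pick the single winning assignment for one location.

    Ordering follows the documented criteria: lowest rank number first,
    then the earliest creation time as the tie-breaker.
    """
    if not assignments:
        return None
    return min(assignments, key=lambda a: (a.rank, a.created_at))


def effective_roles(user_groups_of_user, assignments_by_group):
    """Collect every assignment a user inherits through membership, group the
    assignments by location and resolve each location independently."""
    by_location = {}
    for group in user_groups_of_user:
        for a in assignments_by_group.get(group, []):
            by_location.setdefault(a.location, []).append(a)
    return {loc: resolve_role(lst) for loc, lst in by_location.items()}


# Constructed sample data modelling John's scenario from the text.
SECURITY = RoleAssignment("Security", 2, datetime(2023, 1, 10), "Security User Group", "London")
OPS_RANK2 = RoleAssignment("Operation Manager", 2, datetime(2023, 6, 1), "Operations User Group", "London")
OPS_RANK1 = RoleAssignment("Operation Manager", 1, datetime(2023, 6, 1), "Operations User Group", "London")
JOHN_GROUPS = ["Security User Group", "Operations User Group"]


def scenario_same_rank():
    """Both roles are Rank 2: the earlier-created Security role wins."""
    assignments = {"Security User Group": [SECURITY], "Operations User Group": [OPS_RANK2]}
    return effective_roles(JOHN_GROUPS, assignments)["London"].role


def scenario_higher_rank():
    """Operation Manager is Rank 1: it beats Security regardless of creation time."""
    assignments = {"Security User Group": [SECURITY], "Operations User Group": [OPS_RANK1]}
    return effective_roles(JOHN_GROUPS, assignments)["London"].role


if __name__ == "__main__":
    print("Same rank  ->", scenario_same_rank())
    print("Higher rank->", scenario_higher_rank())
```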
Mobile Keys Management
This process assigns mobile keys, such as App-Based or Mobile Wallet keys, to members of the User Group.
Note: To use this feature, HID Wallet keys must be integrated. Disabling these keys will not affect existing App-Based keys or Mobile Wallets, which will remain unchanged.
Member Section:
From this page, members can be added to or removed from the User Group.
Users cannot add or delete members of User Groups managed through Okta or Microsoft Entra ID. Changes to the membership can be made through the respective directories only.
Users can filter the members based on various attributes like Department, Name, Email, and more.
User Group Permissions in Custom Role
Once the customer support team has enabled the User Group, navigate to the Custom Roles section. A new permission for User Groups will be available, and by default, this permission is set to 'No Access'.
Within User Group permissions, there are two main resource permissions: Configurations and Members.
Configuration Permission
To view the User Group list page, Physical Access, Portal Access, or Mobile Access, users must have at least 'Read' permission on Configurations.
Dependency on Other Resource Permissions:
The permissions for User Groups have dependencies on other resources. Enabling 'Full Access' for Configurations or both Configurations & Members automatically enables User Management and User Management - Advanced permissions.
Member Permission
Member permissions are interdependent with Configuration permissions. Specifically, if Configuration permissions are set to 'No Access', Members permissions cannot be enabled separately.
If Members permission is set to 'No Access', the 'Member' tab will be hidden and inaccessible.
Menu Management: The User Group menu will only be visible when the menu management toggle button is enabled in the permissions settings.
Granular-level permissions have been introduced for Membership management. The admin is now required to select the specific User Groups in which each role is permitted to add members.
The 'Members' resource link will become clickable when the user selects the "Full Access" option.
Clicking the 'Members' link will open a side panel where users can select User Groups from a dropdown menu.
Note: Only User Groups created by Administrators will be visible in the list. Memberships for directory-managed User Groups will be handled through the respective directory.
Directory Integration
1. Okta
Okta + Genea Integration
Previously, users needed to generate an Okta token to integrate directories with Genea. Now, with the User Group feature, this process has been simplified: users only need to copy and paste the Genea token into the 'Genea Access Control' app in the Okta dashboard.
Login to the Genea Web application and go to Integrations.
Find Okta and click 'Install.'
Follow these steps to integrate Okta with Genea using the Okta Integration Token:
Step 1: Generate an Okta Integration Token
You will be assigned a secure token for your Okta provisioning integration. Copy this token, as you will need it in the next step when you paste it into your Okta web application.
Step 2: Configure your Okta Application
Login to your Okta account as an admin.
Go to Admin-> Applications -> Search for 'Genea Access Control' Application in 'Browse for Catalog' -> Click on 'Add Integration'.
Step 3: Configure API Integration
Navigate to the 'Provisioning' tab in the Genea Access Control Application and click on the 'Integration' settings.
Click on 'Edit' for the configuration.
Edit the App provisioning options and make sure that Create Users, Update User Attributes, and Deactivate Users are all enabled (boxes checked).
Click 'Save' at the bottom of the provisioning page.
User Provisioning from Okta to Genea and Membership Management
Step 1: Log in to Okta Admin Console: Access your Okta Admin Console using your administrative credentials.
Step 2: Add/Create a Genea Application Assignment Group:
To create a new group, navigate to 'Groups' in the Directory Option. Click 'Add Group' and enter the necessary details.
Step 3: Assign Group to the Genea Access Control Application in Okta
In Okta, click the Assignments tab in the Genea Access Control application. Select the group (e.g. Genea Security - Users) you want to provision to the Genea application.
Step 4: Add/Create Push Groups:
To manage user memberships in Genea, create new groups in Okta based on roles or departments. To push these groups to Genea, click on the Push Group tab and then 'Find groups by name'. Search for and select the group (e.g. Genea Marketing or Genea IT Admin) and click on 'Save'.
Review to make sure the selected groups are pushed into Genea and are visible on the 'User Group' page.
Users must be provisioned to the 'Genea Access Control' application to appear in Genea. Pushing a group does not sync any users, it only creates the User Group in Genea.
Managing Groups for Genea Web Application
To manage user access and provisioning effectively for the Genea web application, it is essential to utilize two distinct types of Groups.
1. Application Assignment Group
Objective: This group is used to provision users to Genea.
Procedure:
Create a Group in Okta: Create a new group (e.g. Genea Security - Users) with a name indicating its purpose.
Add Users: Include all users who need to be provisioned in Genea.
Assign Genea Application: Assign the 'Genea Access Control' application to this group to provision its users in Genea.
2. Push Groups
Objective: These groups are used for organizing users based on their roles or departments, such as Marketing or IT Admin. Use these groups to manage access within Genea.
Procedure:
Create Groups in Okta: Create groups based on specific roles or departments within your organization in Okta.
Add Members: Assign relevant users to these groups based on your organizational operations.
Push the Groups to Genea: Ensure these groups are pushed to Genea using Push Group functionality.
Users must be provisioned to the 'Genea Access Control' application to appear in Genea. Pushing a group does not sync any users, it only creates the User Group in Genea.
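The two-group model described above (an Application Assignment Group that provisions users, Push Groups that only create User Groups), as an added Python illustration written for this article rather than Genea's or Okta's own code. It assumes a simplified model in which a pushed group's visible members are those members who were also provisioned through the assignment group; the Okta group names and e-mail addresses are constructed sample data.

```python
def provisioned_users(okta_groups, assignment_group):
    """Users reach Genea only via the Application Assignment Group."""
    return set(okta_groups.get(assignment_group, set()))


def genea_user_groups(okta_groups, assignment_group, push_groups):
    """Model of what appears on the Genea 'User Group' page.

    Every pushed group is created as a User Group even when empty; its
    members are limited to users who were provisioned (assumption of this
    simplified model, consistent with "pushing a group does not sync users").
    """
    provisioned = provisioned_users(okta_groups, assignment_group)
    return {g: okta_groups.get(g, set()) & provisioned for g in push_groups}


def missing_from_assignment(okta_groups, assignment_group, push_groups):
    """Audit helper: push-group members who will never show up in Genea
    because they are not in the Application Assignment Group. A non-empty
    result is the usual cause of an unexpectedly empty pushed User Group."""
    provisioned = provisioned_users(okta_groups, assignment_group)
    gaps = {g: okta_groups.get(g, set()) - provisioned for g in push_groups}
    return {g: users for g, users in gaps.items() if users}


# Constructed sample directory state (not real tenants or people).
OKTA_GROUPS = {
    "Genea Security - Users": {"alice@example.com", "bob@example.com"},
    "Genea Marketing": {"alice@example.com", "carol@example.com"},
    "Genea IT Admin": {"bob@example.com"},
    "Genea Facilities": {"dave@example.com"},
}
ASSIGNMENT_GROUP = "Genea Security - Users"
PUSH_GROUPS = ["Genea Marketing", "Genea IT Admin", "Genea Facilities"]


if __name__ == "__main__":
    for name, members in genea_user_groups(OKTA_GROUPS, ASSIGNMENT_GROUP, PUSH_GROUPS).items():
        print(f"{name}: {sorted(members) or '(empty)'}")
    print("Not provisioned:", missing_from_assignment(OKTA_GROUPS, ASSIGNMENT_GROUP, PUSH_GROUPS))
```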
2. Microsoft Entra ID
Login to the Genea Web application and go to Integrations.
Find Microsoft Entra ID and click 'Install'.
Follow these steps to integrate Microsoft Entra ID with Genea using the Genea integration token:
Step 1: Generate a Microsoft Entra ID Integration Token
You will be assigned a secure token for your Microsoft Entra ID provisioning integration. Copy this token, as you will need it in the next step when you paste it into your Microsoft Entra web application.
Step 2: Configure your Microsoft Entra ID portal
1. Sign in to the Microsoft Entra ID portal.
2. Browse to 'Microsoft Entra ID' > 'Identity' > 'All Applications' > 'Enterprise Applications.'
3. Select 'New Application' > 'Create Your Own Application.'
4. Enter a name for your application, select the Non-gallery application option and click on 'Create'.
5. On the resulting screen, select the 'Provisioning' tab in the left column.
6. On the Provisioning Mode menu, select 'Automatic.'
7. In the Tenant URL field, enter the URL: https://scim-api.sequr.io/scim/v2
8. Copy and paste the Genea Integration token into the 'Secret Token' field.
9. Click the 'Test Connection' button to have Microsoft Entra ID attempt to connect to the SCIM endpoint. If the attempt fails, the error information will be displayed.
10. If the attempt to connect to the application succeeds, click 'Save' to save the admin credentials.
11. Under Settings, the Scope field defines which users and/or groups are synchronized. Selecting "Sync only assigned users and groups" (recommended) will only sync users and groups assigned in the Users and Groups tab.
12. Once your configuration is complete, change the 'Provisioning Status' to 'On.'
13. Click 'Save' to start the Microsoft Entra ID provisioning service.
Provision Groups from Microsoft Entra ID to Genea
1. Sign in to the Microsoft Entra portal.
2. Browse to 'Microsoft Entra ID' > 'Identity' > 'All Applications' > 'Enterprise Applications.'
3. Select your application, and then go to the 'Users and groups' and click on '+Add user/group' to add a group to the respective application.
The automatic Microsoft Entra ID provisioning service typically runs every 40 minutes. If you need to provision a user group immediately, you can use the 'Provision on-demand' functionality. This allows you to create the group within seconds.
User Group-enabled customers will be able to install Okta and Microsoft Entra ID only. Other integrations like GSuite, LDAP, OneLogin, and Transact will be unavailable for installation.
User Role Hierarchy
The hierarchy of the User role has been changed from Level 3 to Level 4. Administrators will not be able to clone, edit, or delete this role. Additionally, the option to create a new role at Level 4 is not available.
Note: This change will be visible to User Group-enabled customers only.
User Group API Keys
API keys are created for both Configuration and Memberships. These keys will allow your customized application to authenticate and access the User Group resources of Genea.
To create User Group Key, follow the steps mentioned in this article.
If the User Group is enabled for your account and you are utilizing the User APIs for your solution, you should use the newer version of the User APIs v2.1. For detailed documentation, please refer to the API Documentation.
If you want to grant Additional Physical Access to the user, utilize Additional Physical Access APIs.
User Creation Flow
Previously, assigning an Access Group, Role, and Location was mandatory for user creation and activation. Now, Location assignment is no longer required. Users can be created by simply providing the Name, Email, and User Group (optional).
User Groups managed through directories will appear in a disabled state and cannot be selected. Only User Groups created manually within the Genea web application are available for selection.
New Changes in User Profile
User Group table
Within the User Profile, the User Group table displays the list of User Groups to which the respective user belongs. The table will be displayed based on the User Group permissions.
Users with appropriate permissions can manage their User Groups, including adding and removing themselves from the User Groups.
Note: User Groups managed through directories will appear in a disabled state and cannot be selected. Only User Groups created manually within the Genea web application are available for selection.
Additional Access
Additional access may be required for various reasons, such as when a user needs temporary access to different locations or to a specific access group. This can include scenarios like project-based work or temporary assignments.
Users can be granted additional access beyond the permissions provided by their User Group. This additional access can be either temporary or permanent.
The steps to configure the additional access are as follows:
Access the user's profile and go to the Additional Access tab.
Click on the 'Add' button to open the configuration pop-up.
Configure Access:
Select Access Group: Choose the appropriate access group that the user requires.
Select Location: Choose the relevant location for which the additional access is needed.
Set Duration: Specify the duration of the access:
For temporary access, enter the start and end times.
To provide permanent access, check the 'Never' checkbox.
Note: All available locations and access groups related to the selected location will be displayed in the configuration pop-up.
Access View
Users can now view their access details from their profile in three distinct views:
Locations View: Lists all locations the user can access along with the role for the respective locations.
Access Groups View: Displays the access groups the user is part of.
Doors View: Shows the specific doors the user can access, as granted through their Access Groups.