7 Replies Latest reply on Dec 12, 2013 10:28 AM by mnevill

    Long-term management of permission groups?


      We have some users who have created Spaces where the target audience is a large group of managers/executives, so the content needs to be secure just to that group, but they need to manage who has access on a granular level. The users have permission groups created for the audience, but will need to update those groups on a quarterly basis.  In Groups, the membership list can be exported, so comparing who has access to an updated list of who needs access is easy.  But it does not look like you can export the list of users in a permission group.


      So how can someone maintain long-term management of a Space Permission Group?



        • Re: Long-term management of permission groups?
          Kara Francis

          We wrote a SQL report and are able to extract that data directly from the database (in response to your question about exporting group members).  As far as maintaining the groups themselves, that is a little bit of work in that an admin needs to do it for the group owners (unless someone can tell me how to give a permissions group owner access to the admin console to only be able to update his permission group).


          We wanted to go the AD group route, but our update process there is very cumbersome (each user has to request to be added, then someone has to approve it).  This I'm sure is an internal policy, but I don't have control over changing that.  So the permissions group owner sends us a list of IDs to add or remove, then we use the Admin Essentials plug-in to update the permissions group.

          • Re: Long-term management of permission groups?
            Dennis Pearce

            I don't know if it is feasible for your organization to sync with LDAP or AD, but we have ours synced with LDAP so that permission group membership is managed in LDAP rather than in Jive.  Makes it pretty easy to see the list of members and also allows a group to be managed in one place but leveraged by multiple applications (not just Jive).

              • Re: Long-term management of permission groups?

                Hi Dennis - we are in a similar situation in that we use LDAP / AD - we are also struggling to manage permission / user groups.  Can I ask how you are using AD to manage the groups?



                  • Re: Long-term management of permission groups?
                    Dennis Pearce

                    Our product development teams are using Jive to collaborate, so we have a very similar situation to yours -- we have spaces that need to be accessed by very large numbers of people (sometimes hundreds) but not everyone.  We synced Jive with our LDAP systems so that LDAP groups are replicated into Jive as user groups where they are then available for space permissions.  The sync happens once a day so if an employee creates a new group in LDAP or changes its membership, by the next day the change will be reflected in Jive.


                    The group management on the LDAP side has been mostly manual, but just recently our Identity Management team integrated our LDAP and Peoplesoft so that department-based groups are automatically generated and maintained as staffing changes are made in Peoplesoft.  So these groups are now also available in Jive for access control.  There will still need to be manually created groups for things like cross-functional project teams, but the automated department groups will cover a lot of typical access control use cases.

                      • Re: Long-term management of permission groups?

                        Thanks Dennis- extremely helpful.

                        We are also looking at the OKTA solution too - not sure if it has this capability or not

                          • Re: Long-term management of permission groups?

                            We have 100% of our company allocated to various spaces in Jive. All of the Spaces are mapped to ActiveDirectory groups. This keeps IT happy.  The nice thing is that you can then apply user overrides to those specific spaces so that permissions and maintenance can happen.  This is pretty easy to see in the "Manage" dropdown of the space (if you have administrative access to that space). 


                            We do have OneLogin as our SSO, but it ties to our AD/LDAP structure. It's those AD groups that help, not the SSO (just to save you time in the search of solution).  Okta/OneLogin handle identity verification/access as they validate the AD/LDAP lookup through SAML.  That's a lot of jargon in once sentence but reinforces the power that AD groups have.


                            Here's a better picture for you, from the permissions pane in the Admin console:


                            Screen Shot 2013-12-12 at 9.22.32 AM.png


                            So in this regard you have AD groups, with various levels of access, and specific peeps with their own empowerment (so a small team of people can manage)


                            In order to do this, you need to ensure that your ActiveDirectory (or LDAP) system is fully operational and that you have security groups in place.  Your IT dept will love that. This is our setup in the People/Settings/Directory Settings/Group Mapping pane:


                            Screen Shot 2013-12-12 at 9.24.33 AM.png

                            ...and that group Filter is: (&(objectClass=group)(groupType=-2147483646))

                    • Re: Long-term management of permission groups?

                      Here is the query to get the list of users in a system permission group: Re: export of users in a permission group