Add/Remove Groups for a User

This topic describes how to modify group membership for existing user accounts.

Before you begin

Create Users

About this task

While it is possible to assign multiple scopes/groups to clients and users, it is advisable to exercise caution and follow these recommendations:
  • Adhere to the principle of least privilege: Grant users only the privileges and permissions they need to perform their tasks. Applying this principle helps to minimize potential security risks. Assigning too many scopes to a user grants unnecessary privileges, which increases the attack surface and the potential for unauthorized access.
  • Keep the token size within acceptable limits: The size of an access token or JWT (JSON Web Token), commonly used for authentication and authorization, varies with the number of scopes assigned to a user. If a user has an excessive number of scopes, the JWT can become large. As a result, when the user attempts to access an application, the HTTP requests that the application makes to validate the token may be affected. If the default settings of the web server hosting the application limit the request size, the request can be blocked or rejected when the token size exceeds the set limit.
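The following is an added example, not part of the product or its documentation, that measures how the Authorization header grows with the number of scopes in a token and flags tokens that approach a request-size limit. The 8192-byte limit, the `scope` claim holding a list of group names, and the sample scope names are assumptions made for illustration.

```python
import base64
import json

# Assumed limit for illustration only; use the header/request size limit
# configured on the web server that hosts your application.
HEADER_LIMIT_BYTES = 8192

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def build_sample_token(scopes, sig_len=256):
    """Constructed token for size measurement; the signature is filler bytes."""
    header = {"alg": "RS256", "typ": "JWT"}
    payload = {"sub": "sample-user", "scope": list(scopes), "exp": 1700000000}
    parts = [json.dumps(p, separators=(",", ":")).encode() for p in (header, payload)]
    return ".".join([_b64url(parts[0]), _b64url(parts[1]), _b64url(b"\x00" * sig_len)])

def token_scopes(token: str) -> list:
    """Read the scope claim from the payload (no signature verification)."""
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("expected a three-part JWT")
    body = segments[1] + "=" * (-len(segments[1]) % 4)  # restore padding
    scope = json.loads(base64.urlsafe_b64decode(body)).get("scope", [])
    return scope.split() if isinstance(scope, str) else list(scope)

def audit_token(token: str, limit=HEADER_LIMIT_BYTES, warn_ratio=0.75) -> dict:
    """Report scope count and the size of the Authorization header line."""
    header_bytes = len(("Authorization: Bearer " + token).encode("ascii"))
    if header_bytes > limit:
        status = "over-limit"
    elif header_bytes > limit * warn_ratio:
        status = "near-limit"
    else:
        status = "ok"
    return {"scopes": len(token_scopes(token)), "header_bytes": header_bytes,
            "status": status}

def sample_scopes(n):
    return [f"app.group{i:04d}.read" for i in range(n)]  # constructed names

if __name__ == "__main__":
    for n in (5, 250, 400):
        print(n, audit_token(build_sample_token(sample_scopes(n))))
```

Running the audit against real tokens before and after a group change shows whether the change moves a user toward the limit.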

Procedure

  1. Go to Proficy Authentication > Security > Users.
    The list of existing user accounts appears.
  2. Select the user account for which you want to modify group membership.
    The existing information for the user appears on the DETAILS panel.
  3. Select next to the GROUP MEMBERSHIP section.

    The Group Membership screen appears.

  4. Select the check box for each group to which you want to add the user as a member.
    To remove a group, clear the check box.
    Important: Do not select the check box for the iqp.studioAdmin group for any users or groups. This group is reserved; to avoid runtime errors, make sure no user accounts or groups are assigned to it.
  5. Select Apply.

Results

The groups are added for (or removed from) the user.
Note: If a logged-in user attempts to remove their own scopes/groups, the remove operation may fail and result in an error: Error while assigning the group. In such instances, the user should log out of the Configuration Hub application and log in again. We recommend that logged-in users avoid removing their own scopes.