Learn how to create a Cloud Dynamic User Group in the Cloud Identity Engine.
Cloud Dynamic User Groups simplify the creation of group-based Security policy by
providing adaptable and granular group membership that updates automatically based
on the criteria (also known as context or attributes) you specify. This allows you
to create policy that adapts to changes in user behavior, relocation, and other
conditions where context plays a key role in determining access.
As work locations change and users take on different roles in an organization,
determining user privileges based on attributes such as department or location is no
longer sufficient. Cloud Dynamic User Groups provide a simplified and automated
solution by allowing you to specify the context for group membership based on
attributes that can change (such as location, department, or title), allowing you to
create more responsive group-based policy.
You can also create static groups where membership remains constant until you
manually change it (for example, to quickly reassign privileges or isolate an
account that may be exhibiting unusual or risky behavior based on specific events).
If you are using Microsoft Active Directory Identity
Protection, you can use the risk assessment information to create Cloud
Dynamic User Groups based on a user's risk level or anomalous user behavior, such
as an unusual login location.
If you are using the client credential flow for Azure AD, you must grant the
following permissions in the Azure Portal to enable support for risk-based
attributes:
  IdentityRiskyUser.Read.All
  IdentityRiskEvent.Read.All
If you haven't already done so, configure your directory for the type of Cloud
Dynamic User Group you want to create.
Select the Category for the group:
  Attribute Based—Select the criteria for the dynamic group based on attributes.
  On Demand Assignment—Assign specific users to a static group.
Enter the Common Name for the group. This automatically generates a Distinguished
Name for the group, which the Cloud Identity Engine, Prisma Access, and firewalls use
to identify the group. The Cloud Identity Engine appends _CDUG to the name you enter
to indicate that the group is a Cloud Dynamic User Group.
(Optional) Enter a Group Email for the group.
(Optional) Enter a Description for the group.
Depending on the group Category you selected in Step 4, select either the attributes
that define the group or the users you want to add to the group.
(Attribute Based only) Select whether group members must match Any of the criteria
or match All of the criteria you select.
(Attribute Based only) Click Select context or attribute to select the context or
attribute you want to use to define the group.
(Attribute Based only) Click Select operator to select the operator. The operators
that are available depend on the context or attribute you selected in the previous
step.
  is equal to—Adds members to the group who are an exact match for a single
  attribute or context.
  is equal to ANY of the following—Adds members to the group who are an exact match
  for one or more of the attributes or contexts.
  is not equal to—Adds members to the group who do not match the attribute or
  context.
  contains—Adds members to the group whose attribute or context contains the term
  you enter.
  starts with—Adds members to the group whose attribute or context begins with the
  characters you enter.
(Attribute Based only) Click Select value to select the value (if the operator is
is equal to) or values (if the operator is is equal to ANY of the following) for the
group members. If the operator is contains or starts with, enter the value.
(Optional) To include additional criteria for the Cloud Dynamic User Group, select
how to combine them and repeat the previous steps as needed to add the necessary
criteria for the group.
  Add OR—Adds members to the group when at least one of the criteria applies.
  Add AND—Adds members to the group only when all of the criteria apply.
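As an added illustration of how the operators and the Any/All (OR/AND) combinations above resolve to group membership, the following Python is not Cloud Identity Engine code; the attribute names (department, title, location, risk_level), the case-insensitive text matching, the missing-attribute rule and the directory records are all constructed assumptions.

```python
# Added illustration only, not Cloud Identity Engine code: the attribute names
# (department, title, location, risk_level) and the directory records are constructed.
from dataclasses import dataclass

# UI operators keyed by label; case-insensitive text matching is an assumption, not documented.
OPERATORS = {
    "is equal to": lambda actual, expected: actual == expected,
    "is equal to ANY of the following": lambda actual, expected: actual in expected,
    "is not equal to": lambda actual, expected: actual != expected,
    "contains": lambda actual, expected: expected.lower() in actual.lower(),
    "starts with": lambda actual, expected: actual.lower().startswith(expected.lower()),
}

@dataclass
class Criterion:
    attribute: str  # the selected context or attribute
    operator: str   # one of the OPERATORS keys
    value: object   # a string, or a set of strings for "is equal to ANY of the following"
    def matches(self, user: dict) -> bool:
        actual = user.get(self.attribute)
        # Assumption: a record that lacks the attribute never matches, so a missing
        # risk attribute cannot silently satisfy "is not equal to".
        return actual is not None and OPERATORS[self.operator](actual, self.value)

@dataclass
class CloudDynamicUserGroup:
    common_name: str
    criteria: list
    match: str = "All"  # "Any" (Add OR) or "All" (Add AND) across the criteria
    def members(self, users) -> list:
        combine = any if self.match == "Any" else all
        return sorted(u["name"] for u in users if combine(c.matches(u) for c in self.criteria))

SAMPLE_USERS = [  # constructed directory records; dave has no risk attribute
    {"name": "alice", "department": "Finance", "title": "Senior Accountant", "location": "London", "risk_level": "low"},
    {"name": "bob", "department": "Engineering", "title": "Site Reliability Engineer", "location": "Austin", "risk_level": "high"},
    {"name": "carol", "department": "Finance", "title": "Controller", "location": "Austin", "risk_level": "medium"},
    {"name": "dave", "department": "Sales", "title": "Account Executive", "location": "London"},
]

def finance_in_austin() -> list:  # match All: department is Finance AND location is Austin
    group = CloudDynamicUserGroup("finance-austin", match="All", criteria=[
        Criterion("department", "is equal to", "Finance"),
        Criterion("location", "is equal to", "Austin")])
    return group.members(SAMPLE_USERS)  # ['carol']

def needs_review() -> list:  # match Any: elevated risk level OR an SRE title
    group = CloudDynamicUserGroup("needs-review", match="Any", criteria=[
        Criterion("risk_level", "is equal to ANY of the following", {"medium", "high"}),
        Criterion("title", "starts with", "site reliability")])
    return group.members(SAMPLE_USERS)  # ['bob', 'carol']
```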
(On Demand Assignment only) Click Add Users to view the list of possible group
members.
(On Demand Assignment only) Select the users you want and Add them to the group.
To filter the list of possible group members, enter a search term and Apply Search,
optionally selecting either Text Search or Substring Search.
(Optional) To delete one of the contexts or attributes, click Delete in the row that
contains the context or attribute you want to remove.
If you enabled user risk information collection in step 1.2, verify that the Cloud
Identity Engine can successfully collect the information by clicking the locked user
icon and verifying that