GroupID 9 and above - Self-Service & Automate
To ensure that our groups always have an owner, we want to set up a policy that will:
- require users to specify a primary owner during group creation, and
- ensure that the owner cannot be removed afterwards.
This configuration is important for keeping your directory clean. Every group must have an owner who is the responsible contact for the group. By applying the Group Owners policy using GroupID, you ensure that you will not have orphaned groups in the future.
By default, the Group Owners policy is not configured. You can enforce it at the role level in an identity store.
- In GroupID Management Console, click the Identity Stores node.
- On the Identity Stores tab, double-click an identity store to open its properties.
- Click the Security Roles tab.
- Select a role to configure the Group Owners policy for it and click Edit.
- On the Role Properties page, click the Policies tab.
- Click Group Owners in the left pane.
- Select the Primary Owner is required check box.
This ensures that when a role member creates a group using Automate or the Self-Service portal, he or she must specify a primary owner for it. Moreover, when a role member modifies the group, he or she can change the primary owner, but cannot remove it.
- Click Apply and then OK.
With this setting in place, the primary owner is enforced as shown below.
Impact on the Self-Service portal:
A role member cannot create a group without an owner because a primary owner will be enforced automatically:
Impact on Automate:
When a role member tries to create a group without specifying a primary owner, he or she will get the following message:
Similarly, when a role member tries to clear the primary owner of a group in group properties, he or she will get the following message:
Important: For Automate, the Group Owners policy does not apply to groups that were created before the policy was specified. The warning message is displayed but changes are saved. For groups that are created after the policy is enforced, changes are not saved unless they conform to the policy.
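Because groups created before the policy was specified are not blocked in Automate, an audit of existing groups is a useful companion check. The following PowerShell is an added example, not part of GroupID or the original article; it assumes an Active Directory identity store in which the primary owner is held in the group's managedBy attribute, and the search base, function name and output file name are constructed placeholders.

```powershell
# Added example (not GroupID code). Assumption: the identity store is Active
# Directory and the primary owner is stored in each group's managedBy attribute.
Import-Module ActiveDirectory

# Constructed placeholder; replace with the container that holds your groups.
$searchBase = 'OU=Groups,DC=example,DC=com'

function Get-GroupOwnerFinding {
    param([Parameter(Mandatory)][string]$SearchBase)

    # 1. Groups with no owner set at all (orphaned groups).
    Get-ADGroup -LDAPFilter '(!(managedBy=*))' -SearchBase $SearchBase -Properties whenCreated |
        ForEach-Object {
            [pscustomobject]@{
                Group       = $_.Name
                WhenCreated = $_.whenCreated
                Owner       = $null
                Finding     = 'No primary owner'
            }
        }

    # 2. Groups whose owner exists but is a disabled user account.
    Get-ADGroup -LDAPFilter '(managedBy=*)' -SearchBase $SearchBase -Properties managedBy, whenCreated |
        ForEach-Object {
            $owner = Get-ADObject -Identity $_.managedBy -Properties userAccountControl
            # Bit 0x2 of userAccountControl is ACCOUNTDISABLE.
            if ($owner.ObjectClass -eq 'user' -and ($owner.userAccountControl -band 0x2)) {
                [pscustomobject]@{
                    Group       = $_.Name
                    WhenCreated = $_.whenCreated
                    Owner       = $owner.Name
                    Finding     = 'Owner account disabled'
                }
            }
        }
}

# Write both kinds of finding to a CSV for review.
Get-GroupOwnerFinding -SearchBase $searchBase |
    Sort-Object Finding, WhenCreated |
    Export-Csv -Path .\group-owner-audit.csv -NoTypeInformation
```

The WhenCreated column lets you separate groups that predate the policy from any created afterwards.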
How To: Ensure/enforce minimum number of additional owners for groups
GroupID Online Help topic: Group Ownership Enforcement policy