Manage group policies

Group policies let you override global settings for specific groups of users. When you create a group policy and change a setting, the change applies only to the users in the group assigned to that group policy.

Example

You have a group of banking users who authenticate using one‑time passwords (OTPs). For added security, you want these users to use longer OTPs than the length defined in the global settings, while other users continue to use the default length. A group policy lets you set a longer OTP length for that group without changing the global setting for everyone else.

Group policy hierarchy

If more than one group policy applies to the same setting, Identity as a Service uses the policy with the highest priority. For example, if one OTP policy applies only to Group A and has a higher priority than another policy that applies to Groups A and B, the higher‑priority policy takes effect for Group A. You can change policy priority by dragging policies into a new order on the Group Policies page.

info

Before you begin, you must create the required groups. See Create and manage groups, Import groups, and Import users and groups.

Group policy override options

Using group policies, you can override the global settings for the following:

  • General authenticator settings
  • Authenticators
  • User Portal available authenticators
  • Authenticator Provisioning
  • Registration
  • Verification
  • Risk-based authentication

Add group policies

Follow these steps to add group policies.

  1. Click > Policies > Group Policies. The Group Policies page appears.

  2. Click . The Add Group Policy page appears.

    note

    Click to view the overrides to the global policies.

  3. Select Enabled to apply the group policy to the selected groups.

  4. Enter a Name for the group.

  5. Select the Group from the drop-down list.

    note

    You can select Active Directory (AD) groups for a group policy. However, IDaaS disables the policy if the AD group is the only group assigned to the policy and that group is deleted from Active Directory and later removed from Identity as a Service during AD synchronization.

  6. To add more groups, repeat the previous step. If you want to remove a group from the group policy, click next to the group.

  7. To add overrides to the group policy, in the Settings Category click Add.

  8. From the Settings drop-down list, select the Setting or Authenticator you want to override for the group. The global settings for your selection appear.

  9. Change the required global settings for the group policy.

  10. Click Save to save the changes to override the global settings and apply new settings to the group or groups only.

  11. To add another Settings Category:

    1. Click Add again.
    2. Select the Settings from the drop-down list.
    3. Using the links provided in the Settings categories section for help, make the required changes.
    4. Click Save.

Settings categories

The following settings and authenticator categories can be overridden in a group policy.

Settings categories

Authenticator settings categories

Administrator role

When you select this option, the selected role is dynamically applied to users in the group. The group policy applies the role only to users who do not already have a predefined role.

For example, if the group policy assigns the Auditor role to users in GroupA:

  • User1 is in GroupA but already has the Help Desk Administrator role, so the group policy does not change User1's role.
  • User2 is in GroupA and has no role assigned, so the group policy dynamically assigns User2 the Auditor role.

See Add users for more information on user settings.
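The following Python model is an added example, not Entrust code or an Identity as a Service API. It works through the priority rule from "Group policy hierarchy" and the Administrator role rule above, so you can check which policy supplies each setting for a user before reordering policies. The setting names, policy names, and values are constructed, and it assumes that a lower-priority policy still supplies any setting that no higher-priority policy overrides.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class GroupPolicy:
    name: str
    groups: frozenset                               # groups assigned to the policy
    overrides: dict = field(default_factory=dict)   # setting -> overriding value
    role: Optional[str] = None                      # Administrator role override
    enabled: bool = True

def resolve(user_groups, predefined_role, global_settings, policies):
    """Return (settings, sources, role) for one user.

    `policies` is ordered highest priority first, like the Group Policies page.
    """
    settings = dict(global_settings)
    sources = {key: "global" for key in global_settings}
    decided = set()           # settings already claimed by a higher priority
    role = predefined_role
    for policy in policies:
        if not policy.enabled or not policy.groups & set(user_groups):
            continue          # disabled, or not assigned to the user's groups
        for key, value in policy.overrides.items():
            if key not in decided:   # assumption: resolution is per setting
                settings[key], sources[key] = value, policy.name
                decided.add(key)
        if role is None and policy.role:
            role = policy.role       # only users without a predefined role
    return settings, sources, role

# Constructed sample data (hypothetical setting names and values).
GLOBAL = {"otp_length": 6, "otp_lifetime_s": 300}
POLICIES = [
    GroupPolicy("Banking OTP", frozenset({"GroupA"}), {"otp_length": 10}),
    GroupPolicy("Branch OTP", frozenset({"GroupA", "GroupB"}),
                {"otp_length": 8, "otp_lifetime_s": 120}),
    GroupPolicy("Auditors", frozenset({"GroupA"}), role="Auditor"),
]

if __name__ == "__main__":
    users = [("User1", {"GroupA"}, "Help Desk Administrator"),
             ("User2", {"GroupA"}, None),
             ("User3", {"GroupB"}, None)]
    for user, groups, predefined in users:
        print(user, resolve(groups, predefined, GLOBAL, POLICIES))
```

The `sources` mapping is the part worth reviewing after any reorder: it shows whether a security-relevant setting now comes from a weaker policy or has fallen back to the global value.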

Tenant

Available only to Service Providers.

Manage group policies

When you have finished adding your overrides to the group policy, you can manage them as follows:

  1. Click > Policies > Group Policies to return to the Group Policies page. The group policies appear on this page.
  2. Do the following as required:
    • Toggle to enable or disable a group policy.
    • Click to drag and drop a group policy to change its place in the priority order.
    • Click next to the group policy to delete it.