Configure Dynamic User Groups

When JumpCloud groups are created, by default they are Static User Groups - groups with fixed memberships that must be changed manually. Static User Groups are best for situations when the membership is primarily unchanging, and the membership in the group cannot be formed using an easily-defined criteria. But, modern-day IT operations are complex and challenging. IT admins no longer manage Windows-only environments with local users secured by a firewall. Today's trends entail enterprise mobility, BYOD management, multi-OS environments, etc., making IT operations both complex and crucial.

Dynamic User Groups facilitate automatic membership changes, depending upon the membership conditions set by the admin. If a user meets a meets particular criteria, they get added to a group. Likewise, if a user no longer meets the criteria, they are automatically removed from the group. Onboarding new users or adjusting group membership when conditions change for individual users and groups is seamlessly and instantly completed.

Benefits of Dynamic User Groups:

  • Immediate Group Membership updates – membership changes immediately upon the user or group’s conditions changing. Group membership updates are made nightly and also whenever the following events occur:
    • A change is made to the group – rules or otherwise.
    • A user attribute value changes.
    • A new user is created.
  • Automatic Access – after a user or group’s conditions change, they are automatically assigned to the appropriate resource groups, like device or application groups.
  • Compliance – admins can review reports on dynamic and static membership group assignments.

Enabling Dynamic User Groups

Tip:

Here's a guided simulation: Enable and Configure Dynamic User Groups.

  1. Log in to the JumpCloud Admin Portal.
  2. Go to USER MANAGEMENT > User Groups.
  3. Create a new group or choose an existing group.
  4. Navigate to Details > Membership Controls.
  5. Select the Dynamic radio button. Optionally, if you would like to review membership updates before they implemented, select:
    • Require administrator review of updates – to review group membership updates in the Admin Portal.
      • Receive emails when administrator review is needed for updates – to receive approval emails notifying all administrators of membership changes.

Important:

If Require administrator review of updates is not selected, dynamic group membership changes will be automatic with no notification. As a result, you may experience unplanned system disruptions. It is highly recommended to use the Require administrator review of updates option first to verify group membership changes. After verifying group membership is functioning as desired, then deselect this option.

Configuring Dynamic User Groups

Warning:

There is no validation when creating a dynamic user group, so you can potentially create illogical or contradictory user group rules resulting in incorrect group membership. Previewing your group's membership before saving it is highly recommended.

  1. After enabling Dynamic User Groups, click the dropdown under the Attribute column and choose the desired attribute from the list. The following attributes are available:
    • Company
    • Cost Center
    • Department
    • Description
    • Employee Type
    • Job Title
    • Location
    • Manager
    • User State
  2. Expand the dropdown under Operator and choose equalsnot equals, or starts with for each attribute.

Note:

At this time, the starts with operator will only work with one value. The plus icon will be greyed out.

  1. In the Value text field, enter the desired value. Select (+) to add multiple values to one group attribute. This acts as an “or” operator for the different values. Using the example below, the group’s membership includes users whose Location equals “Miami” or “Ft. Lauderdale” or “Boca Raton”.

Important:

The values for the conditions are case-sensitive and must match exactly to what is entered in the user's record. Using the example below, if the dynamic group's rule is Location equals "Ft. Lauderdale" and the user's Location is "Fort Lauderdale", the user will not be included in the group membership.

  1. Select Add Condition to add multiple attributes to one group. This acts as an “and” operator for the different attributes. Using the example below, the FL Technical Writers group membership includes users whose Job Title equals “Technical Writer 2” or “Technical Writer 3” and Location equals “Florida” for a Florida-based Technical Writers user group.
  1. Click Preview to see which users are affected by the conditions of the group.
  2. After reviewing the group membership, click Close.
    • If the preview is incorrect, modify the conditions and click Preview again.
    • If the review is correct, click save.
  3. You will receive a User Group Successfully Created message.

Administrator Review of Updates

When configuring a dynamic user group, you have the option to enable Require administrator review of updates before membership changes are made. All administrators, except those with Read Only or Help Desk roles, will be able to review and accept or reject membership updates in the Admin Portal. You can also enable Receive emails when administrator review is needed for updates to receive Suggestions emails.

To review membership updates

  1. Click Review Suggestions in the Suggestions email or Review next to the group in the Admin Portal.
  2. The Review Group Membership window will appear showing which users are affected by the conditions of the group.
  1. After reviewing the suggestions:
    • If incorrect, click Close, modify the conditions and save the group. Click Review again.
    • If correct, select the users to be added and click Accept and Save.

Important:

Actions to unbind a policy* that has been bound to a user or device through its membership in a dynamic group will not take effect; the rules of the dynamic group will re-bind the user or device. If you want to remove a policy* from an individual user or device, you must create an exemption for that user or device within the dynamic group.


*Or other types of bindings, such as SSO applications, commands or software.

Using Exemptions

The workflow below shows three different flows when implementing Dynamic User Groups with user exemptions.

  1. Jason is bound to the Denver group but has recently relocated to Chicago. He still needs certain resources that are associated with the Denver group. If Jason is added to the User Exemptions List, he will remain in the group though his Location has changed from “Denver” to “Chicago”. If he is not added to the User Exemptions List, he will be instantly removed from the Denver group when the admin updates his Location in his User Details.
  2. Mark is bound to the Denver group and his Location is “Denver”. He will stay in the group regardless of the User Exemptions List.
  3. Stacy is not bound to the Denver group. If Stacy is added to the User Exemptions List, she will never be added to the Denver group. If Stacy is not added to the User Exemptions List, she will be instantly added to the Denver group when the admin adds “Denver” as her location.

To add users to the User Exemptions List

Warning:

A limit of 25 exemptions can be made to a dynamic group. If you exceed this limit, a This group has reached its exemption limit message will appear, and you will not be able to add more exemptions.

  1. In the Exemptions section, click in the field underneath Users to include or Users to exclude.
  2. Start typing in the name of the user you would like to add to the list and then select the box next to the user in the dropdown.
    • Users will appear in alphabetical order.
    • Selected users will appear as pills below the Search bar.
  3. When finished adding users, click save.

Important:

Exemptions configured to include or exclude a user from a user group are NOT reflected in the Preview Group Membership modal. You can review the Exemptions List by looking at the pills beneath Users to include or Users to exclude or by navigating to the group's Users tab and confirming that Manual Include is listed for that user in the Exemption column.

To remove a user from the User Exemptions List

  1. In the Exemptions section, find the user’s pill underneath the Search bar. 
  2. Click the ‘x’ next to their name.
  3. When finished removing users, click save.

Disabling Dynamic Groups

  1. Log in to the JumpCloud Admin Portal.
  2. Go to USER MANAGEMENT > User Groups.
  3. Select the group for which you would like to disable automation.
  4. Select the Static radio button.
  5. Click save.

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case