When JumpCloud groups are created, by default they are Static User Groups: groups with fixed memberships that must be changed manually. Static user groups are best when the membership is primarily unchanging and cannot be formed using easily defined criteria. But modern-day IT operations are complex and challenging. IT admins no longer manage Windows-only environments with local users secured by a firewall. Today's trends entail enterprise mobility, BYOD management, multi-OS environments, etc., making IT operations both complex and crucial.
Dynamic User Groups facilitate automatic membership changes, depending upon the membership conditions set by the admin. If a user meets particular criteria, they get added to a group. Likewise, if a user no longer meets the criteria, they are automatically removed from the group. Onboarding new users or adjusting group membership when conditions change for individual users and groups is seamlessly and instantly completed.
Benefits of Dynamic User Groups:
- Immediate Group Membership updates - membership changes immediately upon the user or group’s conditions changing. Group membership updates are made nightly and also whenever the following events occur:
  - A change is made to the group – rules or otherwise
  - A user attribute value changes
  - A new user is created
- Automatic Access - after a user or group’s conditions change, they are automatically assigned to the appropriate resource groups, like device or application groups.
- Compliance - admins can review reports on dynamic and static membership group assignments.
Enabling Dynamic User Groups
- Log in to the JumpCloud Admin Portal.
- Go to USER MANAGEMENT > User Groups.
- Create a new group or choose an existing group.
- Navigate to Details > Membership Controls.
- Select the Dynamic radio button. Optionally, if you would like to review membership updates before they are implemented, select:
  - Require administrator review of updates - to review group membership updates in the Admin Portal
  - Receive emails when administrator review is needed for updates - to receive approval emails notifying all administrators of membership changes
If Require administrator review of updates is not selected, dynamic group membership changes will be automatic with no notification. As a result, you may experience unplanned system disruptions. It is highly recommended to use the Require administrator review of updates option first to verify group membership changes. After verifying group membership is functioning as desired, then deselect this option.
Configuring Dynamic User Groups
There is no validation when creating a dynamic user group, so you can potentially create illogical or contradictory user group rules resulting in incorrect group membership. Previewing your group's membership before saving it is highly recommended.
- After enabling Dynamic User Groups, expand the Attribute dropdown and choose one of the following attributes from the list:
  - Company
  - Cost Center
  - Department
  - Description
  - Company Email
  - Employee Type
  - Job Title
  - Location
  - Manager
  - User State
  - Custom Attribute
- Expand the Operator dropdown and choose one of the following for each attribute:
  - equals
  - not equals
  - starts with
  - ends with
  - contains
  - does not contain
  At this time, the following operators will only work with one value. The plus icon will be greyed out.
  - starts with
  - ends with
  - contains
  - does not contain
- In the Value text field, enter the desired value. Select (+) to add multiple values to one group attribute. This acts as an “or” operator for the different values. Using the example below, the group's membership includes users whose Location equals “Miami” or "Ft. Lauderdale" or "Boca Raton".
The values are case-sensitive and must match exactly to what is entered in the user's record. Using the example below, if the dynamic group's rule is Location equals "Ft. Lauderdale" and the user's Location is "Ft Lauderdale" (without the period), the user will not be included in the group membership.
- Select Add Condition to add multiple attributes to one group. This acts as an “and” operator for the different attributes. Using the example below, the FL Technical Writers group membership includes users whose Job Title equals “Technical Writer 2” or "Technical Writer 3" and Location equals “Florida” for a Florida-based Technical Writers user group.
- Click Preview to see which users are affected by the conditions of the group.
- After reviewing the group membership, click Close.
  - If the preview is incorrect, modify the conditions and click Preview again.
  - If the review is correct, click Save Group.
- You will receive a User Group saved successfully message.
To use custom attributes
Custom attributes can be used to store additional information about your users that isn’t provided in one of JumpCloud's standard user attributes. There are some limitations when configuring custom attributes for users and other limitations when using those custom attributes for dynamic group membership:
- Maximum number of custom attributes per group is five (5)
- No validation is done for custom attributes - the value entered must match the users' custom attribute(s) exactly, including case
- Group membership rules configured with custom attributes that are not present in user records will not be applied to those users, even if the rule uses the does not contain or not equals operator
- Custom group inherited user attributes are not supported for dynamic group membership
Administrator Review of Updates
When configuring a dynamic user group, you have the option to enable Require administrator review of updates before membership changes are made. All administrators, except those with Read Only or Help Desk roles, will be able to review and accept or reject membership updates in the Admin Portal. You can also enable Receive emails when administrator review is needed for updates to receive Suggestions emails.
To review membership updates
- Click Review Suggestions in the Suggestions email or Review next to the group in the Admin Portal.
- The Review Group Membership window will appear showing which users are affected by the conditions of the group.
- After reviewing the suggestions:
  - If incorrect, click Close, modify the conditions and save the group. Click Review again.
  - If correct, select the users to be added and click Accept and Save.
- Click Save Group.
Actions to unbind a policy* that has been bound to a user or device through its membership in a dynamic group will not take effect; the rules of the dynamic group will re-bind the user or device. If you want to remove a policy* from an individual user or device, you must create an exemption for that user or device within the dynamic group.
*Or other types of bindings, such as SSO applications, commands or software.
Using Exemptions
The workflow below shows three different flows when implementing Dynamic User Groups with user exemptions.
- Jason is bound to the Denver group but has recently relocated to Chicago. He still needs certain resources that are associated with the Denver group. If Jason is added to the User Exemptions List, he will remain in the group though his Location has changed from “Denver” to “Chicago”. If he is not added to the User Exemptions List, he will be instantly removed from the Denver group when the admin updates his Location in his User Details.
- Mark is bound to the Denver group and his Location is “Denver”. He will stay in the group regardless of the User Exemptions List.
- Stacy is not bound to the Denver group. If Stacy is added to the User Exemptions List, she will never be added to the Denver group. If Stacy is not added to the User Exemptions List, she will be instantly added to the Denver group when the admin adds “Denver” as her location.
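The rule semantics from Configuring Dynamic User Groups and the exemption flows above can be modeled locally to sanity-check a rule set before saving it. This is an added example, not JumpCloud code: the record layout, the function names and the `badge_type` custom attribute are assumptions, and the sample users are constructed.

```python
# Added illustration (not JumpCloud code); names and data layout are assumptions.
OPERATORS = {
    "equals": lambda actual, value: actual == value,
    "not equals": lambda actual, value: actual != value,
    "starts with": lambda actual, value: actual.startswith(value),
    "ends with": lambda actual, value: actual.endswith(value),
    "contains": lambda actual, value: value in actual,
    "does not contain": lambda actual, value: value not in actual,
}
SINGLE_VALUE_ONLY = {"starts with", "ends with", "contains", "does not contain"}

def condition_matches(user, condition):
    attribute, operator, values = condition
    if operator in SINGLE_VALUE_ONLY and len(values) != 1:
        raise ValueError(f"'{operator}' works with one value only")
    actual = user.get(attribute)
    if actual is None:
        # Attribute absent from the record: the rule is not applied to this
        # user, even for "not equals" / "does not contain".
        return False
    # Several values on one attribute act as "or"; matching is case-sensitive.
    return any(OPERATORS[operator](actual, value) for value in values)

def is_member(user, conditions, include=(), exclude=()):
    # Exemptions override the rules. Checking "exclude" first is an assumption;
    # the page does not say what happens if a user is on both lists.
    if user["username"] in exclude:
        return False
    if user["username"] in include:
        return True
    # Several conditions on one group act as "and".
    return all(condition_matches(user, c) for c in conditions)

def members(users, conditions, include=(), exclude=()):
    return [u["username"] for u in users if is_member(u, conditions, include, exclude)]

# Constructed sample records; "badge_type" is a hypothetical custom attribute.
USERS = [
    {"username": "jason", "Location": "Chicago"},
    {"username": "mark", "Location": "Denver", "badge_type": "employee"},
    {"username": "stacy", "Location": "Denver", "badge_type": "contractor"},
    {"username": "pat", "Location": "denver"},  # case differs from the rule value
]
DENVER = [("Location", "equals", ["Denver"])]

if __name__ == "__main__":
    print(members(USERS, DENVER))
    print(members(USERS, DENVER, include={"jason"}, exclude={"stacy"}))
    print(members(USERS, [("badge_type", "not equals", ["contractor"])]))
```

The model applies the page's "or" literally to every operator, including not equals with several values; confirm that case with Preview in the Admin Portal rather than relying on the model.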
To add users to the User Exemptions List
Configure groups strategically using rules to result in the targeted membership, using exemptions sparingly. If you find you can't reach the desired group membership without a large number of exemptions, reach out to JumpCloud so that we can understand what additional rules or conditions may be needed.
- In the Exemptions section, click in the field underneath Users to include or Users to exclude.
- Start typing in the name of the user you would like to add to the list and then select the box next to the user in the dropdown.
  - Users will appear in alphabetical order
  - Selected users will appear as pills below the Search bar
- When finished adding users, click Save Group.
Exemptions configured to include or exclude a user from a user group are NOT reflected in the Preview Group Membership modal. You can review the Exemptions List by looking at the pills beneath Users to include or Users to exclude or by navigating to the group's Users tab and confirming that Manual Include is listed for that user in the Exemption column.
To remove a user from the User Exemptions List
- In the Exemptions section, find the user's pill underneath the Search bar.
- Click the ‘x’ next to their name.
- When finished removing users, click Save Group.
Disabling Dynamic Groups
- Log in to the JumpCloud Admin Portal.
- Go to USER MANAGEMENT > User Groups.
- Select the group for which you would like to disable automation.
- Select the Static radio button and then Change Group To Static.
- Click Save Group.