ConductorOne docs

ConductorOne groups

Create custom groups in the ConductorOne app that dynamically adjust their membership based on adherence to a membership rule.

What are ConductorOne groups?

A screenshot of the ConductorOne app showing a sample ConductorOne group.

ConductorOne groups are collections of ConductorOne users that you create and use within ConductorOne. These groups are resources in the ConductorOne app.

What can I do with a ConductorOne group?

Key uses for these special groups include:

  • Organizing employees without creating custom IdP groups. ConductorOne groups make it easy to create groups of employees who share key profile attributes or combinations of access.

  • Specifying who can request an access profile. An access profile can be requestable by a ConductorOne group.

  • Assigning a group as reviewer on a policy step. A ConductorOne group can be set as a policy step reviewer.

Create a new ConductorOne group

Create a ConductorOne group by setting a rule for membership. ConductorOne will dynamically add or remove members from the group based on their adherence to the rule.

  1. Navigate to Admin > Groups and click Create group.

  2. Give your new group a name and add a description. Click Create group.

  3. In the Membership rule section of the page, click Configure.

  4. Choose how to form your membership rule:

    • Use the Basic condition builder to construct a membership rule from a combination of entitlements and profile attributes, with the option to add and and or statements to refine the rule.

    • Use the Expression field to to compose a CEL expression that describes the membership rule.

  5. Click Preview to check the syntax of your membership rule.

    Note that not all users who match the membership rule will be shown immediately when you click Preview.

  6. Optional. In the Excluding field, add the names of any users who should be excluded from this group, even if they match the membership rule.

  7. When you’re satisfied, click Save. The Membership rule section syncs and update the list of matching users.

    Depending on the number of users in your ConductorOne installation, syncing might take some time. When syncing is complete, the Syncing label will be replaced by a Last sync timestamp.

That’s it! Your ConductorOne group is now ready for use elsewhere in the app. The group will re-sync every hour to check which ConductorOne users match the rule you set, and will add or remove group members accordingly.

Frequently asked questions about ConductorOne groups

How often does the membership rule sync?

A new sync is kicked off each hour.

Can users request access to a ConductorOne group?

No, currently ConductorOne groups cannot be added to access profiles. Membership in ConductorOne groups is solely determined by matching the membership rule.