Create, edit, or delete Access Control Management (ACM) groups

On this page:

Overview
Create a group
Edit a group
Delete a group
Member status and inactive users
Get help

Overview

The UITS Access Control Management (ACM) Group Management tool lets you create and manage security groups for controlling access to your internal online resources. By default, you are added as an editor of any ACM group you create, allowing you to add and remove group members, add and remove other group editors, and manage group features. Behind the scenes, ACM groups are integrated with Grouper, an open-source enterprise access management system available from Internet2.

ACM access is limited to IU faculty and staff who have completed the Acceptable Use Agreement.

Create a group

To create a new ACM group:

Go to Access Control Management (ACM) and then click + Create Group.
On the "Create Group" page, under "Name", enter a short, unique name for your group. Optionally, to add a description of your group, click Add description, and then enter your text in the "Description" field. To make your group name and details visible only to editors of the group and ACM administrators, toggle the "Public Group" switch from On (the default setting) to Off.
On an ACM group page, under "Members", you can add or check compliance requirements. Click the Require Compliance arrow to enable the options; all options are disabled by default. Choose any compliance requirement to apply it for all users wherever the group is used, and to enforce IU's requirements for signing the Acceptable Use Agreement and taking the FERPA tutorial and HRMS Data Use tutorial. If users are not in compliance with the chosen options, the page will highlight the user with an alert about the missing compliance requirements. Compliance requirements are also enforced for any subgroups nested in this group.
Add users as members of your new group either one at a time or in bulk (using IU usernames, existing IU ADS groups, and/or existing ACM groups):
- Add members of an existing ACM group: Under "Members", to the right of "ACM Groups", click the Add group icon:
  
  In the "Add group" window, enter the desired ACM group name into the "Type a group name" field.
  
  As you type, ACM will prompt you with potential matches; click the appropriate ACM group to select it, and then click Add. The selected ACM group will appear on the "Create group" page, under "Groups". Click the group to view its individual members.
  
  If desired, repeat the process to add another ACM group.
  Notes:
  - If the membership of a nested ACM group changes after you create your new group, those changes will be reflected in your group.
  - Inactive users, or any group accounts owned either by inactive faculty or staff members, are added to your group as provisional members, are displayed with yellow backgrounds, and will not be granted access privileges. For more, see this document's Member status section.
Optionally, add other editors to your group. Editors can add and remove group members and manage group features; by default, you are added as an editor of the group you are creating.
Notes:
- Inactive users, or any group accounts owned either by inactive faculty or staff members, are added to your group as provisional members, are displayed in the "Inactive IU account" box, and will not be granted access privileges. For more, see this document's Member status section.
- Editors are not members of the group they edit. Editors can manage members and features, but will not be viewed as members themselves. A user may be added as both a member and an editor to get the full advantages of being in the group while also being able to edit it. If the ACM group is nested in another ACM group, the editors will not be carried over as members unless they add themselves as members as well.
You can add editors in any of the following ways:
- Add editors one at a time:
  1. Under "Editors", to the right of "Editors", click the Add editor icon.
  2. In the "Add editor" window, enter the person's full name or IU username into the "Display name or username" field. When entering a person's full name, you can type the first name followed by the last name, or type the last name followed by a comma and the first name.
  3. As you type, ACM will prompt you with potential matches; click the appropriate name to select it, and then click Add. The selected user will appear on the "Create group" page, under "Editors".
- Add individual editors in bulk:
  1. Under "Editors", to the right of "Editors", click the down arrow next to the Add Editors icon, and then select Add Editors in bulk.
  2. In the "Add Editors in bulk" window, enter multiple personal or group account IU usernames, separated by commas, into the "Usernames separated by commas" field.
  3. When you're finished adding usernames, click Add. The selected editors will appear on the "Create group" page, under "Editors".
    ACM will display an alert for any usernames that could not be located. A separate alert will display for any usernames that are already in the "Editors" list.
- Add members of an existing ADS group:
  1. Under "Editors", to the right of "Editors", click the down arrow adjacent to the Add Editors icon, and then select Add Editors from ADS group.
  2. In the "Add Editors from ADS group" window, enter the desired ADS group into the "ADS group name" field.
  3. As you type, ACM will prompt you with potential matches; click the appropriate ADS group to select it, and then click Add. The members of the selected ADS group will appear on the "Create group" page, under "Editors".
    If desired, repeat the process to add members of another ADS group.
    Notes:
    ADS groups with more than 1,000 users cannot be imported into ACM. If you attempt to import a group with more than 1,000 users, you'll see a warning indicating that the import won't be done.
    
    If the membership of an ADS group changes after you create your new ACM group, those changes will not be reflected in your group.
    
    ACM will display an alert for any usernames that are already in the "Users" list.
Optionally, make your group available for use as an ADS security group. See Manage interactions between ACM groups and Active Directory Services.
When you're finished adding users, editors, and/or features, click Create group to create your ACM group. To quit without creating a group or saving your work, click Cancel.

Edit a group

Note:

To check compliance requirements for a group, see the Require Compliance step in the instructions for creating a group.

To edit an ACM group for which you are an editor:

Go to Access Control Management (ACM) and then, under "My Groups", click the name of the group that you want to edit.

Note:

If you see "All Groups" instead of "My Groups", click the slider labeled "Display only my Groups" to switch it from Off to On.
On the "Edit Group" page:
- Under "Name", edit the group name, change the "Public Group" setting, and/or add, edit, or remove a description.
- Under "Members", add or remove users and/or groups. To remove a user or group, click the x next to its name. For help adding users or groups to an ACM group, refer to the instructions above.
- Under "Editors", add or remove editors. To remove an editor, click the x next to the editor's name.
  
  Note:
  
  The group must have at least one other editor before you can remove yourself as an editor. ACM will prompt you to confirm that you are sure you want to remove yourself. To proceed, click Yes; to cancel, click No.
  
  For help adding one or more editors to an ACM group, refer to the instructions above.
- To see where this group is used, click to expand See where this Group is used (under "Features"). This reveals drop-down sections for Other ACM Groups, Tableau, and Denodo that will list where the group is used. (If the group isn't used in a particular service, the drop-down section for that service will not be displayed.)
- Under "Features", if you have not already done so, you may optionally make your group available for use as an ADS security group; for help and more information, refer to the instructions above.
When you're finished editing your ACM group, click Save to save your changes. To quit without saving your changes, click Cancel.

Delete a group

To delete an ACM group for which you are an editor:

Go to Access Control Management (ACM) and then, under "My Groups", click the name of the group that you want to delete.

Note:

If you see "All Groups" instead of "My Groups", click the slider labeled "Display only my Groups" to switch it from Off to On.
At the bottom of the "Edit Group" page, click Delete group.
ACM will prompt you to confirm that you want to delete the group. If your group is associated with an ADS security group, the ACM prompt will warn you that deleting the group will cause the associated ADS security group to be deleted also. To proceed, click Yes, delete this group; to cancel, click No, cancel.

Member status and inactive users

Active and compliant users are added to your group as full members and are displayed with white backgrounds. Only full members are granted access privileges.

If compliance requirements are in place for the group, non-compliant users are added to the group as provisional members and are displayed in a box titled "Out of compliance".

Inactive users, or any group accounts owned either by inactive faculty or staff members, are added to your group as provisional members and are displayed in an "Inactive IU account" box. Occasionally, retired faculty or staff members should not be considered inactive, so that they can access university resources such as Tableau reports. In such cases, contact UITS Identity Management Systems (IMS) via the IMS ACM Support Form to request an exception for the user.

Get help

If you need help or have questions about creating and/or managing ACM groups, fill out the IMS ACM Support Form to contact UITS Identity Management Systems (IMS). To access the support form from within ACM, click the question mark (?) icon in the top right corner of the "Create Group" or "Edit Group" page.