Linked Groups

When two identical groups exist across different end systems, it is possible to reduce confusion by linking these two groups together and choosing one group as a source of truth. Often times, groups might have identical members and similar names across different systems because one system imports the group from another, for example Okta importing a Google Group. If these two groups both exist and are seemingly identical groups, it can be difficult for end users to know which group should be requested and which group should be ignored.

In order to simplify the experience for end users requesting access to a resource, an Opal administrator can choose one group as a source of truth. This process starts in the "Linked Groups" navigation item.

To make finding identical groups easier, Opal provides a list of suggestions based on group membership and naming.

To confirm a suggestion is in fact an identical group, click the compare button to identify the differences in naming and membership.

If the groups are unrelated, click the "X" button on the rightmost section of the given row. If the groups are similar enough to be considered identical, select a source of truth. The source of truth will be the group that is requestable by your end users within Opal, and the other group(s) will redirect end users to the source of truth when requesting access to the non source of truth group. Click "Link Groups" to set up this relationship.

This action can be undone at any point by clicking the red button on the list of currently linked groups.

Clicking the grey pencil button will allow you to edit the relationship. A relationship can be altered by changing the source of truth for the link or adding new groups to the link.

Once the link is set up properly, an end user requesting a non source of truth group will see the following direction:

Requesting the source of truth will redirect the user to the proper page for their request and prevent confusion and clutter in group access.

A note on user access reviews:

If a user's access is removed from either the source of truth group, or the non source of truth group, access to both will be revoked in both cases.