Associating an Identity Provider Group

You can associate identity provider users or groups, that have been defined in an existing Active Directory or LDAP directory or Microsoft Entra directory, to console operators or roles.

To add such a group, perform the following steps:

  1. Ensure that the needed Active Directory or LDAP directory or Microsoft Entra directory is added to the BigFix environment.
  2. Create a role to accept your new group by selecting Tools > Create Role or right click in the work area and then select Create Role.
    This window displays the Create Role panel where you have to specify the name of the role.
    Enter a name for your group and click OK.
  3. The Role panel appears.

    Click the Identity Provider Groups tab.
  4. Click the Assign Identity Provider Group button. The following dialog displays.

  5. You can query and filter the groups defined on the specified Identity Provider server using the Search field and the two radio buttons.
    Note: If you have configured at least one Microsoft Identity Provider in your environment and have a significant number of groups in your Tenant, it is highly recommended to use the "Starts With" option, as it can be significantly faster than the "Contains" option.

    A new client property, named _Enterprise Server_MSEntraID_PageSize , has been introduced to let BigFix users configure the Microsoft Entra page size for REST API responses. This property must be set on the machine where the BigFix Server is running. By default, it is set to 0, indicating that no paging option is applied, and the Microsoft Entra default value of 100 items is returned for each request. Increasing the page size can enhance performance when dealing with a large number of Microsoft Entra groups.

    Name _Enterprise Server_MSEntraID_PageSize
    Default Value 0
    Setting Type int
    Value Range 0 - 999
    Component Restart Required No
  6. Select the identity provider group that you want to assign to this role and click Assign Identity Provider Group.
  7. To save the changes click Save Changes.

When you assign an identity provider group to a role, any user from that group can then log in to the console. Only those users who actually log in will be provisioned with accounts and thus end up in the list of operators. This avoids the creation of unnecessary accounts. Operators are granted the highest privileges resulting from the sum of all their roles and permissions. For instance, if a user has access to computer set A and sites X from role 1, and computer set B and sites Y from role 2, they will have permissions for Sites X and Y across both computer sets A and B.