Skip to main content
Group-Based Policy

How to set up groups and assign policies to groups established in your IdP

Updated over 11 months ago

HERE’S WHY

We know that not every policy needs to be signed by every member of your organization, or that some policies may not need to be signed by any of your personnel. In Drata we now support the ability to import groups from your identity providers (Google Groups, Google Organizational Units, Microsoft 365, and Okta) and assign policies to certain groups of personnel, all personnel or no one.

HERE’S HOW

Step 1: Connect Your Identity Provider

Before importing groups, you need to have an active connection to one of the 3 supported identity providers: Google, Microsoft, or Okta.

GOOGLE: Here are Drata's instructions for setting up the Google Workspace connection.

IMPORTANT: If you already have an active Google connection with Drata, please make sure you have the following 2 additional scopes enabled:

You can read more about setting up these scopes via domain-wide delegation here and here.

If you already have your Google connection ready but do not have any groups defined in Google Workspace, please check these instructions:

MICROSOFT 365: Here are Drata's instructions for setting up the Microsoft 365 connection.

If you already have your Microsoft 365 connection ready but do not have any groups defined in Microsoft, please check the instructions for setting up Groups in Microsoft 365.

OKTA: Here are Drata's instructions for setting up the Okta connection.

If you already have your Okta connection ready but do not have any groups defined in Okta, please check the instructions for setting up Groups in Okta.

Step 2: Understand Groups Sync

IMPORTANT: Changes to Identity provider groups will be reflected in Drata once a day after Autopilot completes running (nightly in US PT). This is also the case for user identities: Click here to learn more about Drata's Identity sync.

New Group(s): New groups should be automatically added to Drata once Autopilot runs. If you have multi-domain support enabled, group information from all domains will be brought into Drata. Otherwise, only the main domain’s groups will be imported.

Delete Groups: If you delete groups from the Identity Provider, they will be removed from Drata once Autopilot runs. Deleted Groups will be unassigned from Policies.

Note: If a policy is assigned to a group and all the associated group members are removed, the policy will automatically be assigned to 'None', and an email will be sent to the policy owner notifying them that the policy has no personnel assigned.

Update Groups: Group name and domain changes will be synced with Drata as soon as Autopilot runs. If multi-domain support is not enabled, only updates to the main domain will be synced with Drata.

Disconnect Identity Provider: In the case of an Identity Provider disconnection, the groups, their members, and the assignments will remain in their current state.

Step 3: Verify your groups are synced

Once you have set up a connection to an Identity Provider, you can use the Personnel group filter to see all the imported groups. To view the list of groups:

  1. Go to the 'Personnel' section in Drata

  2. Click on the Groups filter to view all the imported groups

Note: If you don’t see the group filter, it means that either groups were not synced correctly or there are no groups defined in your identity provider.

Step 4: Go Over Policy Assignment

Policy Assignment Overview: When you go to the policy section, you will see a new column called 'Assigned to' that shows who needs to acknowledge each policy. This column can have one of the following 3 values:

  • All personnel: Policy is required to be acknowledged by all personnel in your company.

    • Update Existing Policies: Drata’s existing policies are assigned to 'All Personnel' by default, meaning that each policy needs to be acknowledged by everyone in the company.

  • <Group Name>: Policy is only required to be acknowledged by the assigned group members.

  • None: Policy is not required to be acknowledged by any personnel at your company.

Here is an example of policies assigned to each category:

You can change the assignment of existing policies at any time by selecting the edit icon(). Then, select the edit icon in Policy details section. Under the Personnel section, update who is assigned

Then save.

New Policies: To view the assignment options for a new policy, select on 'Create Custom Policy' and view the default selected assigned option.

Policy Assignment Deep Dive

As covered above, each policy can have 3 assignment options: 'All Personnel', 'Specific groups', or 'None'. In this section we will cover each option more in-depth:

All personnel

When setting a policy assignment to 'All Personnel,' it is required that every member in the organization acknowledges the policy. Therefore, if a single member does not acknowledge the policy, the associated monitoring test for that policy will fail with the list of all personnel that have not acknowledged the policy:

None

If a policy is assigned to 'None,' it means that policy is not required to be signed by any personnel. For example, you may have a policy that does not require employee acknowledgement, and you want to manage all of your policies inside Drata. With this option, you can bring that policy to Drata and assign it to 'None.'

  • If a policy that you own is set to 'None' by anyone but you, you will be notified automatically. To learn more about owner notifications, click here.

Monitoring Test: When setting an existing Drata policy to 'None,' if that policy has a test for employee acceptance, the test will fail the next time Autopilot runs. It is important to disable the associated test after changing the policy assignment to 'None.'

Specific groups

If a policy is assigned to a specific group, only members of the groups are required to acknowledge that policy. The rest of the employees will not see that policy as part of their onboarding. For example, if a policy is assigned to Billing and Customer Success groups, only members of those groups will be required to acknowledge the policy.

Checkbox to notify new members: New members can be added to any group after a policy is assigned to that group. The next time Autopilot runs the new members will be assigned to the policy. If this checkbox is set, then an email notification will be sent to new personnel about this policy anytime a new member is added and that person has not signed the latest approved policy version.

If a member is removed from a group that is associated with a policy, the change will reflect in Drata after the daily Autopilot sync. The removed user will no longer see that policy when onboarding even If he/she has already signed the policy. Also, the policy will no longer be used toward the user’s compliance.

Note: If all members are removed from groups associated with the policy, the policy owner will receive a notification. To learn more about policy owner notifications, click here.

Monitoring Test: After you assign an existing Drata policy to the 'Specific Group' option, the test for that policy will automatically be scoped to members of the group(s). The test can only fail if members of the assigned group(s) fail to acknowledge the policy.

Select the 'Fix Now' button to go to the 'Personnel' page, with the related policy groups, and ordering the list by non-compliant members first. That way, if you want to notify those members, you can quickly do so from the 'Personnel' page.

On the 'Personnel' page, you get the list of non-compliant members and can quickly send them reminders:

INTEGRATION LIMITATION:

  1. Groups can only be created in the Identity Providers. We currently do not support integration with HRIS groups. Also, groups cannot be created inside Drata.

  2. For Microsoft 365 groups, we import user information (no organizational contacts, devices, etc).

  3. The Okta group sync does not retrieve deactivated or suspended users.

Did this answer your question?