Managing User Groups

Select Account in the navigation bar at the top of the page.

Select Manage User Groups in the Links pane on the right side of the page.

Select Add User Group in the upper-right area of the Manage User Groups page.

From the Group pane of the Add User Group page, provide a unique name that represents the specific role of this group within your organization.

Optionally, provide a brief description that identifies the function of the user group. The description cannot exceed 200 characters.

Note: The total number of group members is dependent on VIP Enterprise Gateway. You will need to configure VIP Enterprise Gateway to map and synchronize user groups in your LDAP directory with the user data in the VIP User Service. Be aware that user groups may contain members who are also members of other user groups, depending on their particular roles.

For details on LDAP synchronization, refer to the VIP Enterprise Gateway Installation and Configuration Guide. For an example scenario of deploying a user group, refer to the VIP Enterprise Authentication Deployment Guide. Both documents may be downloaded by selecting Account in the navigation bar at the top of the page, and then selecting Download Files in the Links pane on the right side of the page.

Select Add. The User Group Details page displays, listing the user group information and policy settings.

Initially, the policy settings for this group are set to the default policies for your VIP account (configured on the Account tab of the Policies page).

You can retain the default policy settings for your VIP account or you can specify policy settings specific to this group. When you set group-specific policies, the new settings supersede the VIP account policy settings for users in this group.

For details on the default policies, see the following topics:

For details on customizing the policy settings for this user group, see Editing the User Group Policies.

You can remove any user group that contains no members. Conversely, you cannot remove a user group that contains at least one member.

Select Account in the navigation bar at the top of the page.

Select Manage User Groups in the Links pane on the right side of the page.

Enter the user group name in the search field of the Manage User Groups page.

To narrow your search, you can filter user group options within the left pane. Select the arrow next to the search field (or press Return) to view the user groups that meet your search criteria.

You can sort the order of your search results by group name or by the date and time when group details were last edited.

Select Remove for your target group.

Confirm you want to remove your target group.

To edit details of a user group:

Select Account in the navigation bar at the top of the page.

Select Manage User Groups in the Links pane on the right side of the page.

Enter the user group name in the search field of the Manage User Groups page.

To narrow your search, you can filter user group options within the left pane. Select the arrow next to the search field (or press Return) to view the user groups that meet your search criteria.

You can sort the order of your search results by group name or by the date and time when group details were last edited.

Select Edit Details for your target user group.

From the Group pane of the User Group Details page, select Edit.

Update the group name or group description, as applicable.

Select Save.

To edit the Access, Credentials, Mobile Push Authentication, Remembered Devices, and Intelligent Authentication policies configured for a user group:

Select Account in the navigation bar at the top of the page.

Select Manage User Groups in the Links pane on the right side of the page.

Enter the user group name in the search field of the Manage User Groups page.

To narrow your search, you can filter user group options within the left pane. Select the arrow next to the search field (or press Return) to view the user groups that meet your search criteria.

You can sort the order of your search results by group name or by the date and time when group details were last edited.

Select Edit Details for your target user group.

The User Group Details page displays. Click Edit on this page to set the Access, Credentials, Mobile Push Authentication, Biometrics / Security Key, and Remembered Device policies for this group.

For each of these policies, you can use the default policy (configured on the Account tab of the Policies page) or specify policy settings specific to this group. When you set group-specific policies, the new settings supersede the VIP account policy settings for users in this group.

After setting your policies, click Save.

For details on the default policies, see the following topics:

To set policies specific to this group:
Access Policy:
To set a group-specific Access policy, click Per Group Policy in the Access Policy pane. Then select one of the following:
Access Denied:
Users in this group are always denied access to any web resource protected by VIP. However, you can still allow users to access specific IP addresses. Users in this group are prompted for additional authentication at these IP addresses (challenge).
Challenge with Multi-factor Authentication:
Users in this group are prompted for multi-factor authentication through VIP when they sign in. This is the default policy setting. For IP addresses that you allow (whitelist), VIP authentication always succeeds. You can also deny access to specific IP addresses (blacklist).
Based on the access level you set, you can deny users access to specific IP addresses (blacklist), force users to perform additional authentication for specific IP addresses (challenge), or always allow users access to specific IP addresses (whitelist).

Add IP addresses by uploading a text file with a comma-separated list of IP addresses. You can upload up to 300 IP addresses or IP address ranges in one file. Each entry in the file should be a separate line, each entry followed by a comma. Do not include other text or headers.

Once uploaded, you can remove selected IP addresses, and export the entire list of IP addresses to a comma-separated text file.

Access Policy settings are not supported for requests from VIP Enterprise Gateway 9.8.4 or earlier and are ignored.
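A pre-upload check for the IP address file described above, as an added example that is not part of the VIP documentation or product: it enforces the 300-entry limit and the one-entry-per-line, trailing-comma layout. The function names, the accepted range syntaxes (CIDR and start-end) and the max_span review threshold are assumptions, since the page does not specify them.

```python
import ipaddress

MAX_ENTRIES = 300  # per-file limit stated on this page

def parse_entry(text):
    """Return (first, last) address of one entry.
    Assumed range syntaxes (not given on the page): CIDR or start-end."""
    if "-" in text:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError("invalid range bounds")
        return lo, hi
    net = ipaddress.ip_network(text, strict=False)
    return net[0], net[-1]

def validate_ip_list(content, max_span=256):
    """Check an upload file and return (entries, problems).
    max_span is a hypothetical threshold: where listed addresses always pass
    VIP authentication (whitelist), broad ranges deserve a manual review."""
    entries, problems, seen = [], [], set()
    for n, raw in enumerate(content.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if not line.endswith(","):
            problems.append(f"line {n}: entry is not followed by a comma")
        body = line.rstrip(",").strip()
        if "," in body:
            problems.append(f"line {n}: more than one entry on the line")
            continue
        try:
            lo, hi = parse_entry(body)
        except ValueError as exc:
            problems.append(f"line {n}: not an IP address or range ({exc})")
            continue
        if (lo, hi) in seen:
            problems.append(f"line {n}: duplicate of an earlier entry")
            continue
        seen.add((lo, hi))
        if int(hi) - int(lo) + 1 > max_span:
            problems.append(f"line {n}: {body} spans more than {max_span} addresses")
        entries.append(body)
    if len(entries) > MAX_ENTRIES:
        problems.append(f"{len(entries)} entries exceed the {MAX_ENTRIES}-entry limit")
    return entries, problems

# Constructed sample: a header line, a missing comma, a broad range, a duplicate.
SAMPLE = "ip_address\n192.0.2.10,\n198.51.100.0/24,\n203.0.113.5\n10.0.0.0/8,\n192.0.2.10,\n"
```

Run validate_ip_list(SAMPLE) and resolve every reported problem before uploading the file.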


Credential Policy:
To set a group-specific Credential policy, click Per Group Policy in the Credential Policy pane. Then set the following:

Set the credential types for the group.

If you edit the credential types by selecting Per Group Policy, the pre-selected credential types mirror the current settings within your VIP account policy. You can customize any of these types for the user group.

Set the maximum number of registered VIP credentials that group members can use for authentication.

Mobile Push Authentication Policy:
To set a group-specific Mobile Push Authentication policy, click Per Group Policy in the Mobile Push Authentication Policy pane. You can set the following:

Enable Mobile Push: Set this to Yes to allow an end user to respond to a VIP Access Push notification sent to a mobile device as the second factor when signing in. If set to No, VIP will not send a VIP Access Push notification, and the end user must use another configured method for authentication.

Allow Security Code Validation: If Enable Mobile Push is set to Yes, set Allow Security Code Validation to Yes to allow an end user to enter security codes as the second factor instead of VIP Access Push during authentication requests. If set to No, the user will not be prompted for security codes.

This setting does not apply to registration requests, such as with My VIP or the Self Service Portal.

Note: If you set Allow Security Code Validation to No, users with a credential that only allows security code validation (such as the VIP Security Card or VIP Security Token) will not be able to authenticate.

Require Number Challenge: If Enable Mobile Push is set to Yes and Require Number Challenge is set to Yes, end users are shown a unique, two-digit number during authentication requests. End users must enter the same number in the VIP Access Push that they receive on their mobile devices.

Biometrics / Security Key Authentication Policy:
To set a group-specific Biometrics / Security Key policy to allow FIDO2-enabled authenticators, click Per Group Policy in the Biometrics / Security Key Authentication Policy pane. Then, enable or disable this feature for this user group.

Remembered Devices Policy:
To set a group-specific Remembered Devices policy, click Per Group Policy in the Remembered Devices Policy pane. Then set the following:

Enable or disable Trusted Device to let your users register devices to be remembered.
Also set whether the Trusted Device plug-in is automatically upgraded to the latest version. Users on supported platforms automatically receive the latest version of the plug-in the next time they sign in.

Set the maximum number of devices your users can register. Users can register from 1 to 20 devices.

Set how Trusted Device registrations are deleted for a user, when the user attempts to register more than the maximum allowed:
Auto
Automatically delete the least-recently used Trusted Device registration when the user registers another device. Users and administrators can manually delete Trusted Device registrations at any time.
Admin Only
Only the VIP administrator can delete a Trusted Device registration. The user will not be able to delete any Trusted Device registrations without administrator intervention.
Note: Trusted Device registrations do not expire. If users want to delete a remembered device registration, they can remove the registration manually in the VIP Self Service Portal. Administrators can delete the registration in VIP Manager.

Intelligent Authentication Policy:
To set a group-specific Intelligent Authentication policy, click Per Group Policy in the VIP Intelligent Authentication Policy pane. Then set the following:

Note: You must initially configure IA for the account (Policies > Intelligent Authentication). Otherwise, IA does not have the appropriate information to accurately measure risk for the group. However, you can then disable it for the account if you want to enable it only for groups.

Set whether IA is enabled for this user group.

Set whether users are always challenged for a security code for sign-in authentication, regardless of the current IA threshold or risk-based IA score.