Managing User Groups

To find user groups, select Account from the navigation bar at the top of the page and then select Manage User Groups from the right pane. The Manage User Groups page displays the user groups in the system as of the last data refresh (typically around 11:59:59 pm UTC). From this page you can:

Export all user groups to a CSV file. Select this option to export information about all user groups to a CSV file. The CSV file will include information about all user groups in the system at the time that you selected this option.

Add user groups. See Adding a User Group.

Remove user groups. See Removing a User Group.

Edit user groups. See Editing User Group Information.

You can also manage user groups with the User Services APIs. See About VIP User Services.
You can also add user groups with the User Services APIs. See About VIP User Services.

Select Account in the navigation bar at the top of the page.

Select Manage User Groups in the Links pane on the right side of the page.

Select Add User Group in the upper-right area of the Manage User Groups page.

From the Group pane of the Add User Group page, provide a unique name that represents the specific role of this group within your organization.

Optionally, provide a brief description that identifies the function of the user group. The description cannot exceed 200 characters.

Note: The total number of group members is dependent on VIP Enterprise Gateway. You will need to configure VIP Enterprise Gateway to map and synchronize user groups in your LDAP directory with the user data in the VIP User Service. Be aware that user groups may contain members who are also members of other user groups, depending on their particular roles.

For details on LDAP synchronization, refer to the VIP Enterprise Gateway Installation and Configuration Guide. For an example scenario of deploying a user group, refer to the VIP Enterprise Authentication Deployment Guide. Both documents may be downloaded by selecting Account in the navigation bar at the top of the page, and then selecting Download Files in the Links pane on the right side of the page.

Select Add. The User Group Details page displays, listing the user group information and policy settings.

Initially, the policy settings for this group are set to the default policies for your VIP account (configured on the Account tab of the Policies page).

You can retain the default policy settings for your VIP account or you can specify policy settings specific to this group. When you set group-specific policies, the new settings supersede the VIP account policy settings for users in this group.

For details on the default policies, see the following topics:

For details on customizing the policy settings for this user group, see Editing the User Group Policies.

You can remove any user group that contains no members. Conversely, you cannot remove a user group that contains at least one member.

You can also manage user groups with the User Services APIs. See About VIP User Services.

Select Account in the navigation bar at the top of the page.

Select Manage User Groups in the Links pane on the right side of the page.

Enter the user group name in the search field of the Manage User Groups page.

To narrow your search, you can filter user group options within the left pane. Select the arrow next to the search field (or press Return) to view the user groups that meet your search criteria.

You can sort the order of your search results by group name or by the date and time when group details were last edited.

Select Remove for your target group.

Confirm you want to remove your target group.

You can also manage user groups with the User Services APIs. See About VIP User Services.

To edit details of a user group:

Select Account in the navigation bar at the top of the page.

Select Manage User Groups in the Links pane on the right side of the page.

Enter the user group name in the search field of the Manage User Groups page.

To narrow your search, you can filter user group options within the left pane. Select the arrow next to the search field (or press Return) to view the user groups that meet your search criteria.

You can sort the order of your search results by group name or by the date and time when group details were last edited.

Select Edit Details for your target user group.

From the Group pane of the User Group Details page, select Edit.

Update the group name or group description, as applicable.

Select Save.

To edit the Access, Credentials, Mobile Push Authentication, Remembered Devices, and Intelligent Authentication policies configured for a user group:

Select Account in the navigation bar at the top of the page.

Select Manage User Groups in the Links pane on the right side of the page.

Enter the user group name in the search field of the Manage User Groups page.

To narrow your search, you can filter user group options within the left pane. Select the arrow next to the search field (or press Return) to view the user groups that meet your search criteria.

You can sort the order of your search results by group name or by the date and time when group details were last edited.

Select Edit Details for your target user group.

The User Group Details page displays. Click Edit on this page to set the Access, Credentials, Mobile Push Authentication, Biometrics / Security Key, and Remembered Device policies for this group.

For each of these policies, you can use the default policy (configured on the Account tab of the Policies page) or specify policy settings specific to this group. When you set group-specific policies, the new settings supersede the VIP account policy settings for users in this group.

After setting your policies, click Save.

For details on the default policies, see the following topics:

To set policies specific to this group:
Access Policy:
To set a group-specific Access policy, click Per Group Policy in the Access Policy pane. Then select one of the following:
Access Denied:
Users in this group are always denied access to any web resource protected by VIP. However, you can still allow users to access specific IP addresses. Users in this group are prompted for additional authentication at these IP addresses (challenge).
Challenge with Multi-factor Authentication:
Users in this group are prompted for multi-factor authentication through VIP when they sign in. This is the default policy setting. For IP addresses that you allow (whitelist), VIP authentication always succeeds. You can also deny access to specific IP addresses (blacklist).
Based on the access level you set, you can deny users access to specific IP addresses (blacklist), force users to perform additional authentication for specific IP addresses (challenge), or always allow users access to specific IP addresses (whitelist).

Add IP addresses by uploading a text file with a comma-separated list of IP addresses. You can upload up to 300 IP addresses or IP address ranges in one file. Each entry in the file should be a separate line, each entry followed by a comma. Do not include other text or headers.

Once uploaded, you can remove selected IP addresses, and export the entire list of IP addresses to a comma-separated text file.

Access Policy settings are not supported for requests from VIP Enterprise Gateway 9.8.4 or earlier and are ignored.


Credential Policy:
To set a group-specific Credential policy, click Per Group Policy in the Credential Policy pane. Then set the following:

Set the credential types for the group.

If you edit the credential types by selecting Per Group Policy, the pre-selected credential types mirror the current settings within your VIP account policy. You can customize any of these types for the user group.

Set the maximum number of registered VIP credentials that group members can use for authentication.

Select how many of one type of credential an end user can self-register in My VIP at any one time. After registering the maximum number, an end user must remove a credential to register another of the same type.

Mobile Push Authentication Policy:
To set a group-specific Mobile Push Authentication policy, click Per Group Policy in the Mobile Push Authentication Policy pane. You can set the following:

Enable Mobile Push: Set this to Yes to allow an end user to respond to a VIP Access Push notification sent to a mobile device as the second factor when signing in. If set to No, VIP will not send a VIP Access Push notification, and the end user must use another configured method for authentication.

Allow Security Code Validation: If Enable Mobile Push is set to Yes, set Allow Security Code Validation to Yes to allow an end user to enter security codes as the second factor instead of VIP Access Push during authentication requests. If set to No, the user will not be prompted for security codes.

This setting does not apply to registration requests, such as with My VIP or the Self Service Portal.

Note: If you set Allow Security Code Validation to No, users with a credential that only allows security code validation (such as the VIP Security Card or VIP Security Token) will not be able to authenticate.

Require Number Challenge: If Enable Mobile Push is set to Yes and Require Number Challenge is set to Yes, end users are shown a unique, two-digit number during authentication requests. End users must enter the same number in the VIP Access Push that they receive on their mobile devices.

Display Location Information: If Enable Mobile Push is set to Yes and Display Location Information is set to Yes, the location of the requesting app is included in the VIP Access Push that users receive on their mobile devices.

The location may be affected if the user is using a VPN or if the network is mapped to a different IP address.

Biometrics / Security Key Authentication Policy:
To set a group-specific Biometrics / Security Key policy to allow FIDO2-enabled authenticators, click Per Group Policy in the Biometrics / Security Key Authentication Policy pane. Then, enable or disable this feature for this user group.

Remembered Devices Policy:
To set a group-specific Remembered Devices policy, click Per Group Policy in the Remembered Devices Policy pane. Then set the following:

Set the maximum number of devices your users can register. Users can register from 1 to 20 devices.

Intelligent Authentication Policy:
To set a group-specific Intelligent Authentication policy, click Per Group Policy in the VIP Intelligent Authentication Policy pane. Then set the following:

Note: You must initially configure IA for the account (Policies > Intelligent Authentication). Otherwise, IA does not have the appropriate information to accurately measure risk for the group. However, you can then disable it for the account if you only want to enable it for groups.

Set whether IA is enabled for this user group.

Set whether users are always challenged for a security code for sign-in authentication, regardless of the current IA threshold or risk-based IA score.


My VIP Policy:
To set a group-specific My VIP policy, click Per Group Policy in the My VIP Policy pane. Then set the following:

Allow or block IP address access policy: Configure blocked or allowed IP addresses by uploading up to 300 entries in a single CSV file (one IP address or one IP address range represents one entry). Show each IP address in decimal format, and separate IP address ranges with a hyphen. If you upload an IP address to both the Block policy and the Allow policy, access to the IP address is blocked. If a user is in multiple groups with different policies for the same IP address (some allowing access and some blocking access), the user's access is blocked.

Separate each entry in the file by a comma. Do not include other text, line breaks, or headers. Uploading a new list supersedes and replaces the entries you have previously configured.

VIP supports both IPv4 and IPv6 formats. The following example shows acceptable IP address and IP address range formats:

Example:

10.146.2.40,172.31.255.255, 192.168.0.1-192.168.0.100

Upload the CSV file to Allowed IP addresses to allow access to My VIP from the specified IP addresses. Only attempts to access My VIP from the specified IP address are allowed.

Upload the CSV file to Blocked IP addresses to restrict access to My VIP from the specified IP addresses. Attempts to access My VIP from the specified IP address are denied.

Block user group access policy: Enable this policy to block all users that are members of this user group from accessing My VIP.

Temp security codes for third-party apps: Select Yes to allow users to generate temporary security codes in My VIP that they can use to authenticate to third-party applications such as banking apps or workplace apps. Then set how the users will receive the temporary security codes (the distribution method).
You should select distribution methods which correspond to the attributes sent by the VIP Enterprise Gateway. For example, if you have configured the VIP Enterprise Gateway Self-Service Portal to send phone number attributes, you can enable SMS (Text Message) or Voice Call as distribution methods.

My VIP credential removal policy: Select Yes to restrict users from deleting their own credentials in My VIP. A user in this group must contact a VIP administrator to delete a credential.
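The following pre-upload check for the Allow or block IP address access policy files described above is an added example, not part of the VIP product or its documentation. It validates the stated file format (comma-separated, no line breaks, at most 300 entries, hyphenated ranges) and lists allow entries that overlap the block list, where the block policy wins. The function names and the second sample string are assumptions made for illustration.

```python
import ipaddress

MAX_ENTRIES = 300  # per-file limit stated in the policy description

def parse_entry(text):
    """Parse one entry, a single IP or 'start-end', into a (first, last) pair."""
    parts = [p.strip() for p in text.split("-")]
    if len(parts) > 2 or not all(parts):
        raise ValueError(f"malformed entry: {text!r}")
    first, last = ipaddress.ip_address(parts[0]), ipaddress.ip_address(parts[-1])
    if first.version != last.version or first > last:
        raise ValueError(f"invalid range: {text!r}")
    return first, last

def parse_upload(content):
    """Validate the whole file: one line, comma-separated, at most 300 entries."""
    if "\n" in content or "\r" in content:
        raise ValueError("file must not contain line breaks")
    # Spaces around entries are stripped; the page's own example has one after a comma.
    entries = [parse_entry(e) for e in content.split(",")]
    if len(entries) > MAX_ENTRIES:
        raise ValueError(f"{len(entries)} entries exceeds the limit of {MAX_ENTRIES}")
    return entries

def shadowed_allows(allowed, blocked):
    """Return allowed entries that overlap a blocked entry; block wins for those."""
    return [
        (a_lo, a_hi) for a_lo, a_hi in allowed
        if any(a_lo.version == b_lo.version and a_lo <= b_hi and b_lo <= a_hi
               for b_lo, b_hi in blocked)
    ]

# Sample data: the first string is the page's example, the second is constructed.
ALLOW_FILE = "10.146.2.40,172.31.255.255, 192.168.0.1-192.168.0.100"
BLOCK_FILE = "192.168.0.50,2001:db8::1-2001:db8::ff"

if __name__ == "__main__":
    allowed, blocked = parse_upload(ALLOW_FILE), parse_upload(BLOCK_FILE)
    for lo, hi in shadowed_allows(allowed, blocked):
        print(f"allow entry {lo}-{hi} overlaps the block list; blocked addresses stay blocked")
```

To cover users who belong to several groups, pass the combined allow and block entries of all those groups, since a block in any one group takes precedence.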


My VIP and VIP SSP Policy:
To set a group-specific My VIP and VIP SSP policy, click Per Group Policy in the My VIP and VIP SSP Policy pane. Then set the following:

Select Yes to allow users to generate temporary security codes for themselves that they can use to sign in to My VIP or the VIP SSP. Then, set how the users will receive the temporary security codes (the distribution method).

You should select distribution methods which correspond to the attributes sent by the VIP Enterprise Gateway. For example, if you have configured My VIP to send phone number attributes, you can enable SMS (Text Message) or Voice Call as distribution methods.