Working with User and System Groups


Users in your account are included within two different types of groups.


Note: This article provides information for Single User Identity. For more information about the Single User Identity changes, see Understanding the Single User Identity.

User Groups

User groups are objects for use in rules, policies, or assigning licenses. For example, if you add a User group to a rule within your Internet Firewall policy, that rule applies to all the users within the User group. There are three types of User group:

  • System groups: Automatically created

  • SCIM/LDAP defined: Provisioned from your IdP

  • User defined: Manually created

You can view the User groups in your account from the Access > User Groups page.

Understanding System Defined User Groups

Cato automatically creates the All Users System User group. This contains all the users created in your account. Use this User group if you want a rule, policy, or settings to apply to all users.

If you have at least one WMI controller configured, these System User groups are also created:

  • All Users Pending Identification: Users that have been synced but have not signed into the Client

  • All Unidentified Users: Users that cannot be identified

  • All Unmapped Users: Users that can be identified, but cannot be matched to information (e.g. organizational data) that synced from LDAP

System Groups for Assigning Licenses

System groups are objects for assigning SDP licenses to users. They are only visible on the Access > License Assignment page. For example, you can assign an SDP license to all manually created users. System groups cannot be used in rules or policies. There are three types of System group:

  • All LDAP users: All users provisioned with LDAP

  • All SCIM users: All users provisioned with SCIM

  • All Manual users: All users created manually

For more information about assigning SDP licenses, see Assigning SDP Licenses to Users (EA).

Showing User Groups and Members


To show the members of a User group:

  1. In the navigation menu, click Access > User Groups and select the User group.

  2. In the navigation menu, click Members. The group members are displayed.

Adding User Groups

You can define User groups and their members. For User groups that are created as part of SCIM or LDAP user provisioning:

  • Definitions in the General pane are defined by the Cato Management Application and can't be modified

  • To modify members of LDAP or SCIM User groups, modify the settings in the AD or IdP

  • The Type of the User group is SCIM defined or LDAP defined

To add a group and define its members:

  1. In the navigation menu, click Access > User Groups and select the User group.

  2. Click New. The Create User Group panel opens.

  3. Enter the group Name and click Apply. The User group is added to the screen.

  4. Click the User group. The General screen for the User group opens.

  5. (Optional) Enter a Description.

  6. Add the items that are the members of this group:

    1. In the navigation menu, click Members. The User group members are displayed.

    2. From the Add Members drop-down menu, select the type of member to add (SDP User or User).

    3. Select all the users that you are including in the User group.

      The SDP Users and Users are added to the Members list.

  7. Click Save.

Deleting User Groups

To remove a User group, you must first remove it from anywhere it is used in other policies and rules in the Cato Management Application. For example, if you don't remove the User group from security and network rules, then you can't delete the group.


Note: You cannot undo a deletion.

To delete a User group:

  1. In the navigation menu, click Access > User Groups and select the User group.

  2. Click Delete next to the User group you wish to delete.

    A confirmation window opens.

  3. Click Delete.

    The User group is deleted.
