Working with User Groups

Overview of User Groups

You can create User groups for SDP users and users (for User Awareness) as global objects across the Cato Management Application to be used in different rules, policies, and settings. For accounts that use SCIM or LDAP for user provisioning, the SDP users and users are synced to your account and the relevant User groups are created.

Define the items in the Cato Management Application that are members of the group. You can also define special configurations for User Groups relating to DNS and Proxy Configuration. Any special configurations you define for a group apply only to the relevant SDP users and users in that group. For more about defining settings for specific User Groups, see:

User Groups and the Identity Agent for User Awareness

For accounts that use the Client as an Identity Agent for User Awareness, the Cato Cloud uses different methods to identify authenticated SDP users and User Awareness users with the Identity Agent. This means that if there is a group in the IdP for User Awareness users, and one of those users is also an SDP user, then the corresponding User group contains two items, one for the SDP user and one for the User Awareness user. Any policy with the User group will automatically apply to the user whether they authenticated with the Client or not.

For example, Alice Smith is an SDP user (with an SDP license), and she belongs to a group for User Awareness users. The User group contains two items for Alice Smith, one SDP user and one user. In addition, if that User group is added to a firewall block rule, then Alice Smith matches that rule and is blocked regardless of whether she is authenticated with the Client or not.

Understanding System Defined User Groups

Cato automatically creates the All SDP Users System User group. This contains all the SDP users created in your account. Use this User group if you want a rule, policy, or settings to apply to all SDP users.

If you have at least one WMI controller configured, these System User groups are also created:

  • All Users Pending Identification: Users that have been synced but have not signed into the Client

  • All Unidentified Users: Users that cannot be identified

  • All Unmapped Users: Users that can be identified, but cannot be matched to information (e.g. organizational data) that synced from LDAP

Showing User Groups and Members


To show the members of a User group:

  1. In the navigation menu, click Access > User Groups and select the User group.

  2. In the navigation menu, click Members. The group members are displayed.

Adding User Groups

You can define User groups and their members. For User groups that are created as part of SCIM or LDAP user provisioning:

  • Definitions in the General pane are defined by the Cato Management Application and can't be modified

  • To modify members of LDAP or SCIM User groups, modify the settings in the AD or IdP

  • The Type of the User group is SCIM defined or LDAP defined

To add a group and define its members:

  1. In the navigation menu, click Access > User Groups and select the User group.

  2. Click New. The Create User Group panel opens.

  3. Enter the group Name and click Apply. The User group is added to the screen.

  4. Click the User group. The General screen for the User group opens.

  5. (Optional) Enter a Description.

  6. Add the items that are the members of this group:

    1. In the navigation menu, click Members. The User group members are displayed.

    2. From the Add Members drop-down menu, select the type of member to add (SDP User or User).

    3. Select all the users that you are including in the User group.

      The SDP Users and Users are added to the Members list.

  7. Click Save.
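
The following check is an added example, not part of the Cato documentation or any Cato API. For a manually built group, it lists people who are both SDP users and User Awareness users but appear in the group as only one member type, assuming a policy on the group matches only the items the group contains. The member records, field names, and matching by email are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of one User group's member list (not a Cato export format).
# "type" mirrors the two member types in the Add Members menu: SDP User and User.
MEMBERS = [
    {"name": "Alice Smith", "email": "alice@example.com", "type": "SDP User"},
    {"name": "Alice Smith", "email": "alice@example.com", "type": "User"},
    {"name": "Bob Jones", "email": "bob@example.com", "type": "SDP User"},
    {"name": "Carol Diaz", "email": "Carol@Example.com ", "type": "User"},
    {"name": "Dave Lee", "email": "dave@example.com", "type": "User"},
]

# Constructed list of people known to be both an SDP user and a User Awareness
# user. Dave is a User Awareness user only, so one item is expected for him.
BOTH_IDENTITIES = {"alice@example.com", "bob@example.com", "carol@example.com"}

EXPECTED_TYPES = {"SDP User", "User"}


def normalize(email):
    """Compare emails case-insensitively and ignore stray whitespace."""
    return email.strip().lower()


def find_single_identity_members(members, both_identities):
    """Return {email: [missing member types]} for dual-identity people
    who are in the group under only one of their two identities."""
    seen = defaultdict(set)
    for member in members:
        if member["type"] not in EXPECTED_TYPES:
            raise ValueError(f"unknown member type: {member['type']!r}")
        seen[normalize(member["email"])].add(member["type"])

    dual = {normalize(e) for e in both_identities}
    gaps = {}
    for email, types in seen.items():
        missing = EXPECTED_TYPES - types
        if email in dual and missing:
            gaps[email] = sorted(missing)
    return gaps


if __name__ == "__main__":
    for email, missing in sorted(find_single_identity_members(MEMBERS, BOTH_IDENTITIES).items()):
        print(f"{email}: group lacks item of type {', '.join(missing)}")
```
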

Deleting User Groups

To remove a User group, you must first remove it from anywhere it is used in other policies and rules in the Cato Management Application. For example, if you don't remove the User group from security and network rules, then you can't delete the group.


Note: You cannot undo a deletion.

To delete a User group:

  1. In the navigation menu, click Access > User Groups and select the User group.

  2. Click the Delete icon next to the User group you wish to delete.

    A confirmation window opens.

  3. Click Delete.

    The User group is deleted.
