Skip to main content
An Auto Group decides its own membership. Instead of picking members by hand, you base the group on a profile attribute, and Iru keeps the membership in sync: when a user’s attribute value matches, they join; when it stops matching, they leave. Auto Groups appear in the same catalog as manual and built-in groups and are assigned to applications the same way.
You never choose an Auto Group’s members by hand - Iru computes them from a profile attribute and keeps them in sync as profiles change.

How they work

You enable Auto Groups on an attribute. From then on, Iru groups users by their value for that attribute and keeps each group’s membership current. When an attribute drives Auto Groups, each distinct value becomes its own group. A user with Department = Engineering lands in the Engineering group; if their department later changes to Sales, Iru moves them out of the Engineering group and into the Sales group on its own. Attributes with a fixed list of allowed values are an especially clean fit, because the set of groups maps directly to the choices you defined.

Membership updates automatically

The defining trait of an Auto Group is that you never edit its members. They are recomputed from profiles, so membership stays correct as your directory changes:
  • A new user whose attribute matches is added to the group.
  • An existing user whose attribute changes is moved to the group that now matches.
  • A user whose value no longer matches - or who is removed - drops out of the group.
Because access assigned to the group follows its membership, granting an app to an Auto Group means access tracks the attribute. Set it up once, and people gain and lose access as their profiles change - no manual edits, no stale membership.
You can’t hand-pick members of an Auto Group; that’s the point. To change who’s in it, change the underlying profile data, or adjust which attribute drives the grouping. For ad-hoc membership, use a manual group instead.

Relationship to attributes

Auto Groups are only as good as the attribute behind them. Because each value becomes a group, an attribute with a fixed set of allowed values gives you a predictable, tidy set of groups, while a free-text attribute can produce a group for every distinct value people enter.
For attributes that should drive groups, define them as fixed-choice (enumeration) attributes in your schema. You’ll get one group per allowed value and avoid surprise groups from typos or inconsistent entries.
Turning Auto Groups off for an attribute, or removing the attribute, also removes the groups it produced and any access that depended on them - so review what’s assigned before you change it.

Roll Auto Groups up into a manual group

An Auto Group can be a member of a manual group, which lets you combine several Auto Groups under one umbrella. Grant access - or attach a policy - to the manual group, and everyone in the nested Auto Groups is included automatically. For example, if a Region attribute drives one Auto Group per region, create a manual Super Region - Americas group and add the US, Canada, and Brazil Region groups to it. Anyone in those regions rolls up into the umbrella group through their Auto Group, with no manual upkeep - and as people change regions, the umbrella membership follows.
Nesting goes one way: an Auto Group can be a member of a manual group, but an Auto Group’s own membership is always computed from its attribute - you can’t hand-add members to it. See Groups for how manual groups nest other groups.

Put it together

Define the attribute

In your schema, create or choose the attribute that should drive grouping - ideally one with a fixed list of allowed values.

Enable Auto Groups

Flag the attribute to drive Auto Groups. Iru creates a group for each value and computes its membership from your users’ profiles.

Assign access

Assign the Auto Groups to applications just like any other group. See Assigning access.

Let it run

As profiles change, membership and the access that follows it stay current on their own.

Next steps

Design attributes

Create the fixed-choice attributes that make the best Auto Groups.

All about groups

Compare Auto Groups with manual and built-in groups.