.png)
Group-Based User Management
User groups are a powerful tool that, if initially configured correctly, can help you with secure access control, automatic functions, rights, quotas and other assignments, and overall user management. You can create internal MyQ groups (used only in the context of your MyQ environment) together with your current organizational structure in Active Directory, Entra ID, or LDAP servers, or you might not create any internal groups and use only your existing organizational group memberships.
Concept of Group-based User Management
The idea behind group-based management is simple:
Your users are likely already categorized into groups based on their department or access control level.
Suppose you preconfigure the MyQ environment to utilize your organization’s group structure and security groups and create group-based rules in MyQ. Every time a new user is created, for example, synchronized from Active Directory or self-created their account, they get instant access to functions you predefined for them based on their group membership.
This way you can minimize the need to manage individual users and their rights, accounting, and access to MyQ functions.
Where you can utilize group-based management:
User rights – set the access level for user groups, e.g. define who can view or manage various aspects of the MyQ environment, e.g. printers, reports, queues, and more.
Queue access – set who can print to which queue, and automatically deploy print drivers to the user group with Desktop Client’s printer provisioning.
User job and device policies – you may restrict changes in print options for specific groups or guest users.
Embedded terminals – every terminal action, such as for scanning, copying, access to device native panel applications, custom device applications, ID card registration, and more, can be configured and thus visible only to specific user groups
Accounting and reporting – accounting groups, cost centers, shared quotas between all users of a group or individual quotas for each group member; preset user group filters are helpful in reports which you can schedule to be run automatically.
As you can see in the list above, many aspects of the MyQ environment can be preconfigured per user group, and every new member of such a group will have the experience of using MyQ they are supposed to have.
Synchronize Group Memberships
To use your current organizational structure, create user synchronization sources from your desired directory and adjust the settings related to group synchronization.
Add Synchronization
Read how to effectively configure synchronization from Active Directory, Entra ID, Novell, OpenLDAP, and Lotus Domino, especially regarding required usernames, aliases, ID card/PIN synchronization, and other user profile attributes: Synchronize Users.
Configure Group Synchronization
Entra ID, LDAP, Active Directory
In a synchronization source, you can adjust the level of synchronization on the Groups tab. It is possible to select from the following levels:
Do not synchronize
Full synchronization
Synchronize if not empty
Add new
These settings allow you to:
Skip group synchronization altogether (Do not synchronize)
Synchronize groups 1:1 as they are in the source (Full synchronization), meaning the user is both added to and removed from groups as it is in the source.
Leave a user in at least one group even after they lose all memberships in the directory (Synchronize if not empty).
Ensure that once a user is assigned to a group in MyQ, they do not lose this membership even after they are removed from a group in the source directory (Add new).
CSV
If group memberships exist in the CSV file (and the CSV syntax is correct), groups are created, and users are assigned to them.
Active Directory and LDAP group attributes
In LDAP, including Active Directory, it is possible to define additional group memberships from the user’s attribute, distinguished name, or the memberOf attribute.
This gives you the flexibility to choose where MyQ gets each user's group membership information from.
These settings are then combined, and the user becomes a member of all detected groups.
Example of LDAP group settings
Manual Synchronization
You can synchronize all or selected user groups and users manually:
in Settings → User Synchronization by clicking Synchronize now (only enabled synchronization sources are used), or
in Settings → Task Scheduler by running the User Synchronization task manually.
If you synchronize large numbers of users or groups manually, it is recommended to do it from the Task Scheduler page. There is a timeout applied when you run synchronization from the User Synchronization page and it might not be completed in time.
Automatic Synchronization
Groups will also be updated automatically as per the settings above if you schedule a task for user synchronizations, e.g. every night, to keep your user group list up to date. All user synchronization sources in Settings → User Synchronization will be performed per their settings.
Update and Customize Group Memberships from a Directory
You can combine multiple synchronization sources and use them to update the synchronized users if required.
A common use case is an update of users with an additional CSV file import:
Create a synchronization source, e.g. Active Directory in which you enable Export to CSV after successful import.
Run the Active Directory synchronization which imports users and also exports them into CSV.
Programmatically modify the CSV file according to your required adjustments with scripting, for example with PowerShell.
Create another synchronization source from the CSV created in Step 2, and schedule it to run after the AD synchronization (for example after 30 minutes).
This enables not only additional adjustment in user groups and users but also allows you to add users into internal MyQ groups that do not exist in the directory source or database.