Access Groups
Access groups control which users can reach which applications.
How access works
Access in Cetegra Connect is always group-based:
User → Access Group → Application → Network Segments
A user can reach an application only if they are a member of an access group that is assigned to that application. There is no direct user-to-application assignment.
This means:
- Granting access = adding a user to an access group
- Revoking access = removing a user from an access group
- The same group can be assigned to multiple applications
Viewing access groups
Go to Access Groups in the sidebar. The list shows all access groups configured for your organisation. For each group you can see:
- Display name and description
- Number of members
- Applications the group is assigned to
- Membership type (assigned or dynamic)
- Creation date
Click any group to open its detail view.
Group detail view
The detail view shows:
- Applications assigned to this group — the connections users in this group can reach
- Membership type — whether members are manually assigned or automatically added via a rule
- Member count
Group membership itself (the list of individual users) is managed in Microsoft Entra, not in this console. To see a user’s group memberships, go to Users and open their detail view.
Checking a user’s access
To find out which applications a specific user can reach:
1. Go to Users and search for the user.
2. Open the user’s detail view and check their group memberships.
3. Return to Access Groups and look up each of those groups to see which applications they are assigned to.
Alternatively, use the Access Report (in the sidebar) for a complete visual map of the access chain.
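The same lookup can be scripted for many users at once. The following is an added example, not Cetegra code and not based on any Cetegra API: the three dictionaries are constructed stand-ins for what you read in the Users and Access Groups views, and it assumes an application may have more than one group assigned to it.

```python
from collections import defaultdict

# Constructed sample data (hypothetical names, not a Cetegra export).
# Users view: user -> group memberships (managed in Microsoft Entra).
USER_GROUPS = {
    "alice@example.com": {"grp-finance-apps", "grp-erp-admins"},
    "bob@example.com": {"grp-finance-apps"},
    "carol@example.com": set(),
}
# Access Groups view: group -> applications assigned to it.
GROUP_APPS = {
    "grp-finance-apps": {"ERP", "Invoice Archive"},
    "grp-erp-admins": {"ERP", "ERP Admin Console"},
    "grp-unused": {"Legacy Intranet"},
}
# Application -> network segments it exposes.
APP_SEGMENTS = {
    "ERP": ["10.20.0.0/24"],
    "Invoice Archive": ["10.20.5.0/28"],
    "ERP Admin Console": ["10.20.9.0/29"],
    "Legacy Intranet": ["10.99.0.0/16"],
}

def effective_access(user):
    """Walk User -> Access Group -> Application -> Network Segments.

    Returns {application: {"via": [groups], "segments": [...]}}.
    """
    access = defaultdict(lambda: {"via": [], "segments": []})
    for group in sorted(USER_GROUPS.get(user, ())):
        for app in GROUP_APPS.get(group, ()):
            access[app]["via"].append(group)
            access[app]["segments"] = APP_SEGMENTS.get(app, [])
    return dict(access)

def still_reachable_after_removal(user, group):
    """Applications the user keeps after leaving `group`,
    because another of their groups is also assigned to them."""
    return sorted(
        app for app, info in effective_access(user).items()
        if any(g != group for g in info["via"])
    )

if __name__ == "__main__":
    for app, info in sorted(effective_access("alice@example.com").items()):
        print(app, "via", info["via"], "->", info["segments"])
    print(still_reachable_after_removal("alice@example.com", "grp-finance-apps"))
```

Under that assumption, the second function shows why a revocation should be checked against all of a user's groups: removing the sample user from one group leaves ERP reachable through the other.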
Dynamic membership groups
Some groups use a dynamic membership rule — for example, “all users in the Finance department”. These groups are managed automatically by Microsoft Entra based on user attributes. You can identify them by the Dynamic membership type indicator in the group list.
Access lifecycle tools
Because access groups are standard Microsoft Entra security groups, they integrate with other Cetegra features that help manage membership in a structured way — beyond simply adding and removing users manually.
Self-service access requests
Cetegra Workspace Catalog lets you expose any access group as an orderable product in a self-service store. Users can request access themselves, and the request is routed through a configurable approval process before they are added to the group.
Notable capabilities:
- Multi-step approvals — define one or more approval steps, with multiple approvers per step
- Auto-approval for specific groups — members of a chosen group can be approved automatically
- Time-limited access — grant membership for a set number of days; the user is removed from the group automatically when the period expires
- Order tracking — requesters and approvers can follow the status at any time
This makes it practical to offer network access in a controlled, auditable way without requiring an administrator to manually manage every request.
Read more in the Workspace Catalog documentation.
Periodic membership reviews
Cetegra Workspace Group Review lets designated reviewers regularly audit who is in a group and confirm that every member still needs their access. This is useful for ongoing compliance and access hygiene.
Notable capabilities:
- Configurable review intervals and overdue grace periods
- Reviewers receive email reminders when a review is due
- Full audit trail of membership changes and review history per group