Draft management groups

This article describes how to use the 1E PowerShell Toolkit to create and test management groups but without these groups becoming active on the 1E Platform. This allows you to ensure that the rules or membership lists in management groups or management group trees correctly define the target devices. When you are comfortable that the draft groups are correct, you can create normal management groups based on these rules or target device lists and delete the draft groups.

About draft management groups

Draft management groups are like normal management groups except that they cannot be used as scope targets in the 1E Platform. They are intended to confirm that the targets are consistent with the user’s expectations.

  • Draft management groups can only be rule-based. You cannot create a direct-based draft management group.

  • Draft management groups are always associated with a normal management group. You create a draft management group by specifying a normal management group with which it is to be associated.

  • You define the rules for the draft group and then request that membership of the group be evaluated. This process is known as simulation.

  • You can update the draft group rules and repeat the above process to refine the rules used. If you change any property of the draft group, you must re-run simulation before you can update the associated management group from the draft group.

  • Once the draft group has been confirmed through simulation, you can update the associated normal management group. This transfers the rules and other properties associated with the draft group back to the associated normal management group and then deletes the draft group.

Notes

  • Only one draft management group can be created at any time against a management group tree.

    This means that if you have, for example, a tree of ParentMg > ChildMG1 > ChildMG2, and you create a draft management group associated with ChildMG1, then you cannot create another one associated with ParentMG or ChildMG2 unless you delete the draft management group associated with ChildMG1 (or update ChildMG1 from the draft management group).

  • Only one user at a time can create a draft management group against a management group tree.

    If the above draft management group was created by User1, then until User1 deletes it or updates the management group from it, User2 cannot create or update any draft management group in the tree.

  • You cannot view draft management groups created by another user, even if you have the Full Administrator role.

  • Draft management groups are automatically deleted after a time period, which is typically 72 hours.

  • This feature alters the behavior of the API endpoint that is called by the Update-1ESLAManagementGroup cmdlet. It will throw an exception if an attempt is made to directly update a management group because it requires that a draft group has been created, simulated, and then used to update the base management group.

    To avoid backward-compatibility issues, the Update-1ESLAManagementGroup cmdlet will transparently perform these operations if necessary. However, this does mean that updates might be slower on platforms that support management group safeguarding.