# Groups

Groups are used to **manage access for multiple users at once** by assigning roles collectively instead of individually.

A group does not define permissions on its own. It acts as a **container for roles**, and users inherit permissions by becoming members of a group.

***

### What Is a Group?

A group is a logical collection of **roles**.

Groups are designed to:

* Simplify access management for teams
* Reduce repetitive role assignments
* Minimize operational errors when onboarding or offboarding users

A group has no effect unless:

* At least one role is attached to it, and
* At least one user is added to the group

***

### What Groups Can and Cannot Do

#### Groups Can

* Contain one or more roles
* Be attached to users
* Grant all attached roles to all group members

#### Groups Cannot

* Contain policies directly
* Contain other groups (no nested groups)
* Be attached to other groups

### Creating a Group

To create a new group:

1. Navigate to **IAM → Groups**
2. Click **Create Group**
3. Enter:
   * **Group Name** (required)
   * **Description** (recommended)
4. Attach roles (optional at creation time)
   * Search is available to find roles
   * Both preset and custom roles can be attached
5. Click **Create Group**

***

### Putting a Group Into Effect

Creating a group alone does not grant access to anyone.

To apply a group:

* **Add users to the group**
  1. Navigate to **IAM → Users**
  2. Open a user
  3. Click **Edit**
  4. Attach the group
  5. Save changes

Once attached, the user immediately inherits:

* All roles attached to the group
* All permissions defined by those roles

***

### Editing a Group

You can edit a group to:

* Add roles
* Remove roles

#### Downstream Impact of Editing

{% hint style="warning" %}
Editing a group has immediate downstream effects.

Any change to a group affects:

* All users who are members of the group

Changes may:

* Grant additional access
* Revoke existing access
* Impact active workflows
{% endhint %}

***

### Deleting a Group

Groups cannot be deleted while they are attached to users.

To delete a group:

1. Identify all users assigned to the group
2. Navigate to each user
3. Remove the group from the user
4. Return to the group
5. Delete the group

Deletion permanently removes the group and its role mappings.

***

### Best Practices

#### Use Groups for Teams

Groups are best suited for:

* Engineering teams
* Operations teams
* Functional roles (e.g., Networking, DevOps, Finance)

Avoid using groups for:

* Individual users
* Temporary or one-off access

***

#### Prefer Stable Group Definitions

Recommended:

* Keep group membership dynamic
* Keep role attachments stable

Avoid:

* Frequently changing roles attached to widely used groups
* Overloading a single group with too many roles

***

#### Combine Groups With Roles Carefully

Best practice pattern:

* Roles define **what access exists**
* Groups define **who gets that access**

This separation makes access easier to audit, safer to modify, and simpler to scale.

{% hint style="info" %}
We recommend creating a role, attaching it to a group, and attaching that group to the user, rather than attaching roles directly to a user who also has groups. This also makes permissions easier to audit.
{% endhint %}
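
The audit below is an added example, not part of the product or its documentation. It models the user → group → role relationships described on this page over a constructed export (the data shape and all user, group and role names are assumptions) and reports groups that grant nothing, users with directly attached roles, the users to detach before a group can be deleted, and what each member gains or loses when a group's roles are edited.

```python
# Constructed sample data; this export shape is an assumption, not a product API format.
GROUP_ROLES = {
    "networking": {"vpc-admin", "dns-editor"},
    "devops": {"vpc-admin", "compute-operator"},
    "finance": set(),                   # no role attached: grants nothing
    "legacy-ops": {"storage-viewer"},   # no members: grants nothing
}
USERS = {
    "asha": {"groups": {"networking", "devops"}, "direct_roles": set()},
    "ben": {"groups": {"networking"}, "direct_roles": {"billing-viewer"}},
    "chen": {"groups": {"finance"}, "direct_roles": set()},
}

def members(group):
    """Users attached to a group; all must be detached before the group can be deleted."""
    return sorted(u for u, a in USERS.items() if group in a["groups"])

def effective_roles(user, group_roles=GROUP_ROLES):
    """Roles a user holds directly plus every role inherited through groups."""
    roles = set(USERS[user]["direct_roles"])
    for g in USERS[user]["groups"]:
        roles |= group_roles.get(g, set())
    return roles

def inert_groups():
    """Groups with no effect: no role attached, or no user added."""
    return sorted(g for g, r in GROUP_ROLES.items() if not r or not members(g))

def direct_role_users():
    """Users holding roles outside any group, which is harder to audit."""
    return sorted(u for u, a in USERS.items() if a["direct_roles"])

def edit_impact(group, add=(), remove=()):
    """Per-member roles gained and lost if the group's role list is edited."""
    after = dict(GROUP_ROLES)
    after[group] = (GROUP_ROLES[group] | set(add)) - set(remove)
    impact = {}
    for u in members(group):
        before, new = effective_roles(u), effective_roles(u, after)
        impact[u] = {"gained": sorted(new - before), "lost": sorted(before - new)}
    return impact

if __name__ == "__main__":
    print("inert groups:", inert_groups())
    print("users with direct roles:", direct_role_users())
    print("detach before deleting 'networking':", members("networking"))
    print("edit impact:", edit_impact("networking", remove={"vpc-admin"}))
```

In this sample, removing `vpc-admin` from `networking` changes nothing for `asha`, who still inherits it through `devops`; only `ben` loses the role.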

