Groups

Groups are used to manage access for multiple users at once by assigning roles collectively instead of individually.

A group does not define permissions on its own. It acts as a container for roles, and users inherit permissions by becoming members of a group.


What Is a Group?

A group is a logical collection of roles.

Groups are designed to:

  • Simplify access management for teams

  • Reduce repetitive role assignments

  • Minimize operational errors when onboarding or offboarding users

A group has no effect unless:

  • At least one role is attached to it, and

  • At least one user is added to the group


What Groups Can and Cannot Do

Groups Can

  • Contain one or more roles

  • Be attached to users

  • Grant all attached roles to all group members

Groups Cannot

  • Contain policies directly

  • Contain other groups (no nested groups)

  • Be attached to other groups

Creating a Group

To create a new group:

  1. Navigate to IAM → Groups

  2. Click Create Group

  3. Enter:

    • Group Name (required)

    • Description (recommended)

  4. Attach roles (optional at creation time)

    • Search is available to find roles

    • Both preset and custom roles can be attached

  5. Click Create Group


Putting a Group Into Effect

Creating a group alone does not grant access to anyone.

To apply a group:

  • Add users to the group

    1. Navigate to IAM → Users

    2. Open a user

    3. Click Edit

    4. Attach the group

    5. Save changes

Once attached, the user immediately inherits:

  • All roles attached to the group

  • All permissions defined by those roles


Editing a Group

You can edit a group to:

  • Add roles

  • Remove roles

Downstream Impact of Editing

Deleting a Group

Groups cannot be deleted while they are attached to users.

To delete a group:

  1. Identify all users assigned to the group

  2. Navigate to each user

  3. Remove the group from the user

  4. Return to the group

  5. Delete the group

Deletion permanently removes the group and its role mappings.


Best Practices

Use Groups for Teams

Groups are best suited for:

  • Engineering teams

  • Operations teams

  • Functional roles (e.g., Networking, DevOps, Finance)

Avoid using groups for:

  • Individual users

  • Temporary or one-off access


Prefer Stable Group Definitions

Recommended:

  • Keep group membership dynamic

  • Keep role attachments stable

Avoid:

  • Frequently changing roles attached to widely used groups

  • Overloading a single group with too many roles


Combine Groups With Roles Carefully

Best practice pattern:

  • Roles define what access exists

  • Groups define who gets that access

This separation makes access easier to audit, safer to modify, and simpler to scale.

We recommend creating a role, attaching it to a group, and attaching that group to the user, rather than attaching the role directly to a user who also has groups. This also makes permissions easier to audit.
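An added example (not the product's own code or API): a short Python audit of the group model described on this page, run over a constructed inventory whose layout and names are assumptions. It shows which path grants each role to a user, which groups currently grant nothing, which roles are attached directly to users, and which users must be detached before a group can be deleted.

```python
from collections import defaultdict

# Constructed inventory. The layout and every name in it are assumptions for
# this example, not an export format of the product.
GROUPS = {                      # group -> roles attached to it
    "networking": {"network-admin", "dns-editor"},
    "finance":    {"billing-viewer"},
    "legacy-ops": set(),        # no roles attached
    "devops":     {"deploy"},   # roles attached, but no members below
}
USERS = {                       # user -> groups attached, roles attached directly
    "alice": {"groups": {"networking"}, "roles": set()},
    "bob":   {"groups": {"networking", "finance"}, "roles": {"dns-editor"}},
    "carol": {"groups": {"legacy-ops"}, "roles": {"billing-viewer"}},
}

def members(group):
    """Users the group is attached to; all must be detached before deletion."""
    return sorted(u for u, rec in USERS.items() if group in rec["groups"])

def effective_roles(user):
    """Map each role the user holds to every path that grants it."""
    paths = defaultdict(list)
    for group in sorted(USERS[user]["groups"]):
        for role in GROUPS[group]:
            paths[role].append(f"group:{group}")
    for role in USERS[user]["roles"]:
        paths[role].append("direct")
    return {role: paths[role] for role in sorted(paths)}

def inert_groups():
    """Groups that grant nothing: no role attached, or no user added."""
    return sorted(g for g, roles in GROUPS.items() if not roles or not members(g))

def direct_grants():
    """(user, role, redundant): redundant means a group already grants the role."""
    out = []
    for user in sorted(USERS):
        for role, via in effective_roles(user).items():
            if "direct" in via:
                out.append((user, role, len(via) > 1))
    return out

if __name__ == "__main__":
    for user in sorted(USERS):
        print(user, effective_roles(user))
    print("inert groups:", inert_groups())
    print("direct grants:", direct_grants())
    print("detach before deleting 'networking':", members("networking"))
```

A direct grant marked redundant can be removed without changing the user's access; one that is not redundant is a candidate for a dedicated role attached through a group.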
