Groups
Groups let you collect users — by team, department, project, or any criterion — and assign roles to the group rather than to each member. Every member inherits the roles the group holds, so adding or removing a user from the group changes their effective permissions without touching individual role assignments.
Use groups when many users share the same access needs. Groups slot on top of RBAC — they do not replace roles.
How Groups Work
Assign a role to a group and every member picks up the role's permissions. Remove a user from the group and they lose those permissions (unless the same role is also assigned directly to them).
Managing Groups
Create a Group
- Go to
/orgs/{orgId}/portal/access-management/groups. - Click Create Group.
- Fill in:
| Field | Description | Example |
|---|---|---|
| Name | Display name | Engineering |
| Slug | Machine-readable identifier | engineering |
| Description | Group purpose | Engineering team members |
Add Members
- Open the group.
- Click Add Members.
- Search for and select users to add.
Assign Roles to a Group
- Open the group.
- Click the Roles tab.
- Add roles every group member should inherit.
API Examples
# Create a group
curl -X POST https://your-domain.com/orgs/{orgId}/api/v1/groups \
-H "Authorization: Bearer {admin_token}" \
-H "Content-Type: application/json" \
-d '{
"name": "Engineering",
"slug": "engineering",
"description": "Engineering team"
}'
# Add a user to a group
curl -X POST https://your-domain.com/orgs/{orgId}/api/v1/groups/{groupId}/members \
-H "Authorization: Bearer {admin_token}" \
-H "Content-Type: application/json" \
-d '{"userId": "user-uuid"}'
# Assign a role to a group
curl -X POST https://your-domain.com/orgs/{orgId}/api/v1/groups/{groupId}/roles \
-H "Authorization: Bearer {admin_token}" \
-H "Content-Type: application/json" \
-d '{"roleId": "role-uuid"}'
Permission Resolution
A user's effective permissions come from two sources:
- Directly assigned roles — roles attached to the user.
- Group-inherited roles — roles attached to groups the user belongs to.
Use Cases
| Scenario | Groups Setup |
|---|---|
| Team-based access | One group per team (Engineering, Marketing, Sales) |
| Project-based access | One group per project with project-specific roles |
| Department hierarchy | Groups for departments, sub-groups for teams |
| Temporary elevated access | Add user to the group, remove when no longer needed |
| Onboarding | Add a new hire to their team's group — they inherit all required roles |
Related
- Roles & Permissions — define roles and permissions.
- ABAC — reference group membership from policy conditions.
- Access Control Overview — compare all authorization models.