Groups
Groups let you organize users into logical collections - by team, department, project, or any other criteria. Roles assigned to a group are inherited by all group members, simplifying permission management at scale.
How Groups Work
When you assign a role to a group, every member of that group automatically receives the role's permissions. When a user is removed from the group, they lose those permissions (unless the role is also directly assigned).
Managing Groups
Create a Group
- Go to /t/{tenantSlug}/portal/access-management/groups
- Click Create Group
- Enter group details:
| Field | Description | Example |
|---|---|---|
| Name | Display name | Engineering |
| Slug | Machine-readable identifier | engineering |
| Description | Group purpose | Engineering team members |
Add Members
- Open the group
- Click Add Members
- Search and select users to add
Assign Roles to a Group
- Open the group
- Click the Roles tab
- Add roles that all group members should inherit
API Examples
```bash
# Create a group
curl -X POST https://your-domain.com/t/{tenantSlug}/api/v1/groups \
  -H "Authorization: Bearer {admin_token}" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Engineering",
    "slug": "engineering",
    "description": "Engineering team"
  }'

# Add a user to a group
curl -X POST https://your-domain.com/t/{tenantSlug}/api/v1/groups/{groupId}/members \
  -H "Authorization: Bearer {admin_token}" \
  -H "Content-Type: application/json" \
  -d '{"userId": "user-uuid"}'

# Assign a role to a group
curl -X POST https://your-domain.com/t/{tenantSlug}/api/v1/groups/{groupId}/roles \
  -H "Authorization: Bearer {admin_token}" \
  -H "Content-Type: application/json" \
  -d '{"roleId": "role-uuid"}'
```
Permission Resolution
A user's effective permissions come from:
- Directly assigned roles - Roles assigned to the user
- Group-inherited roles - Roles assigned to groups the user belongs to
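The sketch below is an added example, not the product's own code. It resolves a user's effective roles together with the source of each one, then previews what removing the user from a group would actually revoke. It assumes effective roles are the plain union of both sources with no nested groups, and all user, group and role names and the dict shapes are constructed for illustration.

```python
"""Resolve effective roles from direct and group-inherited assignments.

Constructed sample data; the dict shapes are assumptions, not the
product's API schema.
"""
from collections import defaultdict

# Constructed sample state (hypothetical ids).
DIRECT_ROLES = {"alice": {"viewer"}, "bob": {"deployer"}}
GROUP_MEMBERS = {"engineering": {"alice", "bob"}, "oncall": {"bob"}}
GROUP_ROLES = {"engineering": {"developer"},
               "oncall": {"deployer", "incident-admin"}}


def effective_roles(user, direct, members, group_roles):
    """Map each role the user holds to the set of sources granting it."""
    sources = defaultdict(set)
    for role in direct.get(user, ()):
        sources[role].add("direct")
    for group, users in members.items():
        if user in users:
            for role in group_roles.get(group, ()):
                sources[role].add(f"group:{group}")
    return dict(sources)


def preview_group_removal(user, group, direct, members, group_roles):
    """Return (roles lost, roles still held and why) if user leaves group."""
    before = effective_roles(user, direct, members, group_roles)
    # Build a copy of the membership map without mutating the input.
    remaining = {g: (u - {user} if g == group else u)
                 for g, u in members.items()}
    after = effective_roles(user, direct, remaining, group_roles)
    granted = {r for r, s in before.items() if f"group:{group}" in s}
    lost = granted - set(after)
    retained = {r: after[r] for r in granted & set(after)}
    return lost, retained


if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(user, effective_roles(user, DIRECT_ROLES, GROUP_MEMBERS, GROUP_ROLES))
    lost, retained = preview_group_removal(
        "bob", "oncall", DIRECT_ROLES, GROUP_MEMBERS, GROUP_ROLES)
    print("bob leaves oncall -> loses", lost, "still holds", retained)
```

A non-empty "still holds" result is the case to review when a group is used for temporary access: the role survives the group removal because another assignment still grants it.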
Use Cases
| Scenario | Groups Setup |
|---|---|
| Team-based access | One group per team (Engineering, Marketing, Sales) |
| Project-based access | One group per project with project-specific roles |
| Department hierarchy | Groups for departments, sub-groups for teams |
| Temporary access | Add user to a group for temporary elevated access, remove later |
| Onboarding | Add new employee to their team's group - they inherit all needed roles |
Related Guides
- Roles & Permissions - Define roles and permissions
- ABAC - Use group membership as an attribute in policies
- Access Control Overview - Compare all authorization models