[IAM]
Groups
Groups are a logical way to organise users within a Realm and simplify access management across organisations, roles, and permissions.
Instead of assigning roles and permissions to individual users, groups allow access to be managed at scale.
What is a group?
A group is a collection of users that share a common purpose, structure, or access pattern.
Groups are used to:
- Organise users into teams or functional units
- Assign roles to multiple users at once
- Simplify permission management
- Reduce direct user-level access configuration
A group itself does not grant access directly; its members inherit the roles assigned to the group, and those roles define the permissions.
Groups in IAM structure
Groups sit between users and roles in the IAM model:
User → Group → Role → Permission
This allows access to be centrally managed while still being flexible per organisation or realm.
Groups and users
Users can:
- Belong to one or multiple groups
- Inherit access based on group membership
- Move between groups as their responsibilities change
This makes groups a flexible mechanism for structuring access without modifying individual user permissions.
Groups and roles
Groups are primarily used to assign roles.
This means:
- A group can contain multiple roles
- All users in a group inherit those roles
- Roles define the actual permissions granted
This separation ensures that access is defined once and reused across many users.
Organisation context
Groups always operate within the context of an organisation.
This means:
- Groups are scoped per organisation
- The same group name can exist in different organisations
- Access is evaluated based on organisation context
This allows each organisation to structure its own teams independently.
Use cases
Groups are commonly used for:
- Teams (engineering, finance, support)
- Customer segments
- Partner or reseller access structures
- Administrative vs. standard user separation
- Project-based access control
Dynamic access control
Groups enable scalable and dynamic access management:
- Add a user to a group → they inherit all access
- Remove a user from a group → access is revoked automatically
- Update group roles → changes apply to all members
This reduces the need for manual permission management per user.
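The Python sketch below is an added example, not the product's code or API. It models the User → Group → Role → Permission chain with organisation-scoped groups and lists which group and role grant a given permission, which is the question to answer when a user keeps access after being removed from one group. The class, organisations, roles and permissions are constructed; union semantics across a user's groups and realm-wide role definitions are assumptions.

```python
from collections import defaultdict

class Directory:
    """Constructed in-memory model; every name here is hypothetical."""

    def __init__(self):
        self.members = defaultdict(set)      # (org, group) -> users
        self.group_roles = defaultdict(set)  # (org, group) -> roles
        self.role_perms = defaultdict(set)   # role -> permissions (assumed realm-wide)

    def paths(self, user, org):
        """Yield (group, role, permission) for each grant reaching the user in org."""
        for (g_org, group), users in self.members.items():
            if g_org != org or user not in users:
                continue  # groups are scoped per organisation
            for role in self.group_roles.get((g_org, group), ()):
                for perm in self.role_perms.get(role, ()):
                    yield group, role, perm

    def effective_permissions(self, user, org):
        """Assumed semantics: union over all of the user's groups in this org."""
        return {perm for _, _, perm in self.paths(user, org)}

    def explain(self, user, org, permission):
        """Every (group, role) pair that grants the permission, for access reviews."""
        return sorted((g, r) for g, r, p in self.paths(user, org) if p == permission)


def build_sample():
    """Constructed sample data: two organisations that both have an 'admins' group."""
    d = Directory()
    d.role_perms["billing-admin"] = {"invoice:read", "invoice:write"}
    d.role_perms["billing-viewer"] = {"invoice:read"}
    d.group_roles[("acme", "admins")].add("billing-admin")
    d.group_roles[("acme", "finance")].add("billing-viewer")
    d.group_roles[("globex", "admins")].add("billing-viewer")
    for key in [("acme", "admins"), ("acme", "finance"), ("globex", "admins")]:
        d.members[key].add("alice")
    return d


if __name__ == "__main__":
    d = build_sample()
    print(d.effective_permissions("alice", "acme"))    # both invoice permissions
    print(d.effective_permissions("alice", "globex"))  # read only, same group name
    d.members[("acme", "admins")].discard("alice")     # removal from one group
    print(d.explain("alice", "acme", "invoice:read"))  # still granted via finance
```

Under these assumptions, an access review should run the `explain` query for every sensitive permission before and after a membership change, because overlapping groups can keep a permission in place.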
Security model
Groups support IAM security by:
- Centralising access assignment
- Reducing configuration errors at user level
- Ensuring consistent role application
- Maintaining auditability of access changes
All group changes are tracked and evaluated in real time.
Why groups matter
Groups are essential for scaling IAM because they:
- Simplify access control for large user bases
- Enable consistent role assignment across users
- Reduce operational overhead in permission management
- Provide structure within organisations and realms
Without groups, IAM would require individual permission management for every user, making it unscalable.