
Groups

In RBAC, a group is a collection of users who are sourced from your LDAP directory. Whenever you add a group to an Organization or Team, all members of that group obtain the permissions that are associated with that Organization or Team.

LDAP Group Configuration

To use LDAP groups, authentication must be configured for LDAP access. The LDAP configuration includes:

  • LDAP server connection information

  • A group search filter that defines the groups that are available in your LDAP directory

Add Groups to Organizations and Teams

You can assign groups to both organizations and teams.

When you assign a group to an organization, all group members obtain the permissions of that organization. When groups are assigned to a team, all group members obtain the permissions of the team while also inheriting the permissions of the parent organization for that team.

Dynamic Nature

Groups let you quickly and dynamically change permission sets for multiple users in response to contextual factors, user attributes, and organization-wide changes. Groups are governed by predefined rules or policies that determine access based on real-time data, such as a user’s role, department, or project assignment.

When a user is added to an LDAP group in your directory, that user automatically inherits all of the permissions granted to that group within the system. The inverse is true as well, as the user will lose the granted permissions if they are ever removed from the group. No additional configuration or system updates are needed, as changes in your LDAP directory are automatically reflected. Thus, you do not need to manually manage individual user memberships when team structures change in your directory.

Group Listing

To obtain a list of the groups in your organization:

<insert command>

The list that prints includes:

  • Groups directly added to the Organization
  • Groups added through Teams in that Organization

To obtain a list of the groups in a team:

<insert command>

In this case, the list you receive contains only the groups that have been directly added to the indicated team.
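The inheritance, dynamic-membership and listing rules described above, modelled in Python as an added example for access reviews. This is not the product's code or API; every data structure, function name, organization, team and group name below is constructed for illustration.

```python
# Added illustration: a minimal in-memory model of the rules on this page.
# All names (ORG_GROUPS, TEAM_GROUPS, "acme", "cn=sre", ...) are constructed sample data.
from collections import defaultdict

TEAM_PARENT = {"platform": "acme", "payments": "acme"}   # team -> parent organization
ORG_GROUPS = {"acme": {"cn=all-staff"}}                   # groups added directly to an org
TEAM_GROUPS = {"platform": {"cn=sre"}, "payments": {"cn=sre", "cn=finance-eng"}}

def list_team_groups(team):
    """Team listing: only groups added directly to that team."""
    return set(TEAM_GROUPS.get(team, ()))

def list_org_groups(org):
    """Organization listing: direct groups plus groups added through its teams."""
    groups = set(ORG_GROUPS.get(org, ()))
    for team, parent in TEAM_PARENT.items():
        if parent == org:
            groups |= list_team_groups(team)
    return groups

def effective_access(user, ldap_membership):
    """Map each organization/team whose permissions `user` holds to the granting groups.

    `ldap_membership` is the current directory snapshot (group -> set of users).
    Nothing is cached, so a directory change shows up on the next call.
    """
    access = defaultdict(set)
    user_groups = {g for g, members in ldap_membership.items() if user in members}
    for org, groups in ORG_GROUPS.items():
        for g in groups & user_groups:
            access[("org", org)].add(g)
    for team, groups in TEAM_GROUPS.items():
        for g in groups & user_groups:
            access[("team", team)].add(g)
            # Team assignment also carries the parent organization's permissions.
            access[("org", TEAM_PARENT[team])].add(g)
    return dict(access)

if __name__ == "__main__":
    ldap = {"cn=all-staff": {"alice", "bob"}, "cn=sre": {"bob"}, "cn=finance-eng": set()}
    print(sorted(list_org_groups("acme")))
    print(effective_access("bob", ldap))
    ldap["cn=sre"].discard("bob")         # removed from the group in the directory
    print(effective_access("bob", ldap))  # team access gone; org access via all-staff remains
```

Recording which group grants each scope makes it easy to see, during a review, that a group assigned only to a team still gives its members the parent organization's permissions.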

Removing Groups

When you remove a group from an organization or team, all of the permissions granted to the users who were members of that group are revoked.

Best Practices

  • Use groups to manage permissions for teams of users, rather than managing individual user permissions one by one.
  • Leverage the dynamic nature of groups by making your LDAP directory the single source of truth for team structure.
  • Ensure your LDAP group search configuration includes all of the groups that you intend to use.