Managing Groups
This topic describes the basics of working with groups.
If your tenancy is federated with Oracle Identity Cloud Service, see Managing Oracle Identity Cloud Service Users and Groups in the Oracle Cloud Infrastructure Console to manage groups.
Required IAM Policy
If you're in the Administrators group, then you have the required access for managing groups.
If you're new to policies, see Getting Started with Policies and Common Policies. If you want to dig deeper into writing policies for groups or other IAM components, see Details for IAM without Identity Domains.
Tagging Resources
Apply tags to resources to help organize them according to business needs. Apply tags at the time you create a resource, or update the resource later with the wanted tags. For general information about applying tags, see Resource Tags.
Working with Groups
When creating a group, you must provide a unique, unchangeable name for the group. The name must be unique across all groups within your tenancy. You must also provide the group with a description (although it can be an empty string), which is a non-unique, changeable description for the group. Oracle will also assign the group a unique ID called an Oracle Cloud ID (OCID). For more information, see Resource Identifiers.
If you delete a group and then create a new group with the same name, they'll be considered different groups because they'll have different OCIDs.
A group has no permissions until you write at least one policy that gives that group permission to either the tenancy or a compartment. When writing the policy, you can specify the group by using either the unique name or the group's OCID. Per the preceding note, even if you specify the group name in the policy, IAM internally uses the OCID to determine the group. For information about writing policies, see Managing Policies.
You can delete a group, but only if the group is empty.
For information about the number of groups you can have, see Service Limits.
If you're federating with an identity provider, you'll create mappings between the identity provider's groups and your IAM groups. For more information, see Federating with Identity Providers.
Using the Console
- Open the navigation menu and select Identity & Security. Under Identity, select Domains. A list of the groups in your tenancy is displayed.
- Click Create Group.
- Enter the following:
- Name: A unique name for the group. The name must be unique across all groups in your tenancy. You cannot change this later. The name must be 1-100 characters long and can include the following characters: lowercase letters a-z, uppercase letters A-Z, 0-9, and the period (.), dash (-), and underscore (_). Spaces are not allowed. Avoid entering confidential information.
- Description: A friendly description. You can change this later if you want to.
- Tags: If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you're not sure whether to apply tags, skip this option or ask an administrator. You can apply tags later.
- Click Create Group.
Next, you might want to add users to the group, or write a policy for the group. See To create a policy.
- Open the navigation menu and select Identity & Security. Under Identity, select Domains. A list of the groups in your tenancy is displayed.
- Locate the group in the list.
- Select the group. Its details are displayed
- Select Add User to Group.
- Select the user from the drop-down list, and then select Add User.
- Open the navigation menu and select Identity & Security. Under Identity, select Domains. A list of the groups in your tenancy is displayed.
- Locate the group in the list.
- Select the group to display its details. A list of users in the group is displayed.
- Locate the user in the list.
- For the user you want to remove, select Remove.
- Confirm when prompted.
Prerequisite: To delete a group, it must not have any users in it.
- Open the navigation menu and select Identity & Security. Under Identity, select Domains. A list of the groups in your tenancy is displayed.
- Locate the group in the list.
- For the group you want to delete, select Delete.
- Confirm when prompted.
This is available only through the API. If you don't have access to the API and need to update a group's description, contact Oracle Support.
Using the API
For information about using the API and signing requests, see REST API documentation and Security Credentials. For information about SDKs, see SDKs and the CLI.
Updates Are Not Immediate Across All Regions
Your IAM resources reside in your home region. To enforce policy across all regions, the IAM service replicates your resources in each region. Whenever you create or change a policy, user, or group, the changes take effect first in the home region, and then are propagated out to your other regions. It can take several minutes for changes to take effect in all regions. For example, assume you have a group with permissions to launch instances in the tenancy. If you add UserA to this group, UserA will be able to launch instances in your home region within a minute. However, UserA will not be able to launch instances in other regions until the replication process is complete. This process can take up to several minutes. If UserA tries to launch an instance before replication is complete, they will get a not authorized error.
Use these API operations to manage groups:
- CreateGroup
- ListGroups
- GetGroup
- UpdateGroup: You can update only the group's description.
- DeleteGroup
- ListUserGroupMemberships: Use to get a list of which users are in a group, or which groups a user is in.
- AddUserToGroup: This operation results in a
UserGroupMembershipobject with its own OCID. - GetUserGroupMembership
- RemoveUserFromGroup: This operation deletes a
UserGroupMembershipobject.
For API operations related to group mappings for identity providers, see Federating with Identity Providers.