Managing Groups

A group has no permissions until you do one of the following:
  • Write at least one policy that gives that group permission to either the tenancy or a compartment. When writing the policy, you can specify the group by using either the unique name or the group's OCID. For information about writing policies, see Managing Policies.
  • Assign the group to an application.
Note

The All-Domain-Users group is a group that's created by IAM. All identity domain users are assigned to this group by default. If you assign this group to any of your applications, then all users are assigned to these applications indirectly.

For a user, the All-Domain-Users group doesn't appear in the Groups tab because this group is assigned automatically when a new user is created. Also, because this group is created by IAM, and not by an administrator, you can't delete this group.

For information about the number of groups you can have, see IAM Object Limits.
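The policy option described above can be audited offline. The following added example (not Oracle's code) parses exported policy statements and lists the groups that no statement references by name or by OCID. The group names, OCIDs, and statements are constructed samples, and the helper names are hypothetical.

```python
import re

# Matches "Allow group [id] <subjects> to <verb> <resource-type> in <scope>".
STATEMENT = re.compile(
    r"^\s*allow\s+group\s+(?:id\s+)?(?P<subjects>.+?)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+(?P<resource>\S+)\s+in\s+"
    r"(?P<scope>tenancy|compartment\s+(?:id\s+)?\S+)",
    re.IGNORECASE,
)

# Constructed sample data: group name -> group OCID (placeholder values).
SAMPLE_GROUPS = {
    "NetworkAdmins": "ocid1.group.oc1..constructed1",
    "Reporting": "ocid1.group.oc1..constructed2",
    "SecOps": "ocid1.group.oc1..constructed3",
    "Interns": "ocid1.group.oc1..constructed4",
}

# Constructed sample policy statements, as exported text.
SAMPLE_POLICIES = [
    "Allow group NetworkAdmins to manage virtual-network-family in compartment Prod",
    "Allow group id ocid1.group.oc1..constructed2 to read buckets in tenancy",
    "allow group SecOps, Auditors to inspect all-resources in tenancy",
]


def grants_by_group(statements):
    """Map each group subject (name or OCID) to its (verb, resource, scope) grants."""
    grants = {}
    for text in statements:
        match = STATEMENT.match(text)
        if not match:
            continue  # not a group statement (for example dynamic-group or any-user)
        grant = (match["verb"].lower(), match["resource"], match["scope"])
        for subject in match["subjects"].split(","):
            grants.setdefault(subject.strip().strip("'\""), []).append(grant)
    return grants


def groups_without_policy(groups, statements):
    """Return names of groups that no statement references by name or OCID.

    Assumption: names are compared exactly as written.
    """
    referenced = set(grants_by_group(statements))
    return sorted(
        name for name, ocid in groups.items()
        if name not in referenced and ocid not in referenced
    )


if __name__ == "__main__":
    print(groups_without_policy(SAMPLE_GROUPS, SAMPLE_POLICIES))
```

A group reported here can still receive access through an application assignment, which policy statements do not show.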

Required Policy or Role

To manage identity domain settings, you must have one of the following access grants:
  • Be a member of the Administrators group
  • Be granted the Identity Domain Administrator role or the Security Administrator role
  • Be a member of a group granted manage domains

To understand more about policies and roles, see The Administrators Group, Policy, and Administrator Roles, Understanding Administrator Roles, and Understanding Policies.