Managed groups

A managed group is a resource that represents a collection of accounts. The collection is formed by evaluating account information defined by the auth method's identity provider against the managed group's configuration; members cannot be managed manually. An account can be associated with zero or more managed groups within the same auth method. The managed group can be used as a principal within roles to assign grants.

Attributes

All managed group types have the following configurable attributes:

name - (optional) If set, the name must be unique within the account's auth method.
description - (optional)

OIDC managed group information and attributes

Membership in OIDC managed groups is evaluated when the auth method is used for authentication, based on information contained within the OIDC ID token and the OIDC User Info endpoint. Every authentication will result in a new evaluation of managed group membership.

OIDC managed groups have the following additional attributes:

filter - (required) A boolean expression defining a filter run against the provided information. For general syntax information refer to the filtering concepts page; for more specific information on the data available for this purpose refer to the managed groups filtering page.

LDAP managed group information and attributes

Membership in LDAP managed groups is evaluated when the auth method is used for authentication, based on information contained within the LDAP server. Every authentication results in a new evaluation of managed group membership. LDAP managed groups have the following additional attributes:

group-names - (required) A list of group names.

Referenced by

Service API docs

The following services are relevant to this resource:

Managed Group Service

Tutorial

Refer to the Manage users and groups with HCP Boundary tutorial to learn how to complete user management related tasks.

Refer to the Identity management tutorials to learn about OIDC, LDAP, and managed groups.