Groups
As more users are created within HCP, managing permissions for those identities in a consistent manner can become tedious and difficult across many projects.
HCP Groups let you bundle identities and treat them as one unit when assigning roles and associating them with projects. This enables logical user management and clear auditing of permissions.
Each group can have one or more user members. A group can then be associated with one or more projects. Each group can have a different role assigned to it for each project it is associated with.
For example, consider an organization containing 4 users. 1 user has the IAM 'Admin' role and the other 3 have the 'Viewer' role. The admin creates a group named "engineers" and adds the 3 viewers as members. The group "engineers" can then be assigned to the "Development" project with the project-level 'Admin' role, the "Staging" project with the project-level 'Contributor' role and the project "Production" with the project-level 'Viewer' role.
As a result of the group's project-level role assignments, "engineers" group members can take administrative actions within the "Development" project, create/modify resources in the "Staging" project, and continue to read resources in the "Production" project.
Note
To learn more about user permissions, see the User page.
Creating a Group
Similar to users, groups are managed within the organization's Access Control (IAM). Navigate to the Access Control (IAM) page for the organization and view the Groups menu item on the left side navigation. Click the Groups menu item to create a group and assign users.
Note
Groups can only be created by users with Organization-level Admin permissions.
- Click Create group.
- Enter Group name and description.
Note
Group name must be unique across the whole organization.
- Click Create group.
- Click Add group members to add users to the group.
- Select the users to be added to the group. Then click Add group members.
Note
If a user is not shown in the list, it is possible the user has not joined the HCP Organization.
Project and Role assignment
To utilize a group, it must be associated with a project and assigned a role for that project.
- Navigate to the Access control (IAM) page for the project to associate a group with.
- Select Groups within the side navigation.
- Click Add groups.
- Select the group to be associated with the project and click Add selected groups.
- Select the project-level role to be associated with the group.
- Click Add groups.
Role Precedence
The most elevated role is chosen when resolving multiple roles assigned to a user via groups and at the org level. For example, a user who has the admin role for an organization will have an admin role for all projects, regardless of any groups they belong to that have lower roles assigned for the project. Where a user is in multiple groups with differing roles for a project, the highest role is used. Where a user is not in any group, their organization role is used for the project.
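The precedence rule can be modeled locally to audit who ends up with more access to a project than intended. The following is an added example, not HashiCorp code and not an HCP API client. It assumes the ordering Viewer < Contributor < Admin, and the user names and the "release-managers" group are constructed for illustration.

```python
# Local model of the role-precedence rule above; it does not call any HCP API.
# Assumption: roles rank Viewer < Contributor < Admin.
RANK = {"Viewer": 1, "Contributor": 2, "Admin": 3}

# Constructed sample data based on the page's four-user example.
ORG_ROLES = {"alice": "Admin", "bob": "Viewer", "carol": "Viewer", "dave": "Viewer"}
GROUP_MEMBERS = {
    "engineers": {"bob", "carol", "dave"},
    "release-managers": {"carol"},  # hypothetical second group
}
GROUP_PROJECT_ROLES = {
    "engineers": {"Development": "Admin", "Staging": "Contributor",
                  "Production": "Viewer"},
    "release-managers": {"Production": "Contributor"},
}


def grants(user, project):
    """Every (source, role) pair that applies to `user` on `project`."""
    found = [("org", ORG_ROLES[user])]  # the org-level role always applies
    for group in sorted(GROUP_MEMBERS):
        role = GROUP_PROJECT_ROLES.get(group, {}).get(project)
        if user in GROUP_MEMBERS[group] and role is not None:
            found.append((group, role))
    return found


def effective_role(user, project):
    """Most elevated role among the org role and all group roles."""
    return max((role for _, role in grants(user, project)), key=RANK.__getitem__)


def above_ceiling(project, ceiling):
    """Audit: users whose effective role on `project` exceeds `ceiling`,
    mapped to (role, sources granting that role)."""
    findings = {}
    for user in sorted(ORG_ROLES):
        role = effective_role(user, project)
        if RANK[role] > RANK[ceiling]:
            sources = [src for src, r in grants(user, project) if r == role]
            findings[user] = (role, sources)
    return findings


if __name__ == "__main__":
    for user, (role, sources) in above_ceiling("Production", "Viewer").items():
        print(f"{user}: {role} via {', '.join(sources)}")
```

The audit output names the source of each elevated role, which shows whether to change a group's project role, a group's membership, or the user's organization role.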