HashiCorp Cloud Platform
Groups
This topic describes how to create and manage groups of users in HashiCorp Cloud Platform (HCP). A group is a set of one or more user identities that you want to manage as a single identity.
Introduction
In HCP, groups enable you to manage permissions for multiple users in a consistent manner. You can assign groups to roles and associate them with one or more projects, just as you would for individual user identities. This approach enables you to logically manage users and permissions at scale.
Each group can have a different role for each project it is associated with. The following example illustrates this capability:
- An organization has one user assigned the Admin IAM role and three users assigned the Viewer role.
- The admin creates a group named engineers and adds the viewers as members.
- The admin assigns the engineers group to three projects in the HCP organization, with the following role in each:
  - Admin role in the Development project
  - Contributor role in the Staging project
  - Viewer role in the Production project
As a result, members of the engineers group would be able to perform administrative actions in the Development project, create and modify resources in the Staging project, and continue to read resources in the Production project.
To learn more about user permissions, refer to User permissions.
Requirements
You must have admin permissions for your organization to create and manage groups and users.
Create a group
- Log into the HCP portal and choose your organization.
- Click Access control (IAM) to view a list of users.
- Click Groups.
- Click Create group.
- Enter a group name and description. Group names must be unique across the entire organization.
- Click Create group.
- Click Add group members to add users to the group.
- Choose users to add to the group and click Add group members. If a user you expect to see does not appear in the list, verify that the user has joined the HCP organization.
Assign group roles for members
Once members have been added to your group, you can manage their group role. Within a group, each role has certain permissions that determine who can view and manage the group.
Group role permissions
The following table describes role permissions for each group role.
| Group Permissions | Member | Manager |
|---|---|---|
| View group | ✅ | ✅ |
| Manage group details | ❌ | ✅ |
| Manage group membership | ❌ | ✅ |
| Manage group roles | ❌ | ✅ |
Note
Any member who holds a more permissive organization role is inherently a group manager, regardless of the group role displayed.
Edit group roles
- Log into the HCP portal and choose your organization.
- Click Access control (IAM).
- Click Groups.
- Click the group whose group roles you want to edit.
- Under Members, find the user whose role you want to edit and choose Edit role from the drop-down.
- Choose the group role for that user and click Save.
Assign a project and role
- From the HCP portal choose the project you want to assign a group to.
- From the project dashboard, click Access control (IAM).
- Click Groups.
- Click Add groups.
- Click Select groups. Select one or more groups from the list and then click Add selected groups.
- Select a scope and role to set the group's permissions for the project. Then click Add groups.
- Click Add groups.
Role precedence
When a user is a member of a group that has permission conflicts with the user's permissions in the organization, HCP enforces the most elevated role assigned to the user.
For example, a user assigned the admin role for an organization is an admin for all projects, regardless of the project roles assigned to the groups they are members of.
When a user is in multiple groups with different roles for a project, then HCP enforces the highest role.
When a user is not a member of any group, then HCP enforces their organization role for the project.
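As an added illustration (not part of the HCP documentation), the following Python models these precedence rules against the engineers example above, so you can check what a group grant actually changes for a given user. The role ordering in ROLE_RANK and the user names are assumptions made for the example.

```python
from dataclasses import dataclass

# Rank of the HCP project roles named on this page; a higher number is a
# more elevated role. The ordering admin > contributor > viewer is assumed
# for this example.
ROLE_RANK = {"viewer": 1, "contributor": 2, "admin": 3}


@dataclass
class Group:
    """A group, its members, and the role it holds in each project."""
    name: str
    members: set
    project_roles: dict  # project name -> role name


def _rank(role: str) -> int:
    try:
        return ROLE_RANK[role.lower()]
    except KeyError:
        raise ValueError(f"unknown role: {role!r}")


def effective_role(user: str, org_role: str, groups: list, project: str) -> str:
    """Role HCP enforces for `user` on `project` under the precedence rules:
    the organization role always counts, every group the user belongs to
    contributes its role for that project, and the most elevated role wins.
    A user in no group (or in groups without a role here) keeps the org role."""
    candidates = [org_role.lower()]
    for group in groups:
        if user in group.members and project in group.project_roles:
            candidates.append(group.project_roles[project].lower())
    return max(candidates, key=_rank)


def effective_roles(user: str, org_role: str, groups: list, projects: list) -> dict:
    """Effective role per project, for reviewing a user's access at a glance."""
    return {p: effective_role(user, org_role, groups, p) for p in projects}


# Constructed data mirroring the page's example: three viewers in "engineers".
ENGINEERS = Group(
    name="engineers",
    members={"ana", "ben", "cho"},
    project_roles={"Development": "admin", "Staging": "contributor", "Production": "viewer"},
)
PROJECTS = ["Development", "Staging", "Production"]

if __name__ == "__main__":
    for user, org_role in [("ana", "viewer"), ("dan", "admin"), ("eve", "viewer")]:
        print(user, effective_roles(user, org_role, [ENGINEERS], PROJECTS))
```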