Manage user groups

What are user groups?

User groups can be used to help manage sets of users that should have the same access. Instead of separately assigning the same role to individual users, a user group can be created, assigned the desired roles, and then users added to the user group. This eases the toil of managing individual user permissions and can simplify access management. When a new role is needed, it can be added to the group once and all users' access will reflect the new role.

User groups can be assigned both account-level roles and namespace-level permissions.

One user can be assigned to many groups. If a user's group memberships grant multiple roles for the same resource, the user's effective role is the most permissive of those roles. For example, if Group A grants a read-only role to a namespace but Group B grants a write role to the same namespace, a user who belongs to both Group A and Group B has the write role on that namespace.
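The following is an added example, not code from Temporal's documentation or product: it applies the most-permissive-wins rule above to a user's group memberships and, for auditing, reports which groups are responsible for each effective level. The permission names (read, write, admin), namespace names and group grants are constructed assumptions.

```python
# Added example (not Temporal's code): resolve a user's effective namespace
# permission across several user groups using the page's rule that the most
# permissive grant wins, and report which groups are responsible so an
# administrator can answer "why does this user have write access here?".
# Permission names, namespaces and group grants below are assumptions.
from typing import Dict, List, Tuple

# Least to most permissive; the index is the comparison key.
PERMISSION_ORDER: List[str] = ["read", "write", "admin"]


def rank(permission: str) -> int:
    """Position of a permission level in the least-to-most-permissive order."""
    return PERMISSION_ORDER.index(permission)


def effective_permissions(
    memberships: List[str], group_grants: Dict[str, Dict[str, str]]
) -> Dict[str, Tuple[str, List[str]]]:
    """Return {namespace: (effective_permission, groups granting that level)}.

    group_grants maps group name -> {namespace: permission}. The effective
    permission is the maximum over every group the user belongs to; the
    list holds each group that grants exactly that winning level.
    """
    result: Dict[str, Tuple[str, List[str]]] = {}
    for group in memberships:
        for namespace, permission in group_grants.get(group, {}).items():
            current = result.get(namespace)
            if current is None or rank(permission) > rank(current[0]):
                result[namespace] = (permission, [group])
            elif rank(permission) == rank(current[0]):
                current[1].append(group)
    return result


def groups_elevating_above(
    memberships: List[str], group_grants: Dict[str, Dict[str, str]],
    namespace: str, ceiling: str,
) -> List[str]:
    """Groups whose grant on `namespace` exceeds `ceiling` (e.g. "read").

    Useful as a periodic check: any group listed here is the reason a user
    holds more than the expected level on that namespace.
    """
    return [
        g for g in memberships
        if namespace in group_grants.get(g, {})
        and rank(group_grants[g][namespace]) > rank(ceiling)
    ]


# Constructed sample data mirroring the page's Group A / Group B scenario.
SAMPLE_GRANTS: Dict[str, Dict[str, str]] = {
    "Group A": {"payments": "read"},
    "Group B": {"payments": "write", "billing": "read"},
    "Group C": {"payments": "read"},
}
```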

Service accounts cannot be assigned to user groups.

Only users with the Account Owner or Global Admin account-level role can manage user groups.

How SCIM groups work with user groups

SCIM groups work similarly to user groups with respect to role assignment. Unlike a user group, the lifecycle of a SCIM group is fully managed by the SCIM integration which means:

  1. SCIM groups cannot be created except through the SCIM integration
  2. SCIM groups cannot be deleted except through the SCIM integration
  3. SCIM group membership is managed through the SCIM integration

User groups and SCIM groups can be used simultaneously in a single Temporal Cloud account. One user may belong to multiple SCIM groups and to multiple user groups.

Using user groups and SCIM groups together can be useful when the groups defined in the identity provider (IdP) don't map cleanly to the access you need to grant in Temporal Cloud. Instead of having to update the IdP (which is often sensitive and time-consuming), you can use Temporal Cloud user groups to manage access.

How to create a user group in your Temporal Cloud account

info

To create a user group, a user must have the Account Owner or Global Admin account-level role.

TODO

How to assign roles to a user group

info

To assign roles to a user group, a user must have the Account Owner or Global Admin account-level role.

TODO

How to manage users in a group

info

To manage users in a user group, a user must have the Account Owner or Global Admin account-level role.

Users can be added to or removed from a group in the following ways.

TODO