Groups
A group is a collection of users. Administrators can
create groups and add users to them. Then, rather than
assign a role to each user individually, assign a role to
the group. Every group is in a domain. Groups were
introduced with version 3 of the Identity API (the Grizzly
release of Identity Service).
Identity API V3 provides the following group-related
operations:
Create a group
Delete a group
Update a group (change its name or
description)
Add a user to a group
Remove a user from a group
List group members
List groups for a user
Assign a role on a tenant to a group
Assign a role on a domain to a group
Query role assignments to groups
The Identity service server might not allow all
operations. For example, if using the Identity server
with the LDAP Identity back end and group updates are
disabled, then a request to create, delete, or update
a group fails.
Here are a couple examples:
Group A is granted Role A on Tenant A. If User A
is a member of Group A, when User A gets a token
scoped to Tenant A, the token also includes Role
A.
Group B is granted Role B on Domain B. If User B
is a member of Domain B, if User B gets a token
scoped to Domain B, the token also includes Role
B.