Groups

This page provides information about the manual management of groups within StrongDM. You can also see the pages on Single-Sign-On and on Provisioning for details on integrations with identity providers that can manage groups in a central location.

To learn more about migrating from legacy roles (which served as a combination of groups of users and sets of permissions) to the new groups/roles structure in your StrongDM organization, see the Groups Migration section.

Groups at StrongDM are collections of principals. Admins can use groups to grant permissions to a set of users at once, or revoke them, by assigning and unassigning roles. Groups and group membership are managed through StrongDM, but they can also be provisioned from your identity provider.

Manage Groups

On the Groups page in the Admin UI, you can click the Name, Members, or Managed By column header to sort the list by that column. In many cases this lets you quickly find what you are looking for without needing further filters. The URL in your address bar changes to reflect the column sort, so you can bookmark the page in its sorted state.

If needed, you can also search for specific text or use the filters to narrow the results further.

Clicking a group opens the group details view, which allows you to see a list of members of the group, roles assigned to the group, and the group's name and description.

You can also use the CLI to list groups, using the command sdm admin groups list. The response displays columns with each group's ID (used in commands to update/delete the group), its Source (StrongDM or a provisioning integration), and Name.

NAME:
   sdm admin groups list - list Groups

USAGE:
   sdm admin groups list [command options] [arguments...]

OPTIONS:
   --json, -j           output as json
   --filter value       filter e.g. 'field:name tag:key=value ...'
   --filters-help       show valid filter strings and examples
   --filter-json value  path to JSON based filter
   --timeout value      set time limit for command

Add a Group

To add a group in the Admin UI on the Principals > Groups page, click Create Group. Fill in a name for the group, add a description, and optionally add tags. Then, click Save. Once this is done, you can select your new group in the list and edit details and assign members or roles.

To add a group using the CLI, use the sdm admin groups create command.

NAME:
   sdm admin groups create - create a Group

USAGE:
   sdm admin groups create [command options] [arguments...]

OPTIONS:
   --timeout value      set time limit for command
   --description value
   --name value
   --tags value         tags e.g. 'key=value,...'

Assign Members to a Group

Principals (users, service accounts, tokens, and keys) can be added to one or more groups so that they can be managed more efficiently, and so that permissions (via roles) can be added to or removed from groups of individuals at one time.

In the Admin UI, you can add users or service accounts to groups by selecting the group at Principals > Groups and clicking Add members. You can also visit a user's details page by selecting the user at Principals > Users and, on the Groups tab, selecting Assign to groups.

In the CLI, you can add users or service accounts to groups by using the sdm admin groups assign-account command.

NAME:
   sdm admin groups assign-account - assign an Account to a Group

USAGE:
   sdm admin groups assign-account [command options] [arguments...]

OPTIONS:
   --timeout value     set time limit for command
   --account-id value
   --group-id value

Remove Members from a Group

In the Admin UI, members can be removed from a group by selecting the group on the Principals > Groups page and selecting Remove next to the member you wish to remove.

From the CLI, members can be removed by using the sdm admin groups unassign-account command.

NAME:
   sdm admin groups unassign-account - unassign an Account from a Group

USAGE:
   sdm admin groups unassign-account [command options] <AccountGroup ID>

OPTIONS:
   --timeout value  set time limit for command

Assign Roles to a Group

Roles determine what resources the users within a group can access. Each group may be added to one or more roles.

On the Group details page, the Roles tab displays the name of any role(s) that have been assigned to the group.

To add roles to groups in the Admin UI, open the details view of the group, select the Roles tab, and click Add role.

From the CLI, add roles to a group by using the sdm admin groups assign-role command.

NAME:
   sdm admin groups assign-role - assign a Group to a Role

USAGE:
   sdm admin groups assign-role [command options] [arguments...]

OPTIONS:
   --timeout value   set time limit for command
   --group-id value
   --role-id value
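
The assign-account and assign-role steps above, combined into one batch script (an added example, not StrongDM's own code). It uses only the subcommands and flags shown on this page; the function names, the DRY_RUN variable, the ID character allowlist, and the sample IDs are assumptions.

```shell
#!/bin/sh
# Added example: assign accounts and a role to an existing group in one batch.
# Only subcommands and flags shown on this page are used. Function names,
# DRY_RUN, the ID allowlist and the sample IDs are assumptions.

# Accept only letters, digits, '-' and '_' (assumed ID alphabet), and never a
# leading '-', so a bad entry cannot be parsed as an option or split in two.
valid_id() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the command when DRY_RUN=1 (the default); run it when DRY_RUN=0.
run_sdm() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "DRY-RUN: sdm $*"
    else
        sdm "$@"
    fi
}

# Usage: grant_via_group GROUP_ID ROLE_ID ACCOUNT_ID...
grant_via_group() {
    if [ "$#" -lt 3 ]; then
        echo "usage: grant_via_group GROUP_ID ROLE_ID ACCOUNT_ID..." >&2
        return 2
    fi
    group_id=$1
    role_id=$2
    shift 2
    # Validate every ID before changing anything: one bad entry aborts the batch.
    for id in "$group_id" "$role_id" "$@"; do
        valid_id "$id" || { echo "rejected ID: '$id'" >&2; return 1; }
    done
    for account_id in "$@"; do
        run_sdm admin groups assign-account \
            --account-id "$account_id" --group-id "$group_id" || return 1
    done
    # Attach the role last, after membership has been set.
    run_sdm admin groups assign-role \
        --group-id "$group_id" --role-id "$role_id" || return 1
}

# Constructed placeholder IDs; with DRY_RUN unset this only prints the commands.
grant_via_group group-EXAMPLE r-EXAMPLE a-EXAMPLE1 a-EXAMPLE2
```

Review the printed commands first, then set DRY_RUN=0 to apply them with real IDs taken from the list commands.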

Remove Roles From a Group

To remove roles from groups in the Admin UI, open the details view of the group, select the Roles tab, and click Remove.

From the CLI, remove roles from a group by using the sdm admin groups unassign-role command.

NAME:
   sdm admin groups unassign-role - unassign a Group from a Role

USAGE:
   sdm admin groups unassign-role [command options] <GroupRole ID>

OPTIONS:
   --timeout value  set time limit for command

Migrate Legacy Roles to Groups

To learn more about migrating legacy roles (which served as a combination of groups of users and sets of permissions) to the new groups/roles structure in your StrongDM organization, see the Groups Migration section.
