---
title: Groups
description: Groups may not be enabled in your tenant. To check if groups are enabled, from the Advanced Identity Cloud admin console, go to Identities > Manage. If Alpha realm - Groups is present, then groups are enabled.
component: pingoneaic
page_id: pingoneaic:idm-objects:groups
canonical_url: https://docs.pingidentity.com/pingoneaic/idm-objects/groups.html
keywords: ["Data Object Model", "Groups", "Relationships"]
---

# Groups

|   |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
| - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | Groups may not be enabled in your tenant. To check if groups are enabled, from the Advanced Identity Cloud admin console, go to Identities > Manage. If Alpha realm - Groups is present, then groups are enabled.If this is not present, enable groups using the [Feature enablement](../idm-rest-api/endpoints/rest-feature.html) endpoint.If you previously used AM static groups, create a Ping Identity [support case](https://support.pingidentity.com/s/) for guidance on how to migrate group membership to managed groups. |

Groups are an important tool for identity management because they simplify managing collections of users by applying permissions and authorizations to all members of a group rather than to individual users. Groups may follow an organization structure or be based on the needs and privileges of an arbitrary set of users.

The managed *group* object is a default managed object type and is defined like any other managed object type. Managed groups simplify management by using common groups across the entire platform.

Users are made members of groups through the [relationships](relationships.html) mechanism. You should understand how relationships work before you read about IDM groups.

A group can be assigned to a user manually, as a static value of the user's `groups` attribute, or dynamically, as a result of a condition or script. For example, a user might be assigned to a group such as `sales` dynamically, if that user is in the `sales` organization.

A user's `groups` attribute takes an array of *references* as a value, where the references point to the managed groups. For example, if user bjensen has been assigned to two groups (`employees` and `supervisors`), the value of bjensen's `groups` attribute would look something like the following:

```json
"groups": [
  {
    "_ref": "managed/realm-name_group/employees",
    "_refResourceCollection": "managed/realm-name_group",
    "_refResourceId": "employees",
    "_refProperties": {
      "_id": "38a23ddc-1345-48d6-b753-ad97f472a90e",
      "_rev": "ae6e63c4-94f5-463b-8bef-7a359b8e3004-1692"
    }
  },
  {
    "_ref": "managed/realm-name_group/supervisors",
    "_refResourceCollection": "managed/realm-name_group",
    "_refResourceId": "supervisors",
    "_refProperties": {
      "_id": "0fabd212-f0c2-4d91-91f2-2b211bb58e89",
      "_rev": "ae6e63c4-94f5-463b-8bef-7a359b8e3004-1974"
    }
  }
]
```

|   |                                                                                                                                                                                                                                                                                                                                                       |
| - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | We recommend you use managed objects for all data management in Advanced Identity Cloud. While managed groups display in the AM admin UI and can serve the same function as a static group created in AM, they are not the same. A managed group supports dynamic, conditional membership you can leverage in other parts of Advanced Identity Cloud. |

The `_refResourceCollection` is the container that holds the group. The `_refResourceId` is the ID of the group. The `_ref` property is a resource path derived from the `_refResourceCollection` and the URL-encoded `_refResourceId`. `_refProperties` provides more information about the relationship.

|   |                                                                                                                                                                    |
| - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
|   | In most cases, Advanced Identity Cloud uses UUIDs as the `_id` for managed objects. Managed groups are an exception: the `_id` and `name` properties should match. |