To make permissions management easier, you can assign roles to groups and individual users.

Using group roles, you can:

  • Manage roles for multiple users at once.
  • Apply role changes in bulk.
  • See users that have a certain role by viewing group members.

You can use roles to manage permissions for groups of administrators. For more information, see Managing administrators.

For security reasons, only static groups can have roles assigned to them. That is, you can’t assign roles to groups that have members included based on a filter or rule. With a dynamic group, you might inadvertently add users to the group, and those users would inherit the group's role assignments. For more information, see Static and dynamic groups.

When adding users to groups that have roles assigned, be careful not to inadvertently assign a role to a user by adding them to a group. If a user has a role from being in a group, remove the user from the group to remove the role. If a user has a role assigned to them individually, you can remove the role from the user.

Note:
  • You can assign only roles that are assigned to you, or that are assignable by those roles. For example, the Identity Data Admin role has permissions that allow it to assign the Identity Data Admin Read Only role. Therefore, if you are assigned the Identity Data Admin role, you can assign that role or the Identity Data Admin Read Only role to a group.
  • An admin might not have permissions to assign roles but can add or remove users from a group that has role assignments. In other words, one admin can assign roles to a group, and a different admin can add or remove users from that group.
  • You cannot assign roles to a group that you are a member of.
  • You cannot add or remove yourself from a group that has roles assigned to it.
  • Roles assigned to a group will not affect roles that are assigned to a user individually.
  • You can assign roles in up to 500 groups.
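The rules above can be modeled as a small pre-change audit. This is an added example, not product code or a vendor API: the `Group` class, function names, user names and sample groups are all hypothetical, and it assumes that roles an admin inherits from a group count as roles assigned to that admin.

```python
from dataclasses import dataclass, field

MAX_ROLE_GROUPS = 500  # limit stated on this page
# Role -> other roles its holder may assign (only the pair the page names).
ASSIGNABLE = {"Identity Data Admin": {"Identity Data Admin Read Only"}}

@dataclass
class Group:  # hypothetical in-memory model, not a vendor API object
    name: str
    dynamic: bool = False
    members: set = field(default_factory=set)
    roles: set = field(default_factory=set)

def effective_roles(user, direct, groups):
    """Map each role the user holds to where it comes from."""
    sources = {}
    for role in sorted(direct.get(user, ())):
        sources.setdefault(role, []).append("direct")
    for g in groups:
        if user in g.members:
            for role in sorted(g.roles):
                sources.setdefault(role, []).append("group:" + g.name)
    return sources

def can_assign_role(actor, role, group, direct, groups):
    """Return (allowed, reason) for actor assigning role to group."""
    if group.dynamic:
        return False, "dynamic group"
    if actor in group.members:
        return False, "actor is a member of the group"
    if not group.roles and sum(1 for g in groups if g.roles) >= MAX_ROLE_GROUPS:
        return False, "group limit reached"
    # Assumption: roles the actor inherits from groups count as held roles.
    held = effective_roles(actor, direct, groups)
    if role not in held and not any(role in ASSIGNABLE.get(r, ()) for r in held):
        return False, "role not assignable by actor"
    return True, "ok"

def can_change_membership(actor, target, group):
    """Self add/remove is blocked only on groups that carry roles."""
    return not (group.roles and actor == target)

# Constructed sample tenant.
HELPDESK = Group("Helpdesk", members={"bob", "carol"},
                 roles={"Identity Data Admin Read Only"})
CONTRACTORS = Group("Contractors", dynamic=True, members={"dave"})
ADMINS = Group("Admins", members={"alice"})
GROUPS = [HELPDESK, CONTRACTORS, ADMINS]
DIRECT = {"alice": {"Identity Data Admin"},
          "carol": {"Identity Data Admin Read Only"}}
```

In the sample data, `carol` holds the read-only role both directly and through `Helpdesk`, so `effective_roles` lists two sources for it: removing her from the group leaves the individual assignment in place.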

For more information, see Creating a group and Managing group membership.