A group is a membership collection that can contain users and service accounts. It is one of the principal types of an org.

A user account's membership in a group can be assigned directly, or dynamically using a query based on a tag (key/value pair) applied to the user.

Membership in a group for a service account can only be assigned directly.

Groups can be used by policies to grant access permissions to the group members.

Create a Group

Refer to the Create a Group guide for additional details.

Built-in Groups

Each org has the following built-in groups:

| Group Name | Description |
| --- | --- |
| superusers | Built-in group for all administrators of the organization |
| viewers | Built-in group for read-only access |

Group Notes

Groups can contain an unlimited number of users or service accounts.

Group membership can be assigned directly or dynamically (using a query based on any tags applied to a user). Service accounts can only be assigned directly.

For example, a query can dynamically assign all users who log in using microsoft.com by matching the built-in tag key firebase/sign_in_provider with the Equals operator and the value microsoft.com.

Query Rules

To dynamically assign users to a group, a query can be defined which consists of the following:

  • One or more tags (key/value pairs) using one of the operators: Equals / Exists / Not Exists
  • One of the following query filters:
    • All: All tag items should match
    • Any: Any of the tags should match
    • None: None of these tags should match
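
The query rules above, modelled locally as an added example (not the platform's own code). The evaluation semantics, the function and field names, and every tag other than firebase/sign_in_provider are assumptions made for illustration.

```python
# Added example: a local model of the query rules above, not the platform's code.
# Function and field names are hypothetical.

def term_matches(term, tags):
    """Evaluate one tag term against a user's tags (dict of key -> value)."""
    key, op = term["key"], term["op"]
    if op == "Exists":
        return key in tags
    if op == "Not Exists":
        return key not in tags
    if op == "Equals":
        return tags.get(key) == term["value"]
    raise ValueError(f"unsupported operator: {op!r}")


def is_member(query, tags):
    """Apply the query filter (All / Any / None) over every term."""
    if not query["terms"]:
        # Refuse empty queries: all([]) is True and would admit every user.
        raise ValueError("query needs at least one tag term")
    results = [term_matches(t, tags) for t in query["terms"]]
    match = query["filter"]
    if match == "All":
        return all(results)
    if match == "Any":
        return any(results)
    if match == "None":
        return not any(results)
    raise ValueError(f"unsupported filter: {match!r}")


# Constructed sample data: tag values other than the page's
# firebase/sign_in_provider example are made up.
USERS = {
    "alice": {"firebase/sign_in_provider": "microsoft.com", "team": "sec"},
    "bob": {"firebase/sign_in_provider": "google.com"},
    "carol": {},  # user with no tags at all
}

MS_USERS = {"filter": "All", "terms": [
    {"key": "firebase/sign_in_provider", "op": "Equals", "value": "microsoft.com"}]}
NOT_CONTRACTOR = {"filter": "None", "terms": [
    {"key": "contractor", "op": "Exists"}]}


def members(query):
    return sorted(u for u, tags in USERS.items() if is_member(query, tags))
```

Under this model a None query also matches a user who carries no tags at all, so a negative query is worth checking against untagged accounts before the group is referenced by a policy.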


The permissions below are used to define policies together with one or more of the four principal types:

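| Permission | Description | Implies |
| --- | --- | --- |
| create | Create new groups | |
| delete | Delete a group | |
| edit | Modify existing groups | view |
| manage | Full access | create, delete, edit, manage, view |
| view | Read-only view | |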

Access Report

Displays the permissions granted to principals for the group.


To view the CLI documentation for groups, click here.