Overview
A group is a membership collection that can contain users and service accounts. It is one of the principal types of an org. A user account's membership in a group can be assigned directly or dynamically, using a query based on a tag (key/value pair) that has been applied to the user. A service account's membership in a group can only be assigned directly. Policies can use groups to grant access permissions to the group members.
Create a Group
Refer to the Create a Group guide for additional details.
Built-in Groups
Each org has the following built-in groups:
| Group Name | Description |
|---|---|
| superusers | Built-in group for all administrators of the organization |
| viewers | Built-in group for read-only access |
Group Notes
Groups can contain an unlimited number of users or service accounts. Group membership can be assigned directly or dynamically (using a query based on any tags that are applied to a user). Service accounts can only be assigned directly. For example, a query can be created to dynamically assign all the users that log in using microsoft.com by using the built-in tag key firebase/sign_in_provider with the operator Equals and the value microsoft.com.
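The membership rules above can be previewed offline before a query is attached to a group. The following Python model is an added example, not code from the platform: it resolves direct and dynamic membership using the Equals, Exists and Not Exists operators listed under Query Rules. The record layout, function names, the `team` tag key and all sample principals are constructed, and it assumes every term of a query must match.

```python
# Local model of group membership for review purposes; not the platform's API.
# Record layout, function names and sample data are assumptions (constructed).

def term_matches(tags, term):
    """Evaluate one query term against a principal's tags."""
    key, op = term["key"], term["op"]
    if op == "Exists":
        return key in tags
    if op == "Not Exists":
        return key not in tags
    if op == "Equals":
        return tags.get(key) == term["value"]
    raise ValueError(f"unsupported operator: {op!r}")

def effective_members(group, principals):
    """Return the sorted names of a group's direct and dynamic members."""
    members = set(group.get("direct", []))
    terms = group.get("query", [])
    for p in principals:
        # Service accounts can only be assigned directly, so a query never adds them.
        if p["kind"] != "user" or not terms:
            continue
        # Assumption: every term must match for the user to join.
        if all(term_matches(p["tags"], t) for t in terms):
            members.add(p["name"])
    return sorted(members)

SIGN_IN = "firebase/sign_in_provider"  # built-in tag key named on this page

# Constructed sample principals.
PRINCIPALS = [
    {"kind": "user", "name": "alice@example.com", "tags": {SIGN_IN: "microsoft.com"}},
    {"kind": "user", "name": "bob@example.com", "tags": {SIGN_IN: "google.com"}},
    {"kind": "user", "name": "carol@example.com", "tags": {}},
    {"kind": "serviceaccount", "name": "ci-deployer", "tags": {SIGN_IN: "microsoft.com"}},
]

# Constructed sample groups.
MS_USERS = {"direct": [], "query": [{"key": SIGN_IN, "op": "Equals", "value": "microsoft.com"}]}
UNTAGGED = {"direct": ["ci-deployer"], "query": [{"key": "team", "op": "Not Exists"}]}

if __name__ == "__main__":
    print("ms-users:", effective_members(MS_USERS, PRINCIPALS))
    print("untagged:", effective_members(UNTAGGED, PRINCIPALS))
```

In this model a Not Exists term matches every user that lacks the tag, including users added later, so such a query deserves a membership preview before the group is bound to a policy.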
Query Rules
To dynamically assign users to a group, a query can be defined which consists of the following:
- One or more tags (key/value pairs) using one of the operators: Equals/Exists/Not Exists
- One of the following query filters:
Permissions
The permissions below are used to define policies together with one or more of the four principal types:
| Permission | Description | Implies |
|---|---|---|
| create | Create new groups | |
| delete | Delete a group | |
| edit | Modify existing groups | view |
| manage | Full access | create, delete, edit, manage, view |
| view | Read-only view | |