Groups
Overview
A group is a membership collection that can contain users and service accounts. It is one of the principal types of an org.
Membership in a group for a user account can be assigned directly or dynamically using a query based on a tag (key/value pair) that has been labeled on a user.
Membership in a group for a service account can only be assigned directly.
Groups can be used by policies to grant access permissions to the group members.
Create a Group
Refer to the Create a Group guide for additional details.
Built-in Groups
Each org has the following built-in groups:
| Group Name | Description |
|---|---|
| superusers | Built-in group for all administrators of the organization |
| viewers | Built-in group for read-only access |
Group Notes
Groups can contain an unlimited amount of users or service accounts.
Group membership can be assigned directly or dynamically (using a query based on any tags that are labeled on a user). Service Accounts can only be assigned directly.
For example, a query can be created to dynamically assign all the users that log in using microsoft.com by using the built-in tag
key firebase/sign_in_provider Equals microsoft.com.
Query Rules
To dynamically assign users to a group, a query can be defined which consists of the following:
- One or more tags (key/value pairs) using one of the operators:
Equals/Exists/Not Exists - One of the following query filters:
Permissions
The permissions below are used to define policies together with one or more of the four principal types:
| Permission | Description | Implies |
|---|---|---|
| create | Create new groups | |
| delete | Delete a group | |
| edit | Modify existing groups | view |
| manage | Full access | create, delete, edit, manage, view |
| view | Read-only view |
Access Report
Displays the permissions granted to principals for the group.
CLI
To view the CLI documentation for groups, click here.