Membership in a group for a user account can be assigned directly or dynamically, using a query that matches a tag (key/value pair) set on the user.
Membership in a group for a service account can only be assigned directly.
Groups can be used by policies to grant access permissions to the group members.
Refer to the Create a Group guide for additional details.
Each org has the following built-in groups:
| Group | Description |
| --- | --- |
| superusers | Built-in group for all administrators of the organization |
| viewers | Built-in group for read-only access |
For example, a query can be created to dynamically assign all the users that log in using microsoft.com by using the built-in tag
To dynamically assign users to a group, a query can be defined which consists of the following:
| Permission | Description | Implies |
| --- | --- | --- |
| create | Create new groups | |
| delete | Delete a group | |
| edit | Modify existing groups | view |
| manage | Full access | create, delete, edit, manage, view |
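The membership rules and the implied permissions above can be checked together when auditing who gains what through a group. The following is an added example, not code from the product or its documentation: the data model, the all-pairs-must-match query form, and the tag key `idp-domain` are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Implied permissions, taken from the page's permissions table.
IMPLIES = {"edit": {"view"},
           "manage": {"create", "delete", "edit", "manage", "view"}}

@dataclass
class Principal:
    name: str
    kind: str                      # "user" or "serviceaccount"
    tags: dict = field(default_factory=dict)

@dataclass
class Group:
    name: str
    direct: set = field(default_factory=set)   # directly assigned names
    tag_query: dict = None         # hypothetical form: every pair must match

def members(group, principals):
    """Direct members, plus users (never service accounts) matching the query."""
    found = set()
    for p in principals:
        dynamic = (p.kind == "user" and bool(group.tag_query) and
                   all(p.tags.get(k) == v for k, v in group.tag_query.items()))
        if p.name in group.direct or dynamic:
            found.add(p.name)
    return found

def effective_permissions(granted):
    """Expand granted permissions with everything they imply."""
    return set().union(*({p} | IMPLIES.get(p, set()) for p in granted))

def audit(groups, bindings, principals):
    """Map each principal to the permissions it gains through group membership."""
    result = {}
    for g in groups:
        perms = effective_permissions(bindings.get(g.name, set()))
        for name in members(g, principals):
            result.setdefault(name, set()).update(perms)
    return result

# Constructed sample data; the tag key "idp-domain" is a placeholder.
PRINCIPALS = [
    Principal("alice", "user", {"idp-domain": "microsoft.com"}),
    Principal("bob", "user", {"idp-domain": "example.org"}),
    Principal("ci-bot", "serviceaccount", {"idp-domain": "microsoft.com"}),
]
GROUPS = [Group("ms-users", tag_query={"idp-domain": "microsoft.com"}),
          Group("ops", direct={"bob"})]
BINDINGS = {"ms-users": {"edit"}, "ops": {"manage"}}

if __name__ == "__main__":
    for name, perms in sorted(audit(GROUPS, BINDINGS, PRINCIPALS).items()):
        print(name, sorted(perms))
```

In this model the service account `ci-bot` carries the matching tag but is not picked up by the dynamic query, while `alice` receives `view` in addition to the granted `edit`.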
Displays the permissions granted to principals for the group.
To view the CLI documentation for groups, click here