> ## Documentation Index
> Fetch the complete documentation index at: https://docs.controlplane.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Group

> Groups organize users and service accounts for access control. Supports direct membership assignment and dynamic query-based membership rules.

## Overview

A group is a membership collection that can contain [users](/reference/user) and [service accounts](/reference/serviceaccount). It is one of the [principal types](/concepts/access-control) of an [org](/reference/org).

Membership in a group for a user account can be assigned directly or dynamically using a query based on a [tag](/core/misc#tags) (key/value pair) that has been labeled on a user.

Membership in a group for a [service account](/reference/serviceaccount) can only be assigned directly.

Groups can be used by [policies](/reference/policy) to grant access permissions to the group members.

## Create a Group

Refer to the [Create a Group](/guides/create-group) guide for additional details.

## Built-in Groups

Each [org](/reference/org) has the following built-in groups:

| Group Name | Description                                               |
| :--------- | :-------------------------------------------------------- |
| superusers | Built-in group for all administrators of the organization |
| viewers    | Built-in group for read-only access                       |

## Group Notes

Groups can contain an unlimited amount of [users](/reference/user) or [service accounts](/reference/serviceaccount).

Group membership can be assigned directly or dynamically (using a [query](#query-rules) based on any [tags](/core/misc#tags) that are labeled on a [user](/reference/user)). [Service Accounts](/reference/serviceaccount) can only be assigned directly.

For example, a [query](#query-rules) can be created to dynamically assign all the users that log in using `microsoft.com` by using the built-in tag key `firebase/sign_in_provider` Equals `microsoft.com`.

## Query Rules

To dynamically assign users to a group, a query can be defined which consists of the following:

* One or more [tags](/core/misc#tags) (key/value pairs) using one of the operators: `Equals` / `Exists` / `Not Exists`
* One of the following query filters:
  * `All`: All [tag](/core/misc#tags) items should match
  * `Any`: Any of the [tags](/core/misc#tags) should match
  * `None`: None of these [tags](/core/misc#tags) should match

## Permissions

The permissions below are used to define [policies](/reference/policy) together with one or more of the four
[principal types](/concepts/access-control):

| Permission | Description            | Implies                            |
| :--------- | :--------------------- | :--------------------------------- |
| create     | Create new groups      |                                    |
| delete     | Delete a group         |                                    |
| edit       | Modify existing groups | view                               |
| manage     | Full access            | create, delete, edit, manage, view |
| view       | Read-only view         |                                    |

## Access Report

Displays the permissions granted to principals for the group.

## CLI

To view the CLI documentation for groups, see the [Group CLI reference](/cli-reference/commands/group).