Oracle Cloud Infrastructure Documentation

Managing Groups

This topic describes the basics of working with groups.

Important

If your tenancy is federated with Oracle Identity Cloud Service, see Adding Groups and Users for Tenancies Federated with Oracle Identity Cloud Service to manage groups.

Required IAM Policy

If you're in the Administrators group, then you have the required access for managing groups.

For a policy that only gives someone power to determine what groups users are in, see Let group admins manage group membership.

If you're new to policies, see Getting Started with Policies and Common Policies. If you want to dig deeper into writing policies for groups or other IAM components, see Details for IAM.

Tagging Resources

You can apply tags to your resources to help you organize them according to your business needs. You can apply tags at the time you create a resource, or you can update the resource later with the desired tags. For general information about applying tags, see Resource Tags.

Working with Groups

When creating a group, you must provide a unique, unchangeable name for the group. The name must be unique across all groups within your tenancy. You must also provide the group with a description (although it can be an empty string), which is a non-unique, changeable description for the group. Oracle will also assign the group a unique ID called an Oracle Cloud ID (OCID). For more information, see Resource Identifiers.

Note

If you delete a group and then create a new group with the same name, they'll be considered different groups because they'll have different OCIDs.

A group has no permissions until you write at least one policy that gives that group permission to either the tenancy or a compartment. (A policy is an IAM document that specifies who has what type of access to your resources. The term is used in different ways: to mean an individual statement written in the policy language; to mean a collection of statements in a single, named "policy" document, which has an Oracle Cloud ID (OCID) assigned to it; and to mean the overall body of policies your organization uses to control access to resources.) When writing the policy, you can specify the group by using either its unique name or its OCID. Per the preceding note, even if you specify the group name in the policy, IAM internally uses the OCID to determine the group. For information about writing policies, see Managing Policies.

You can delete a group, but only if the group is empty.

For information about the number of groups you can have, see Service Limits.

If you're federating with an identity provider, you'll create mappings between the identity provider's groups and your IAM groups. For more information, see Federating with Identity Providers.

Using the Console

To create a group
To add a user to a group
To remove a user from a group
To delete a group
To update a group's description
To apply tags to a group

Using the API

For information about using the API and signing requests, see REST APIs and Security Credentials. For information about SDKs, see Software Development Kits and Command Line Interface.

Note

Updates Are Not Immediate Across All Regions

Your IAM resources reside in your home region. To enforce policy across all regions, the IAM service replicates your resources in each region. Whenever you create or change a policy, user, or group, the changes take effect first in the home region, and then are propagated out to your other regions. It can take several minutes for changes to take effect in all regions. For example, assume you have a group with permissions to launch instances in the tenancy. If you add UserA to this group, UserA will be able to launch instances in your home region within a minute. However, UserA will not be able to launch instances in other regions until the replication process is complete. This process can take up to several minutes. If UserA tries to launch an instance before replication is complete, they will get a not authorized error.
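The following added example (not Oracle's code, and not the OCI SDK) simulates the propagation behaviour the note describes and shows how a client should treat a not-authorized error received shortly after a group change: retry within a bounded window, then surface the failure, because an error that outlives the replication window points at the policy or the membership rather than at propagation. The region names, the OCIDs and the three-minute replication delay are constructed for illustration and are not Oracle figures.

```python
"""Simulated cross-region replication of a group-membership change, with a
bounded retry for the 'not authorized' window described in the note above.
Added example, not Oracle's code: the region names, OCIDs and the
three-minute replication delay are constructed for illustration."""
import time
from dataclasses import dataclass, field

# Assumed delay for "several minutes"; the note gives no fixed figure.
REPLICATION_DELAY_S = 180.0


class NotAuthorizedError(Exception):
    """Stands in for the not-authorized error the note describes."""


@dataclass
class Region:
    name: str
    # group OCID -> user OCIDs that this region currently knows are members
    memberships: dict = field(default_factory=dict)


@dataclass
class Tenancy:
    home: Region
    others: list
    clock: callable = time.monotonic
    pending: list = field(default_factory=list)  # (apply_at, group, user)

    def add_user_to_group(self, user_ocid, group_ocid):
        """Membership takes effect in the home region at once and in every
        other region only after the replication delay has elapsed."""
        self.home.memberships.setdefault(group_ocid, set()).add(user_ocid)
        self.pending.append((self.clock() + REPLICATION_DELAY_S, group_ocid, user_ocid))

    def _replicate(self):
        now = self.clock()
        remaining = []
        for apply_at, group_ocid, user_ocid in self.pending:
            if apply_at <= now:
                for region in self.others:
                    region.memberships.setdefault(group_ocid, set()).add(user_ocid)
            else:
                remaining.append((apply_at, group_ocid, user_ocid))
        self.pending = remaining

    def launch_instance(self, region, user_ocid, launcher_group_ocid):
        """Authorization as one region sees it: the policy grants the launcher
        group, so the request succeeds only where the membership has replicated."""
        self._replicate()
        if user_ocid not in region.memberships.get(launcher_group_ocid, set()):
            raise NotAuthorizedError(f"{user_ocid} not authorized in {region.name}")
        return f"instance launched in {region.name}"


def retry_during_replication(action, max_wait_s, interval_s=15.0,
                             clock=time.monotonic, sleep=time.sleep):
    """Retry an action that may fail with NotAuthorizedError while a recent
    group change propagates. Returns (result, attempts). Once max_wait_s has
    elapsed the error is re-raised: a failure that outlives the replication
    window is a policy or membership problem, not a propagation delay."""
    deadline = clock() + max_wait_s
    attempts = 0
    while True:
        attempts += 1
        try:
            return action(), attempts
        except NotAuthorizedError:
            if clock() >= deadline:
                raise
            sleep(min(interval_s, deadline - clock()))


class FakeClock:
    """Deterministic clock so the scenario runs offline without waiting."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


def scenario(max_wait_s, interval_s=30.0):
    """Add UserA to the launcher group, then launch in another region.
    Returns (home region succeeded at once, attempts needed, seconds waited)."""
    clock = FakeClock()
    home = Region("us-phoenix-1")
    ashburn = Region("us-ashburn-1")
    tenancy = Tenancy(home=home, others=[ashburn], clock=clock)
    group = "ocid1.group.oc1..exampleLauncherGroup"  # constructed OCID
    user = "ocid1.user.oc1..exampleUserA"            # constructed OCID
    tenancy.add_user_to_group(user, group)
    home_ok = tenancy.launch_instance(home, user, group).endswith(home.name)
    _result, attempts = retry_during_replication(
        lambda: tenancy.launch_instance(ashburn, user, group),
        max_wait_s, interval_s, clock=clock, sleep=clock.sleep)
    return home_ok, attempts, clock.now


if __name__ == "__main__":
    print(scenario(max_wait_s=600))
```

With a ten-minute window the Ashburn launch succeeds on the seventh attempt, once the simulated three minutes have elapsed; with a two-minute window the same call re-raises the error, which is the signal to check the group and the policy instead of retrying further. In a real client the `action` would be the SDK call, and the window should be chosen to cover the propagation time you observe in your tenancy.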

Use these API operations to manage groups:

For API operations related to group mappings for identity providers, see Federating with Identity Providers.