Assigning roles to groups is more efficient than assigning the same permissions to individual users one at a time. As an Organization Owner user, you create groups and determine the members that make up your groups and what roles they are assigned.
You can also edit groups after they are created or added. As your Organization expands and changes, add or remove members from your groups.
There are two types of groups available in Tanzu Platform cloud services – custom groups and enterprise groups. Custom groups can be shared with other Organizations. Enterprise groups can be nested in custom groups.
Custom Groups
You create custom groups by entering a name and a description, adding members, and then assigning roles for the Organization and its resources. For example, you can create a custom group and give it an Organization Member role in your Organization, a support role, and read-only access to specific services in the Organization. Custom groups can also include enterprise groups.
For custom groups, you can edit the name and description, add or remove members, and change the role assignment of the group.
Shared Groups
When you create a custom group, you can decide whether to make it shared. As an Organization Owner, you associate the shared group with other Organizations, which allows the members of the shared group to be assigned roles in the associated Organizations and to get access to services without an invitation from the Organization Owners.
Service roles assigned to shared groups are Organization-specific. The Organization Owners from the associated Organizations import the shared group and assign roles to the group within their own Organizations. To import a shared group, the Organization Owners must know the group name or ID.
Only the Organization Owner of the source Organization – the Organization in which the shared group was created – can modify the members of the group or remove it. Removing a shared group from an associated Organization does not delete it, and it can be added back later. See how to manage shared groups.
Enterprise Groups
Enterprise groups are groups synced from your corporate domain. After you federate your corporate domain with Tanzu Platform cloud services, your enterprise groups are available for you to use in your Organization. See how to assign roles to enterprise groups.
For enterprise groups, you can only change the role assignment of the group. You cannot add or remove members from enterprise groups in Tanzu Platform cloud services, but you can assign them roles for the Organization and its resources, and add them to custom groups.
Nested Groups
Adding a group to another group is called nesting. Here’s what you need to know about nested groups:
As an Organization Owner, you can also edit groups after they are created or added. For custom groups, you can edit the name and description, add or remove members, and change the role assignment of the group. For enterprise groups, you can only change the role assignment of the group.
As an Organization Owner, you create and manage groups and, as your Organization expands and changes, add or remove members from your groups.
Note: When you make changes to groups, it may take up to 30 minutes for the changes to take effect in the Organization.