A group is a membership collection that can contain users and service accounts. It is one of the principal types of an org.
Membership in a group for a user account can be assigned directly or dynamically using a query based on a tag (key/value pair) that has been labeled on a user.
Membership in a group for a service account can only be assigned directly.
Groups can be used by policies to grant access permissions to the group members.
Refer to the Create a Group guide for additional details.
Each org has the following built-in groups:
| Group Name | Description |
|---|---|
| superusers | Built-in group for all administrators of the organization |
| viewers | Built-in group for read-only access |
Groups can contain an unlimited number of users or service accounts.
Group membership can be assigned directly or dynamically (using a query based on any tags that are labeled on a user). Service Accounts can only be assigned directly.
For example, a query can be created to dynamically assign all the users that log in using microsoft.com by using the built-in tag key firebase/sign_in_provider Equals microsoft.com.
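The membership rules described above can be modeled in a few lines to check who a query would pull into a group. This is an added example, not the platform's own code or query schema: the `Principal`, `Term` and `resolve_members` names are hypothetical, the principals are constructed sample data, and requiring every term of a query to match is an assumption.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Principal:
    name: str
    kind: str                                   # "user" or "serviceaccount"
    tags: dict = field(default_factory=dict)

@dataclass
class Term:                                     # hypothetical shape of one query term
    key: str
    op: str                                     # "Equals", "Exists" or "Not Exists"
    value: Optional[str] = None

def term_matches(term, tags):
    if term.op == "Equals":
        return tags.get(term.key) == term.value
    if term.op == "Exists":
        return term.key in tags
    if term.op == "Not Exists":
        return term.key not in tags
    raise ValueError(f"unsupported operator: {term.op}")

def resolve_members(direct, query, principals):
    """Return {name: "direct" | "query"} for every member of the group."""
    members = {}
    for p in principals:
        if p.name in direct:
            members[p.name] = "direct"
        # Service accounts are never matched by a query; they are direct-only.
        # Assumption: a user must satisfy every term of the query.
        elif p.kind == "user" and query and all(term_matches(t, p.tags) for t in query):
            members[p.name] = "query"
    return members

# Constructed sample principals (not real accounts)
PRINCIPALS = [
    Principal("alice@example.com", "user", {"firebase/sign_in_provider": "microsoft.com"}),
    Principal("bob@example.com", "user", {"firebase/sign_in_provider": "google.com"}),
    Principal("carol@example.com", "user"),
    Principal("ci-deployer", "serviceaccount", {"firebase/sign_in_provider": "microsoft.com"}),
    Principal("backup-bot", "serviceaccount"),
]
MS_USERS = [Term("firebase/sign_in_provider", "Equals", "microsoft.com")]
NO_PROVIDER = [Term("firebase/sign_in_provider", "Not Exists")]

if __name__ == "__main__":
    print(resolve_members({"backup-bot"}, MS_USERS, PRINCIPALS))
    print(resolve_members(set(), NO_PROVIDER, PRINCIPALS))
```

Running a Not Exists query through a model like this shows which untagged users it would add to a group before a policy grants that group any permissions.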
To dynamically assign users to a group, a query can be defined which consists of the following:
Equals / Exists / Not Exists

The permissions below are used to define policies together with one or more of the four principal types:
| Permission | Description | Implies |
|---|---|---|
| create | Create new groups | |
| delete | Delete a group | |
| edit | Modify existing groups | view |
| manage | Full access | create, delete, edit, manage, view |
| view | Read-only view | |
Displays the permissions granted to principals for the group.
To view the CLI documentation for groups, click here.
To view the schema documentation for groups, click here.