Groups
Groups let you grant permissions to a set of users and service principals. This is useful for sharing permissions across teams that data objects and resources in a Onehouse account.
What are groups?
A group is a named collection of users and service principals inside your Onehouse Account. Each group can be assigned the same permissions you already use for individual users.
Groups exist at the account level, and can be granted permissions for the account and its projects.
How do users inherit permissions from groups?
A user receives the highest privilege granted either directly to the user or indirectly via any group they belong to.
Example: If Alice is a Cluster Viewer individually but belongs to a Cluster Editor group, she can edit.
Group types
| Type | Created by | Editable? | Example use-case |
|---|---|---|---|
| Account | Account Admin | Yes | Groups created by a team lead |
| System | Onehouse | No | Built-in groups like Account Members |
| External | Identity Provider via SCIM identity sync | No | Mirror your Microsoft Entra or Okta groups |
Group roles
Users may have the following roles on a group:
- Group Member: View-only access to the group. Inherits any permissions assigned to the group
- Group Manager: Can edit the group (change name or editing members), delete the group, and remove roles from the group
See the permissions docs for full details on group permissions.
Create a group
To create a group, you must be an account admin.
- Open your account console.
- Navigate to Settings > User Management.
- Open the Groups tab and create a group.
Invite members to a group
- Open your group in the account console.
- Click the 'Grant Access' button.
- Add users or service principals.
Grant permissions to a group
You can add permissions to a group in the same way that you would to a user.
- First, a project admin must add the group to a project.
- Open the project.
- Open Settings → Users & Access.
- Click 'invite user' and add the group.
- Assign roles and privileges to the group within the project.
After you grant permissions to a group, all group members and managers will inherit those permissions.
Additional usage notes
- Groups cannot be assigned the account admin role.
- Users with management access to a resource (e.g., a Cluster) can grant roles to groups for that resource, even if they are not part of the group themselves.