Manage user groups

What are user groups?

User groups can be used to help manage sets of users that should have the same access. Instead of separately assigning the same role to individual users, a user group can be created, assigned the desired roles, and then users added to the user group. This eases the toil of managing individual user permissions and can simplify access management. When a new role is needed, it can be added to the group once and all users' access will reflect the new role.

User groups can be assigned both account-level roles and namespace-level permissions.

One user can be assigned to many groups. If a user's group memberships grant multiple roles for the same resource, the user's effective role is the most permissive of them. For example, if Group A grants a read-only role to a namespace but Group B grants a write role to the same namespace, a user who belongs to both Group A and Group B has the write role on that namespace.
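The most-permissive rule described above means a single broad group can silently widen access granted narrowly elsewhere. The following added example (not Temporal's code) resolves effective namespace permissions from a group export and reports which group is responsible for each elevation; the data layout, the group, user and namespace names, and the numeric ranking are assumptions made for illustration.

```python
from collections import defaultdict

# Assumed ranking for illustration; the page only states that "write" is
# more permissive than "read-only".
RANK = {"read-only": 1, "write": 2}

# Constructed sample data (hypothetical group, user and namespace names).
GROUPS = {
    "group-a": {"members": {"alice", "bob"},
                "namespaces": {"payments": "read-only"}},
    "group-b": {"members": {"alice"},
                "namespaces": {"payments": "write", "orders": "read-only"}},
}


def effective_permissions(groups):
    """Return {user: {namespace: (permission, [granting groups])}}."""
    result = defaultdict(dict)
    for name in sorted(groups):
        group = groups[name]
        for user in group["members"]:
            for ns, perm in group["namespaces"].items():
                current = result[user].get(ns)
                if current is None or RANK[perm] > RANK[current[0]]:
                    result[user][ns] = (perm, [name])  # new most-permissive grant
                elif RANK[perm] == RANK[current[0]]:
                    current[1].append(name)  # another group grants the same level
    return {user: dict(per_ns) for user, per_ns in result.items()}


def escalations(groups):
    """Return (user, namespace, overridden_group, effective_perm, granting_groups)
    for every group grant that a more permissive group overrides."""
    effective = effective_permissions(groups)
    findings = []
    for name in sorted(groups):
        group = groups[name]
        for user in sorted(group["members"]):
            for ns, perm in sorted(group["namespaces"].items()):
                top, via = effective[user][ns]
                if RANK[perm] < RANK[top]:
                    findings.append((user, ns, name, top, tuple(via)))
    return findings


if __name__ == "__main__":
    for user, ns, lower, top, via in escalations(GROUPS):
        print(f"{user} on {ns}: {lower} grant overridden, effective {top} via {', '.join(via)}")
```

Running the review before adding a role to a group shows which existing members would end up with more access than their other groups intended.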

Service accounts cannot be assigned to user groups.

Only users with the Account Owner or Global Admin account-level role can manage user groups.

How SCIM groups work with user groups

SCIM groups work similarly to user groups with respect to role assignment. Unlike a user group, the lifecycle of a SCIM group is fully managed by the SCIM integration, which means:

  1. SCIM groups cannot be created except through the SCIM integration
  2. SCIM groups cannot be deleted except through the SCIM integration
  3. SCIM group membership is managed through the SCIM integration

User groups and SCIM groups can be used simultaneously in a single Temporal Cloud account. One user may belong to multiple SCIM groups and to multiple user groups.

Using user groups and SCIM groups together can be useful when the groups defined in the identity provider (IDP) don't map cleanly to the access you need to grant in Temporal Cloud. Instead of having to update the IDP (which is often sensitive and time-consuming), you can use Temporal Cloud user groups to manage access.

Info: All user group administration requires an Account Owner or Global Admin account-level role.

How to create a user group in your Temporal Cloud account

  1. Navigate to the identities page
  2. Click the Create Group button
  3. Name the group
  4. Assign an account-level role to the group (you can assign namespace-level permissions after the group is created)
  5. Click Save

How to assign roles to a user group

To edit the account role of a group:

  1. Navigate to the identities page
  2. Find the group to edit (to show only groups in the list of identities, click the Groups tab on the table)
  3. Click Edit Group
  4. Click the Account Role dropdown
  5. Select a new account role
  6. Click Save

To add namespace permissions to a group:

  1. Navigate to the identities page
  2. Find the group to edit (to show only groups in the list of identities, click the Groups tab on the table)
  3. Click Edit Group
  4. Click Add Namespaces
  5. Under Grant Access to a Namespace, search for the namespace you’d like to add permissions for
  6. Select the namespace
  7. Click the pencil to edit the permissions for the selected namespace
  8. Click Save

To edit or remove namespace permissions from a group:

  1. Click Edit Group
  2. Click the pencil on a permission to edit it, or the trash can to delete it
  3. Click Save

How to manage users in a group

To add users to the group:

  1. Navigate to the identities page
  2. Find the group to edit (to show only groups in the list of identities, click the Groups tab on the table)
  3. Click Edit Group
  4. Under Members, search for the user you’d like to add
  5. Select the user
  6. Click Save

To remove a user from the group:

  1. Click Edit Group
  2. Under Members, click the X next to the user you’d like to remove
  3. Click Save

Delete a user group

  1. Navigate to the identities page
  2. Find the group to edit (to show only groups in the list of identities, click the Groups tab on the table)
  3. Click the dropdown next to the edit button
  4. Click Delete
  5. Confirm by clicking Delete