mirror of
https://github.com/goauthentik/authentik
synced 2026-04-27 09:57:31 +02:00
3fd278e16d
* new first steps docs * moved email config up to match Docker * first draft * moved sections and retitled some * more content, tweaks * dewis edits * added Dewi ideas, more content, tweaks * more content, green tips, other fixes * Optimised images with calibre/image-actions * Optimised images with calibre/image-actions * Optimised images with calibre/image-actions * conflicts? * dominic's eedits, more content * another fine Dominic edit * more dewi and dominic edits, links * a bunch of things Signed-off-by: Jens Langhammer <jens@goauthentik.io> * tweaks * thanks Teffen * new styles, more content * few more dominic edits, tweaks * formatting fights on tips * fix some alignments Signed-off-by: Jens Langhammer <jens@goauthentik.io> * changes from Jens * work on bindings docs that was needed for the first steps docs * links, more tweaks * more edits, more TODOs done * add mermaid diagram, more links, more content * fix sidebar, tweaks * tweak * more link fixing * fix heading size * more dewi and dominic edits * more dewi and dominic edits * teffen enhancements yay and more bindings rearchitecting * added note about stage bindings being the only type of binding that you can bind to yeehaw --------- Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com> Co-authored-by: Dewi Roberts <dewi@goauthentik.io> Co-authored-by: Jens Langhammer <jens@goauthentik.io>
72 lines
3.6 KiB
Plaintext
72 lines
3.6 KiB
Plaintext
---
|
|
title: Manage groups
|
|
description: "Learn how to work with groups in authentik."
|
|
---
|
|
|
|
A group is a collection of users. Refer to the following sections to learn how to create and manage groups, assign users and roles to groups, and how [permissions](../access-control/manage_permissions.md) work on a group level.
|
|
|
|
## Create a group
|
|
|
|
To create a new group, follow these steps:
|
|
|
|
1. In the Admin interface, navigate to **Directory > Groups**.
|
|
2. Click **Create** at the top of the Groups page.
|
|
3. In the Create box, define the following:
|
|
- **Name** of the group
|
|
- Whether or not users in that group will all be **super-users** (means anyone in that group has all permissions on everything)
|
|
- Any **Parent** groups
|
|
- Select **Roles** to apply to this group
|
|
- Any custom attributes
|
|
4. Click **Create**.
|
|
|
|
:::info
|
|
To create a super-user, you need to add the user to a group that has super-user permissions. All members of that group are super-users.
|
|
:::
|
|
|
|
:::warning
|
|
Super-user permission is inherited by all descendant groups. Make sure you review every member of every descendant group to prevent accidentally granting super-user permission.
|
|
:::
|
|
|
|
## Modify a group
|
|
|
|
To edit the group's name, parent groups, whether the group grants superuser permissions, associated roles, and any custom attributes, click the Edit icon beside the role's name. Make the changes and then click **Update**.
|
|
|
|
Starting with authentik version 2025.2, the permission to change super-user status has been separated from the permission required to change the group. Now, the `Enable superuser status` and `Disable superuser status` permissions are explicitly required to enable and disable the super-user status.
|
|
|
|
To [add or remove users](../user/user_basic_operations.md#add-a-user-to-a-group) from the group, or to manage permissions assigned to the group, click on the name of the group to go to the group's detail page and then click on the **Permissions** tab.
|
|
|
|
## Delete a group
|
|
|
|
To delete a group, follow these steps:
|
|
|
|
1. In the Admin interface, navigate to **Directory > Groups**.
|
|
2. Select the checkbox beside the name of the group that you want to delete.
|
|
3. Click **Delete**.
|
|
|
|
## Assign a role to a group
|
|
|
|
You can assign a role to a group, and then all users in the group inherit the permissions assigned to that role. For instructions and more information, see [Assign a role to a group](../roles/manage_roles.md#assign-a-role-to-a-group).
|
|
|
|
:::info
|
|
Roles are inherited through group hierarchy. If a parent group has a role assigned, all child groups (and their users) automatically inherit that role's permissions. You can view both directly assigned and inherited roles on a group's detail page under the **Roles** tab.
|
|
:::
|
|
|
|
## Bind a group to an application
|
|
|
|
These bindings control which groups can access an application, and whether or not the application is visible in a group member's **My applications** page. If no bindings for an application are defined, this means that all users and groups can access the application.
|
|
|
|
For instructions refer to [Manage applications](../../add-secure-apps/applications/manage_apps.mdx#bind-a-user-or-group-to-an-application).
|
|
|
|
## Delegating group member management
|
|
|
|
To give a specific role or user the ability to manage group members, the following permissions need to be granted on the matching group object:
|
|
|
|
- Can view group
|
|
- Can add user to group
|
|
- Can remove user from group
|
|
- Can access admin interface (for managing a group's user within the authentik Admin interface)
|
|
|
|
In addition, the permission "Can view User" needs to be assigned, either globally or on specific users that should be manageable.
|
|
|
|
These permissions can be assigned to a [Role](../roles/index.md).
|