WebIAM

Groups & Roles

The Groups & Roles page at /iam/groups-roles uses a two-panel layout to manage both group membership and role definitions from a single screen. Groups aggregate users under a shared role; roles define the permission sets that govern what users can do.

Groups Panel

The left panel lists all groups in the tenant with key metrics at a glance:

Element       Description
Group Name    Click to expand the group and view the member list
Member Count  Number of active users in the group
Role Badge    The role assigned to this group — all members inherit these permissions
Member List   Expandable list of group members with their email addresses

Create / Edit Group

The "New Group" button and the edit icon on each group open a modal with:

  • Name — Required. Unique within the tenant.
  • Description — Optional text describing the group's purpose.
  • Role — Required dropdown. Determines the permission set for all group members.
  • Members — Multi-select user picker. Changes take effect immediately.

Roles Panel

The right panel displays both system roles (pre-built, read-only) and custom roles (created by your team). Each role card shows:

  • Role name and type badge (System / Custom)
  • List of permission strings (e.g., cost_analysis:read, alerts:write)
  • Count of users and groups assigned to this role

Creating a Custom Role

Click "New Role" to open the role builder. Select permissions from the checklist grouped by module:

Module           Available Permissions
Cost & Usage     cost_analysis:read, cost_analysis:write
Redshift Health  redshift_health:read
IAM              iam:read, iam:write, iam:admin
Monitoring       alerts:read, alerts:write
Vidura AI        vidura:read

Cloning a Role

The "Clone" action on any role (including system roles) creates a new custom role with the same permission set. This is the recommended way to create roles that are minor variations of a system role.

Permission Model Summary

A user's effective permissions are the union of the most permissive level across all sources:

  • User-level assignment (highest priority)
  • All group memberships (union of group role permissions)
  • Directly assigned role
  • Global tenant defaults (lowest priority)
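The resolution rule above, worked through as an added example (this is not WebIAM's own code). It assumes the level ordering read < write < admin, which the page does not state explicitly, and uses constructed sample sources; because the result is a union, adding a user to any group can only widen their access, never narrow it.

```python
from typing import Dict, Iterable, Set

# Assumed level ordering: the page lists read, write and admin for IAM but does
# not define an ordering. A higher rank is treated as implying the lower ones.
LEVEL_RANK = {"read": 1, "write": 2, "admin": 3}

def parse_permission(perm: str):
    """Split a 'module:level' string such as 'cost_analysis:write'."""
    module, _, level = perm.partition(":")
    if not module or level not in LEVEL_RANK:
        raise ValueError(f"malformed permission string: {perm!r}")
    return module, level

def effective_permissions(sources: Dict[str, Iterable[str]]) -> Set[str]:
    """Union of all sources, keeping the most permissive level per module.

    `sources` maps a source label (user-level assignment, each group's role,
    the directly assigned role, tenant defaults) to its permission strings.
    The priority order of the sources does not change a union.
    """
    best: Dict[str, str] = {}
    for perms in sources.values():
        for perm in perms:
            module, level = parse_permission(perm)
            current = best.get(module)
            if current is None or LEVEL_RANK[level] > LEVEL_RANK[current]:
                best[module] = level
    return {f"{module}:{level}" for module, level in best.items()}

def is_allowed(effective: Set[str], required: str) -> bool:
    """True if the effective set grants `required` at that level or higher."""
    module, level = parse_permission(required)
    for perm in effective:
        mod, lvl = parse_permission(perm)
        if mod == module and LEVEL_RANK[lvl] >= LEVEL_RANK[level]:
            return True
    return False

# Constructed sample: one user, two groups, a direct role and tenant defaults.
SAMPLE_SOURCES = {
    "user-level": ["alerts:write"],
    "group:finance": ["cost_analysis:read", "redshift_health:read"],
    "group:ops": ["cost_analysis:write", "alerts:read"],
    "direct-role": ["iam:read"],
    "tenant-defaults": ["vidura:read"],
}

if __name__ == "__main__":
    eff = effective_permissions(SAMPLE_SOURCES)
    print(sorted(eff))
    print(is_allowed(eff, "cost_analysis:write"), is_allowed(eff, "iam:admin"))
```

Running the sample shows cost_analysis resolved to write (from group:ops) even though group:finance only grants read, which is the behaviour to keep in mind when auditing group membership.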

System Roles Are Read-Only

The built-in Admin and Viewer system roles cannot be edited or deleted. To customize a system role, clone it first and edit the clone.