Managing Groups

Groups let you assign the same entitlements and IAM roles to multiple users. As an admin user, you can manage groups using the Admin Console, the Groups API, the SCIM API, or a SCIM-enabled Identity Provider like Okta or Azure Active Directory. This topic discusses group management using the Admin Console.

../../_images/groups-tab-aws.png

Using the Admin Console, you can:

  • Add groups.
  • Add users to groups and remove them.
  • Add groups to other groups and remove them.
  • Grant and revoke the ability to create clusters for all group members (if Cluster Access Control has been enabled for the workspace).
  • Add and remove IAM roles for all group members.
  • Manage administrator rights by adding users to the admins group or removing them. (You can also assign a user to the admins group using the User management interface.)

Add a group

  1. Go to the Admin Console and click the Groups tab.

  2. Click + Create Group.

  3. Enter a group name and click Confirm.

    Group names must be unique. You cannot change a group name. If you want to change a group name, you must delete the group and recreate it with the new name.

Add users and child groups to a group

Note

You cannot add a child group to the admins group.

  1. Go to the Admin Console and click the Groups tab.
  2. Select the group you want to update.
  3. On the Members tab, click +Add users or groups.
  4. On the Add users or groups dialog, click the down arrow to display a drop-down list of users and groups, and select the ones you want to add.
  5. Click the down arrow to hide the drop-down list and click Confirm.

Add entitlements to a group

  1. Go to the Admin Console and click the Groups tab.

  2. Select the group you want to update.

  3. On the Entitlements tab, select the entitlement you want to grant to all users in the group.

    Allow cluster creation is the only entitlement available to grant, although others will be added in the future. When you grant this entitlement to users, they are allowed to create and launch new clusters. You can restrict access to existing clusters using cluster-level permissions.

  4. On the confirmation dialog, click Confirm.

Add IAM roles to a group

  1. Go to the Admin Console and click the Groups tab.
  2. Select the group you want to update.
  3. On the IAM Roles tab, click +Add IAM roles to group.
  4. On the Add Roles dialog, click the down arrow to display a drop-down list of IAM roles, and select the ones you want to add.
  5. Click the down arrow to hide the drop-down list and click Add.

View parent groups

  1. Go to the Admin Console and click the Groups tab.
  2. Select the group you want to update.
  3. On the Parents tab, view the parent groups for your group.

Remove a user or child group

  1. Go to the Admin Console and click the Groups tab.
  2. Select the group you want to update.
  3. On the Members tab, find the user or group you want to remove and click the X in the Actions column.
  4. Click Remove Member to confirm.

The user or child group loses all entitlements, IAM roles, and child group memberships granted by virtue of membership in this group. Be aware, however, that they may retain some or all of those IAM roles and entitlements by virtue of membership in other groups or user-level grants.

Remove an entitlement

  1. Go to the Admin Console and click the Groups tab.
  2. Select the group you want to update.
  3. On the Entitlements tab, clear the checkbox for the entitlement you want to revoke for all users in the group.
  4. On the confirmation dialog, click Remove.

Group members lose the entitlement, unless they have permission granted as an individual user or through another group membership.

Remove an IAM role

  1. Go to the Admin Console and click Groups tab.
  2. Select the group you want to update.
  3. On the IAM Roles tab, find the IAM role you want to remove and click the X in the Actions column.
  4. On the confirmation dialog, click Delete.

Group members lose the IAM role, unless they have it as an individual user or through another group membership.

Remove a group from its parent group

  1. Go to the Admin Console and click the Groups tab.
  2. Select the group you want to update.
  3. On the Parents tab, find the parent group you want to secede from and click the X in the Actions column.
  4. On the confirmation dialog, click Remove parent.

All entitlements and IAM roles assigned to the parent group are removed from the members of the group. Be aware, however, that they may retain those entitlements and IAM roles by virtue of membership in other groups or user-level grants.