Manage permissions with groups
Use groups to manage access to your organization's applications and simplify user administration.
Overview
A group can grant members:
- A global role for Polaris (organization administrator or organization application manager).
- Access to one or more applications, with an application-level role for each (application administrator, application contributor, or application observer).
Multiple applications and users can be assigned to each group. Each user or application can be a member of multiple groups.
Group management permissions are tightly controlled.
- Only organization administrators can create groups, add users to groups, and assign organization-level roles to groups.
- Organization administrators, organization application managers, and application administrators can grant groups access to applications, and assign application-level roles to groups.
Note: For more information on roles and permissions, see Roles and permissions.
Permission overlap
When more than one group grants a user different levels of access to Polaris or an application, the more permissive role is used. For example:
- If one group grants a user a global role, and another group grants them an application-level role, the global role is used.
- If one group grants a user application administrator access to an application, and a different group grants them contributor access to the same application, the application administrator role is used.
Important: Polaris users inherit permissions from group membership, application membership, and the global role assigned to their account (if set). This means you can assign a global role to each user directly and manage application members and application-level roles without groups.
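The overlap rule, worked through as an added example for access reviews (this is not Polaris code or a Polaris export format). The group names, users, application name and data layout are constructed, and the ranking of roles beyond the two cases stated above is an assumption.

```python
# Added example: constructed data, hypothetical names; not a Polaris export format.
# Rank order beyond the page's two stated cases is an assumption.
GLOBAL_RANK = {"organization application manager": 1, "organization administrator": 2}
APP_RANK = {"application observer": 1, "application contributor": 2,
            "application administrator": 3}

GROUPS = {
    "appsec-leads": {"members": {"dana"},
                     "global_role": "organization application manager", "apps": {}},
    "payments-dev": {"members": {"ali", "dana", "kim"}, "global_role": None,
                     "apps": {"payments-api": "application contributor"}},
    "payments-owners": {"members": {"ali"}, "global_role": None,
                        "apps": {"payments-api": "application administrator"}},
}
DIRECT_GLOBAL = {}  # user -> global role assigned to the account itself
DIRECT_APP = {("kim", "payments-api"): "application observer"}  # direct membership


def grants(user, app):
    """Collect every (role, source) the user holds that applies to `app`."""
    found = []
    if user in DIRECT_GLOBAL:
        found.append((DIRECT_GLOBAL[user], "account"))
    if (user, app) in DIRECT_APP:
        found.append((DIRECT_APP[(user, app)], "application membership"))
    for name, group in GROUPS.items():
        if user in group["members"]:
            if group["global_role"]:
                found.append((group["global_role"], "group:" + name))
            if app in group["apps"]:
                found.append((group["apps"][app], "group:" + name))
    return found


def effective_role(user, app):
    """Apply the overlap rule: any global role wins, else the highest app role."""
    held = grants(user, app)
    global_roles = [g for g in held if g[0] in GLOBAL_RANK]
    pool, rank = (global_roles, GLOBAL_RANK) if global_roles else (held, APP_RANK)
    if not pool:
        return None, []
    role = max(pool, key=lambda g: rank[g[0]])[0]
    shadowed = sorted(src for r, src in held if r != role)  # grants that lost
    return role, shadowed


if __name__ == "__main__":
    for user in ("ali", "dana", "kim", "zed"):
        print(user, effective_role(user, "payments-api"))
```

The second return value lists the sources whose grant was outranked, which shows what a user would fall back to if the winning group membership were removed.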
Manage group membership with your identity provider
Note: See Set up single sign-on (with SAML 2.0) and Manage Polaris groups through your identity provider for more information.
Audit logs
Events appear on the Audit Logs page when:
- A group is created, updated, or deleted.
- Users are added to or removed from a group.
- Applications are added to or removed from a group.
Create a group
Note: Only organization administrators can create groups.
Edit a group
Note: Only organization administrators can edit groups.
Delete a group
Note: Only organization administrators can delete groups.
Find the groups you belong to
A list of groups you belong to appears under Group Membership.
Add multiple groups to an application
Note: Organization administrators, organization application managers, and application administrators can add new groups to an application. For more information, see Add users to an application.