Updated on 2025-07-03 GMT+08:00

Overview

User Groups

A user group is a collection of IAM users. User groups allow you to assign permissions to users in the groups, making it easier to manage the permissions for those users.

For example, each account has a preset admin user group by default. The admin user group has full permissions for cloud services and resources. Any IAM user in the admin user group automatically has the admin group's permissions. If a new user joins your organization and requires admin permissions, you can grant them by adding the user to the admin user group. If a user's job responsibilities change and the user no longer needs admin permissions, you can simply remove the user from the admin group instead of changing the user's permissions individually.

To follow the principle of least privilege (PoLP), you are advised to create user groups and grant each group only the permissions needed for its specific tasks, rather than adding IAM users directly to the admin group.

Characteristics of User Groups

  • A user group can contain multiple IAM users, and an IAM user can be added to multiple user groups.
  • User groups cannot be nested. They can only contain IAM users, not other user groups.
  • By default, each account has only one preset admin user group. You need to create different user groups and assign different permissions to the groups.
  • The number and size of IAM resources in an account are limited. For example, the number of user groups in an account and the number of IAM users that can be added to a user group are limited. For details, see Notes and Constraints.
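
The least-privilege advice and the group characteristics above can be checked against a planned or exported group layout. The following is an added example, not code from this documentation or from the IAM service: the group, user and permission names, the "*" notation for full permissions, and the rule that a user's permissions are the union of their groups' permissions are all assumptions made for illustration.

```python
ADMIN = "admin"  # preset group with full permissions, per the page

# Constructed sample layout; all names and permission strings are hypothetical.
GROUPS = {
    "admin": {"members": {"alice", "bob", "carol", "erin"}, "permissions": {"*"}},
    "ecs-operators": {"members": {"bob"}, "permissions": {"ecs:read", "ecs:operate"}},
    "ecs-viewers": {"members": {"dave"}, "permissions": {"ecs:read"}},
    "obs-readers": {"members": {"carol"}, "permissions": {"obs:read"}},
}
# Permissions each user's tasks need (assumed output of an access review).
REQUIRED = {
    "alice": {"*"},
    "bob": {"ecs:read", "ecs:operate"},
    "carol": {"obs:read", "ecs:read"},
    "erin": {"rds:read"},
}

def nested_members(groups):
    """User groups cannot be nested: report members that are group names."""
    return sorted((g, m) for g, d in groups.items() for m in d["members"] if m in groups)

def effective_permissions(user, groups):
    """Assumption: a user's permissions are the union over all their groups."""
    return set().union(*(d["permissions"] for d in groups.values() if user in d["members"]))

def least_privilege_cover(needed, groups):
    """Greedily pick non-admin groups that grant nothing beyond `needed`."""
    fits = {n: d["permissions"] for n, d in groups.items()
            if n != ADMIN and d["permissions"] <= needed}
    chosen, missing = [], set(needed)
    while missing:
        best = max(sorted(fits), key=lambda n: len(fits[n] & missing), default=None)
        if best is None or not fits[best] & missing:
            break  # no existing group helps: a new task-specific group is needed
        chosen.append(best)
        missing -= fits[best]
    return chosen, sorted(missing)

def audit_admin(groups, required):
    """For admin members who do not need full access, suggest replacement groups."""
    report = {}
    for user in sorted(groups[ADMIN]["members"]):
        needed = required.get(user, set())
        if "*" not in needed:
            report[user] = least_privilege_cover(needed, groups)
    return report

if __name__ == "__main__":
    for user, (use, create_for) in audit_admin(GROUPS, REQUIRED).items():
        print(f"{user}: remove from admin; add to {use}; new group needed for {create_for}")
```

A non-empty second element in a user's result means no existing group fits without over-granting, so a new task-specific group has to be created before the user can leave the admin group.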