Group descriptions

This section describes the group definition, related properties, and RBAC.

Group properties

Groups are collections of resources. They are structured and have the following properties:

The group routes allow create, read, update, and delete operations on groups. See the swagger documentation for more details.

Static policies

For static groups, the policy field is treated as a list of modifications to perform. See the following example:

  [{"field": "uid", "equal": "ABCD_default_k8sPod_my-pod-1"}],
  [{"field": "uid", "equal": "ABCD_default_k8sPod_my-pod-2"}],
  [{"field": "uid", "not": true, "equal": "ABCD_default_k8sPod_my-pod-3"}],

In this policy, resources of which the uids are ABCD_default_k8sPod_my-pod-1 and ABCD_default_k8sPod_my-pod-2 are added to the group, and ABCD_default_k8sPod_my-pod-3 is removed from the group.

Note: Members are not added or removed dynamically. They are only added or removed at the time that the server processes the request. This processing is relatively quick, but might not occur immediately if the server is busy with other tasks.

Group RBAC

Both cluster administrators and account administrators have full access to groups. Team administrators and operators only have access to view the groups that their team is granted access to. Groups are a mechanism to grant certain roles access to certain resources and to have a Cloud Resource Name (CRN) in Identity and Access Management (IAM) that can be assigned to teams.

Table. Group Permissions
Role Create Modify Delete View
Cluster Administrator Yes Yes Yes Yes
Account Administrator Yes Yes Yes Yes
Team Administrator Yes Yes* Yes* Yes*
Operator No No No Yes*
Viewer No No No Yes*

Note: * means that access is limited to groups that the user's teams are assigned to.