Security Groups
Azure AD-like groups for organizing users and assigning roles at scale. Users belong to groups, groups have roles. Effective permissions = direct roles + all group roles.
Create a Group
POST /manage/v1/acme/groups
{
  "name": "engineering",
  "description": "Engineering team",
  "type": "security"
}

Types: security (role assignment), distribution (informational).
Manage Members
# Add member
POST /manage/v1/acme/groups/{groupId}/members
{ "user_id": "user-uuid" }
# List members
GET /manage/v1/acme/groups/{groupId}/members
# Remove member
DELETE /manage/v1/acme/groups/{groupId}/members/{userId}

Assign Roles to Groups
# Assign role
POST /manage/v1/acme/groups/{groupId}/roles
{ "role_id": "role-uuid" }
# Remove role
DELETE /manage/v1/acme/groups/{groupId}/roles/{roleId}

All members of the group inherit the role's permissions.
Effective Permissions
User Alice
├── Direct role: "viewer" → [read:dashboard]
└── Group: "engineering"
    └── Role: "developer" → [read:code, deploy:staging, read:dashboard]

Alice's effective permissions: [read:dashboard, read:code, deploy:staging]

The /me endpoint and JWT include merged permissions from all sources.
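The merge described above, written out as an added example (this is illustrative code, not AuthFI's own implementation). The role and group tables are constructed to mirror the Alice example; the rule that a distribution group never contributes roles is an assumption drawn from the "informational" note under Create a Group.

```python
from typing import Dict, Iterable, List

# Constructed sample data for this example (not AuthFI's own tables).
# Role -> permissions granted by that role.
ROLE_PERMISSIONS: Dict[str, List[str]] = {
    "viewer": ["read:dashboard"],
    "developer": ["read:code", "deploy:staging", "read:dashboard"],
}

# Group -> type and the roles assigned to it.  A "distribution" group is
# informational, so this example assumes it never grants roles even if one
# has somehow been attached (the "announce-all" entry models that case).
GROUPS: Dict[str, Dict] = {
    "engineering": {"type": "security", "roles": ["developer"]},
    "cardiology": {"type": "distribution", "roles": []},
    "announce-all": {"type": "distribution", "roles": ["developer"]},
}


def _dedupe(items: Iterable[str]) -> List[str]:
    """Order-preserving de-duplication."""
    seen: List[str] = []
    for item in items:
        if item not in seen:
            seen.append(item)
    return seen


def effective_roles(direct_roles: Iterable[str], group_names: Iterable[str]) -> List[str]:
    """Direct roles first, then roles inherited through each security group."""
    inherited: List[str] = []
    for name in group_names:
        group = GROUPS.get(name)
        if group is None or group["type"] != "security":
            continue  # unknown or distribution group contributes nothing
        inherited.extend(group["roles"])
    return _dedupe(list(direct_roles) + inherited)


def effective_permissions(direct_roles: Iterable[str], group_names: Iterable[str]) -> List[str]:
    """Union of permissions over all effective roles, as /me and the JWT carry it."""
    perms: List[str] = []
    for role in effective_roles(direct_roles, group_names):
        perms.extend(ROLE_PERMISSIONS.get(role, []))
    return _dedupe(perms)


def has_permission(direct_roles: Iterable[str], group_names: Iterable[str], needed: str) -> bool:
    """Authorization check against the merged permission set."""
    return needed in effective_permissions(direct_roles, group_names)


if __name__ == "__main__":
    # Alice: direct "viewer" plus "developer" via the engineering group
    print(effective_permissions(["viewer"], ["engineering"]))
```

Because the merge is a set union, a permission a user holds through a group cannot be revoked by removing a direct role; the group membership has to change as well, which is worth remembering when off-boarding.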
Groups in JWT
{
  "groups": ["engineering", "devops", "cardiology"],
  "roles": ["viewer", "developer"],
  "permissions": ["read:code", "deploy:staging", "read:dashboard"]
}

Groups in eBPF Policies
Access policies can require group membership:
{
  "method": "POST",
  "path_pattern": "/api/deploy/*",
  "required_groups": ["devops"],
  "require_mfa": true
}

Groups in AuthFI Connect
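An added example of evaluating a policy of this shape against the groups claim of a token (illustrative code, not the eBPF policy engine itself). The page does not say how an unmatched request is handled, whether required_groups means any or all listed groups, or how MFA is signalled in the token, so this example assumes default-deny, all listed groups, and the standard "amr" claim containing "mfa" (RFC 8176).

```python
import fnmatch
from typing import Any, Dict, List, Optional, Tuple

# Constructed policy set; the first entry is the shape shown on this page.
POLICIES: List[Dict[str, Any]] = [
    {"method": "POST", "path_pattern": "/api/deploy/*",
     "required_groups": ["devops"], "require_mfa": True},
    {"method": "GET", "path_pattern": "/api/dashboard/*",
     "required_groups": [], "require_mfa": False},
]


def policy_matches(policy: Dict[str, Any], method: str, path: str) -> bool:
    """Method must match exactly; path_pattern is treated as a shell-style glob.
    Assumption: '*' also spans '/' here, which is how fnmatch behaves."""
    return policy["method"] == method and fnmatch.fnmatchcase(path, policy["path_pattern"])


def evaluate(method: str, path: str, claims: Optional[Dict[str, Any]],
             policies: List[Dict[str, Any]] = POLICIES) -> Tuple[bool, str]:
    """Return (allowed, reason) for a request under the first matching policy.

    Assumptions made by this example, not stated on the page:
      * no matching policy means deny (default-deny);
      * required_groups means membership in every listed group;
      * MFA is signalled by "mfa" in the token's "amr" claim (RFC 8176).
    """
    if claims is None:
        return False, "no valid token"
    for policy in policies:
        if not policy_matches(policy, method, path):
            continue
        # Compare against the JWT "groups" claim shown in the section above.
        missing = set(policy.get("required_groups", [])) - set(claims.get("groups", []))
        if missing:
            return False, "missing group(s): " + ", ".join(sorted(missing))
        if policy.get("require_mfa") and "mfa" not in claims.get("amr", []):
            return False, "mfa required"
        return True, "allowed"
    return False, "no matching policy"


if __name__ == "__main__":
    token = {"groups": ["engineering", "devops"], "amr": ["pwd", "mfa"]}
    print(evaluate("POST", "/api/deploy/prod", token))
```

Returning a reason alongside the decision makes denials easy to log; a burst of "missing group(s)" on a deploy path is a useful signal that a group sync has drifted or that someone is probing beyond their membership.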
Map groups to cloud IAM roles:
POST /manage/v1/acme/cloud/mappings
{
  "cloud_account_id": "aws-prod-uuid",
  "authfi_group_id": "engineering-group-uuid",
  "cloud_role": "arn:aws:iam::123:role/DevReadOnly"
}

All members of "engineering" get AWS DevReadOnly access.
Group Sync from SSO
- SAML: Map the groups attribute to AuthFI groups
- OIDC: Map the groups claim to AuthFI groups
- SCIM: Groups provisioned via SCIM are automatically synced
- LDAP: AD group membership maps to AuthFI groups
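An added example of reconciling the IdP's groups attribute or claim with a user's AuthFI memberships, expressed as the member add/remove calls from the Manage Members section (illustrative code, not AuthFI's sync). The IdP-name to AuthFI-group-id mapping and the group ids are constructed placeholders; the decision to leave memberships in unmanaged groups untouched is this example's design choice.

```python
from typing import Any, Dict, Iterable, List, Optional, Tuple

TENANT = "acme"

# Constructed mapping from IdP group names (SAML groups attribute or OIDC
# groups claim) to AuthFI group ids.  The ids are placeholders.
GROUP_MAP: Dict[str, str] = {
    "eng-all": "grp-engineering-uuid",
    "sre": "grp-devops-uuid",
}

ApiCall = Tuple[str, str, Optional[Dict[str, Any]]]  # (method, path, JSON body)


def plan_membership_sync(user_id: str, idp_groups: Iterable[str],
                         current_group_ids: Iterable[str],
                         group_map: Dict[str, str] = GROUP_MAP,
                         tenant: str = TENANT) -> List[ApiCall]:
    """Compute the member add/remove calls that bring a user's AuthFI group
    membership in line with the groups the IdP asserted at login.

    Only groups that appear in group_map are managed by the sync.  A
    membership an admin granted in some other group is neither a target
    nor a victim of the reconciliation, so a short or stale IdP claim
    cannot strip it.  IdP groups with no mapping are ignored.
    """
    managed = set(group_map.values())
    desired = {group_map[g] for g in idp_groups if g in group_map}
    current = set(current_group_ids)
    calls: List[ApiCall] = []
    # Memberships the IdP asserts but AuthFI lacks: add.
    for gid in sorted(desired - current):
        calls.append(("POST", f"/manage/v1/{tenant}/groups/{gid}/members",
                      {"user_id": user_id}))
    # Managed memberships the IdP no longer asserts: remove.
    for gid in sorted((current & managed) - desired):
        calls.append(("DELETE", f"/manage/v1/{tenant}/groups/{gid}/members/{user_id}",
                      None))
    return calls


if __name__ == "__main__":
    for call in plan_membership_sync("user-uuid", ["eng-all", "marketing"],
                                     ["grp-devops-uuid", "grp-manual-uuid"]):
        print(call)
```

Planning the calls as data before issuing them keeps the sync idempotent and reviewable: running it twice with the same input yields an empty plan, and the computed plan can be logged so that an unexpected DELETE against a security group is visible before it takes effect.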