Groups

Groups allow Administrators to organize users and manage role assignments collectively. Instead of assigning roles to individual users, you can assign roles to a group and all members automatically inherit those roles.

Required role: Administrator or SuperUser

Accessing Groups

Navigate to Administration > Groups (or /_admin/groups).

The groups list shows all groups in the current tenant with their member count and assigned roles.

Creating a Group

1. Click Create Group.
2. Enter a Name for the group (e.g., “Release Managers”, “QA Team”, “Operations”).
3. Optionally add a Description to explain the group’s purpose.
4. Click Create.

Managing Group Members

1. Click on the group to open its detail page.
2. In the Members section, click Add Member.
3. Search for and select users to add.
4. Click Add to confirm.

Member Types

Groups can contain several types of members:

Member Type	Description
Individual users	RAMP Internal users or provisioned external users within the tenant
External IDP groups	Groups from LDAP or OIDC providers (when directory browsing is enabled)
Nested groups	Other RAMP groups, creating a hierarchy

Removing Members

1. Navigate to the group’s detail page.
2. Click the remove button next to the member you want to remove.
3. Confirm the removal.

Note

Removing a user from a group revokes any roles they inherited through that group membership. This takes effect on the user’s next token refresh.

Assigning Roles to Groups

Roles assigned to a group are inherited by all group members. This is the most efficient way to manage role assignments for teams.

1. Click on the group to open its detail page.
2. Open the Roles tab.
3. Click Add Role.
4. Select the desired application role from the dropdown.
5. Click Assign.

Role Inheritance

Role inheritance flows through the group hierarchy:

• Direct membership — a user who is a direct member of a group inherits all roles assigned to that group.
• Nested group membership — if Group A is a member of Group B, members of Group A inherit roles from both Group A and Group B.
• External IDP group mapping — when an external IDP group is mapped to a RAMP group, members of the external group inherit the RAMP group’s roles. See IDP Group Mappings.

Tip

Use nested groups to model organizational hierarchies. For example, create a “Department Leads” group that is a member of a “Template Viewers” group. All department leads automatically get template viewing access, plus any additional roles assigned to the leads group.

Effective Permissions

When a user has roles from multiple sources (direct assignment, group membership, global roles), the most permissive role applies. Roles from different sources are combined, never restricted.

Example:

• User has GlobalTemplateViewer (via personal role assignment)
• User is in “Release Managers” group with GlobalInstanceHead role
• User is in “QA Team” group with GlobalTemplateApprover role
• Result: User can view all templates, approve all template versions, and has full control of all instances

Editing a Group

1. Click on the group in the groups list.
2. Modify the group name or description.
3. Click Save.

Deleting a Group

1. Click on the group in the groups list.
2. Click Delete.
3. Confirm the deletion.

Caution

Deleting a group removes all role inheritance for its members. Users who had roles only through the deleted group will lose those roles. Verify the impact before deleting.

Common Group Patterns

By Role

Create groups that map to organizational roles:

Group Name	Assigned Roles	Purpose
Administrators	Administrator	IT staff who manage RAMP
Template Authors	TemplateCreator, GlobalTemplateEditor	Engineers who build templates
Instance Operators	GlobalInstanceExecutor	Staff who execute instances
Observers	GlobalTemplateViewer, GlobalInstanceObserver	Stakeholders with read-only access
Release Managers	GlobalInstanceHead	Managers who control instance lifecycle
QA Approvers	GlobalTemplateApprover	QA staff who approve template versions

By Department

Create groups that reflect organizational structure:

Group Name	Assigned Roles	Purpose
Engineering	GlobalTemplateEditor, GlobalInstanceExecutor	Engineering team members
Operations	GlobalInstanceHead	Operations team with full instance control
Management	GlobalTemplateViewer, GlobalInstanceObserver	Management with read-only oversight

Best Practices

• Name groups descriptively — use names that clearly indicate the group’s purpose or the team it represents.
• Document group roles — add descriptions to groups explaining what roles they carry and why.
• Prefer groups over individual assignments — group-based role management is easier to maintain and audit.
• Review regularly — periodically review group memberships and remove users who no longer belong.
• Avoid deep nesting — while nested groups are supported, deeply nested hierarchies can be difficult to understand and troubleshoot.

Related topics

Members Manage tenant members, invite users, and assign application-level roles

Roles Understand the RAMP role system, application roles, entity roles, and permission hierarchy