Overview

There are a few reasons you may want to use a FusionAuth Group.

The first is simply to logically group one or more users within a Tenant. Once a User is a member of a Group, they can be identified as a member of the Group and retrieved using the User Search API and the Elasticsearch search engine.

The second reason you may wish to use a FusionAuth Group is to manage Application Role assignment. A Group may be assigned roles from one or more Applications. A member of the Group is dynamically assigned these roles if they have a registration for the Application.

Core Concepts Relationships

Below is a visual reminder of the relationships between FusionAuth’s primary core concepts.

[Diagram: relationships between User, Tenant, Application, Group, Role and Registration. Edge labels: Belongs To, Assigned, Defined In, Is In, Joins.]

Examples

You could create a Group called Admin, and assign this group the admin role from each of your applications.

A more detailed example:

Suppose Application A has two roles: admin and member. Application B has one role: superadmin.

User 1 has a registration in Application A and User 2 has a registration in Application B.

There’s a group, Admin Group, which has the application roles of admin from Application A and superadmin from Application B.

If you add User 1 to Admin Group, they will receive the role admin in Application A, but not superadmin (because they aren’t registered in Application B).
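
The resolution rule from this example, modelled in Python as an added illustration (not FusionAuth's code and not an API client). The class and function names, and User 1's direct member role, are assumptions. It also reports Group roles that are not in effect because the registration is missing, which is useful to know during an access review.

```python
from dataclasses import dataclass, field

@dataclass
class Group:
    name: str
    app_roles: dict  # Application name -> set of roles the Group carries

@dataclass
class User:
    name: str
    registrations: dict  # Application name -> roles set directly on the registration
    groups: list = field(default_factory=list)

def effective_roles(user):
    """Roles per registered Application, each mapped to where it came from."""
    result = {}
    for app, direct in user.registrations.items():
        roles = {role: "registration" for role in direct}
        for group in user.groups:
            # A Group role applies only where the user holds a registration.
            for role in group.app_roles.get(app, ()):
                roles.setdefault(role, "group:" + group.name)
        result[app] = roles
    return result

def dormant_group_roles(user):
    """Group roles not in effect because the user has no registration there."""
    dormant = {}
    for group in user.groups:
        for app, roles in group.app_roles.items():
            if app not in user.registrations:
                dormant.setdefault(app, set()).update(roles)
    return dormant

# Constructed sample data mirroring the example above.
admin_group = Group("Admin Group", {"Application A": {"admin"},
                                    "Application B": {"superadmin"}})
# Assumption: User 1 also holds "member" directly on the registration.
user1 = User("User 1", {"Application A": {"member"}}, [admin_group])
user2 = User("User 2", {"Application B": set()})  # not in the Group

if __name__ == "__main__":
    for u in (user1, user2):
        print(u.name, effective_roles(u), dormant_group_roles(u))
```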

Admin UI

Create a Group

Click on Settings -> Groups from the main menu to add a Group. At a minimum, you must provide a Name for the Group and the Tenant it belongs to.

You may apply Application roles from the various Applications in this Group’s Tenant.

Form Fields

Id

The Group Id.

Name (required)

The Group name.

Tenant (required)

The Tenant the Group will be scoped to.

Application Roles

The selected application roles will be assumed by members of this Group.