There are a few reasons you may want to use a FusionAuth Group.

The first use may be to simply logically group one or more users within a Tenant. Once a User is a member of a Group they may be identified as a member of the Group and retrieved using the User Search API and the Elasticsearch search engine.

The second reason you may wish to use a FusionAuth group is to manage Application Role assignment. A Group may be assigned roles from one or more Applications, a member of this Group will be dynamically assigned these roles if they have a registration for the Application.

Core Concepts Relationships

Below is a visual reminder of the relationships between FusionAuth’s primary core concepts.



You could create a Group called Admin, and assign this group the admin role from each of your applications.

A more detailed example:

Suppose Application A has two roles: admin and member. Application B has one role superadmin.

User 1 has a registration in Application A and user 2 has a registration in Application B.

There’s a group Admin Group which has the application roles of admin from Application A and superadmin from application B.

If you add User 1 to Admin group they will receive the role admin in Application A, but not superadmin (because they aren’t registered in Application B).

Admin UI

Create a Group

Click on Settings -> Groups from the main menu to add a Group. At a minimum, you must provide a Name for the Group and the Tenant it belongs to.

You may apply Application roles from the various Applications in this Group’s Tenant.

Create a Group

Form Fields


The Group Id.


The Group name.


The Tenant the Group will be scoped to.

Application Rolesoptional

The selected application roles will be assumed by members of this Group.