User Groups is a paid feature.

If you’re using Infisical Cloud, then it is available under the Enterprise Tier. If you’re self-hosting Infisical, then you should contact [email protected] to purchase an enterprise license to use it.

Concept

A (user) group is a collection of users that you can create in an Infisical organization to more efficiently manage permissions and access control for multiple users together. For example, you can have a group called Developers with the Developer role containing all the developers in your organization.

User groups have the following properties:

  • If a group is added to a project under specific role(s), all users in the group will be provisioned access to the project with the role(s). Conversely, if a group is removed from a project, all users in the group will lose access to the project.
  • If a user is added to a group, they will inherit the access control properties of the group including access to project(s) under the role(s) assigned to the group. Conversely, if a user is removed from a group, they will lose access to project(s) that the group has access to.
  • If a user was previously added to a project under a role and is later added to a group that has access to the same project under a different role, then the user will now have access to the project under the composite permissions of the two roles. If the group is subsequently removed from the project, the user will not lose access to the project as they were previously added to the project separately.
  • A user can be part of multiple groups. If a user is part of multiple groups, they will inherit the composite permissions of all the groups that they are part of.

Workflow

In the following steps, we explore how to create and use user groups to provision user access to projects in Infisical.

1

Creating a group

To create a group, head to your Organization Settings > Access Control > Groups and press Create group.

When creating a group, you specify an organization level role for it to assume; you can configure roles in Organization Settings > Access Control > Organization Roles.

Now input a few details for your new group. Here’s some guidance for each field:

  • Name (required): A friendly name for the group like Engineering.
  • Slug (required): A unique identifier for the group like engineering.
  • Role (required): A role from the Organization Roles tab for the group to assume. The organization role assigned will determine what organization level resources this group can have access to.
2

Adding users to the group

Next, you’ll want to assign users to the group. To do this, press on the users icon on the group and start assigning users to the group.

In this example, we’re assigning Alan Turing and Ada Lovelace to the group Engineering.

3

Adding the group to a project

To enable the group to access project-level resources such as secrets within a specific project, you should add it to that project.

To do this, head over to the project you want to add the group to and go to Project Settings > Access Control > Groups and press Add group.

Next, select the group you want to add to the project and the project level role you want to allow it to assume. The project role assigned will determine what project level resources this group can have access to.

That’s it!

The users of the group now have access to the project under the role you assigned to the group.