Groups
Create, modify, and delete groups in AuthN
You can create groups and add users to those groups to reduce authorization service lookups by governing access at the authentication layer. These groups can represent various types of role-based access control (RBAC), such as teams, or regions (such as North America), or other types of access based on a user's attributes.
Implementing groups into your authentication is a drop-in replacement for industry standard RBAC systems but offers additional flexibility with the included integration with AuthZ policies. This enables leveraging Pangea AuthZ to layer ReBAC or ABAC systems on top of your RBAC system for increased granularity and control.
This page assumes that you have AUTHN_TOKEN added to your environment. If you have not done that, you can replace it in the cURL requests below with your actual AuthN token data, which should look similar to pts_abcdefghijklmnopqrstuvwxyz123456.
Enable AuthZ Group Permissions enforcement
Using AuthN Groups requires enforcement of AuthZ Group Permissions in the AuthZ service. This is enabled by default when adding the AuthZ service.
If it is not enabled for your project, you can enable it in one of two ways: on the AuthN Groups page or in the AuthZ General settings.
Enable Group Permissions in AuthN Groups page
To enable Group Permissions in the AuthN Groups page:
- In the AuthN service page, click Groups in the left-hand navigation menu.
- Enforce Group Permissions displays. Click Enable Group Permissions.
- The page navigates to AuthN Groups, where you can set up your first group.
Enable Group Permissions in AuthZ General settings
- In the AuthZ service page, click General in the left-hand navigation menu.
- The AuthZ Settings menu displays. Click Enforce Group Permissions.
- Toggle the switch to Enabled.
- Click Save.
You can now navigate to the Groups page of AuthN and set up your first group.
Create a group
To create a group in the Pangea User Console:
- In the Pangea Console, click AuthN.
- In the left navigation panel, click Groups.
- Click the + Group button.
- Fill in the information for the group:
  - Name
  - Description
- Click Save.
To create a group using cURL:
curl -sSLX POST 'https://authn.aws.pangea.cloud/v2/group/create' \
  -H "Authorization: Bearer $AUTHN_TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{"name":"<group-name>", "type":"manual"}'
Add users to the group
To add users in the Pangea User Console:
- In the Pangea Console, click AuthN.
- In the left navigation panel, click Groups.
- Click on the group name.
- Click the Users tab that displays in the right-hand side of the screen.
- Type the username of the user to add to the group, and then click Add.
You can also add users to one or multiple groups at a time using cURL requests:
curl -sSLX POST 'https://authn.aws.pangea.cloud/v2/user/group/assign' \
  -H "Authorization: Bearer $AUTHN_TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{"id":"<user-id>", "group_ids": ["<group-id>"] }'
Remove users from a group
To remove users in the Pangea User Console:
- In the Pangea Console, click AuthN.
- In the left navigation panel, click Groups.
- Click on the group name.
- Click the Users tab that displays in the right-hand side of the screen.
- Click the three-dot menu button beside the email address of the user to remove from the group, and then click Remove.
You can also remove users from a group using cURL requests by replacing the <user-id> and <group-id> with the relevant data:
curl -sSLX POST 'https://authn.aws.pangea.cloud/v2/user/group/remove' \
  -H "Authorization: Bearer $AUTHN_TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{"id":"<user-id>", "group_id":"<group-id>"}'
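An added example (not Pangea's code): shell helpers that build the create, assign, and remove request bodies shown above with every value JSON-escaped, so a group name or ID taken from input cannot alter the request, and that keep assign (a "group_ids" list) distinct from remove (a single "group_id"). The function names and the AUTHN_BASE variable are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Pangea's code. Endpoints and field names are from this page.
AUTHN_BASE="${AUTHN_BASE:-https://authn.aws.pangea.cloud}"

# Emit $1 as a quoted JSON string. Backslashes and quotes are escaped;
# control characters are rejected instead of encoded.
json_str() {
  _clean=$(printf '%s' "$1" | LC_ALL=C tr -d '[:cntrl:]')
  [ "$_clean" = "$1" ] || { echo "json_str: control character rejected" >&2; return 1; }
  printf '"%s"' "$(printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')"
}

# /v2/group/create: name plus type "manual".
payload_group_create() {
  _n=$(json_str "$1") || return 1
  printf '{"name":%s,"type":"manual"}' "$_n"
}

# /v2/user/group/assign: a LIST of group IDs under "group_ids".
payload_assign() {
  _u=$(json_str "$1") || return 1
  shift
  _ids=
  for _g in "$@"; do
    _j=$(json_str "$_g") || return 1
    _ids="${_ids:+$_ids,}$_j"
  done
  [ -n "$_ids" ] || { echo "payload_assign: no group IDs given" >&2; return 1; }
  printf '{"id":%s,"group_ids":[%s]}' "$_u" "$_ids"
}

# /v2/user/group/remove: exactly ONE group ID under "group_id".
payload_remove() {
  [ "$#" -eq 2 ] || { echo "payload_remove: need <user-id> <group-id>" >&2; return 1; }
  _u=$(json_str "$1") && _g=$(json_str "$2") || return 1
  printf '{"id":%s,"group_id":%s}' "$_u" "$_g"
}

# POST payload $2 to path $1. The Authorization header reaches curl as a config
# file on stdin (-K -), so the token is not in curl's argument list.
authn_post() {
  : "${AUTHN_TOKEN:?AUTHN_TOKEN is not set}"
  printf 'header = "Authorization: Bearer %s"\n' "$AUTHN_TOKEN" |
    curl -sS --fail -K - -X POST "$AUTHN_BASE$1" \
      -H 'Content-Type: application/json' -d "$2"
}
# Usage (sends a real request):
#   authn_post /v2/user/group/assign "$(payload_assign '<user-id>' '<group-id>')"
```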
View group details
To view the details of a group (such as the group's list of users), click on the desired group name in the group list. This displays the following information:
- Group ID
- Name
- Description
- Created at date
- Updated at date
You can view the list of users in the group by clicking the Users tab.
To complete the same task using cURL requests, you can fetch the group details by running the following command, replacing <group-id> with the desired Group ID:
curl -sSLX POST 'https://authn.aws.pangea.cloud/v2/group/get' \
  -H "Authorization: Bearer $AUTHN_TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{"id":"<group-id>"}'
Delete a group
To delete a group in the Pangea User Console:
- Click Groups on the left-hand navigation menu.
- Click on the group to modify.
- Click the three-dot menu button in the box that displays on the right-hand side of the page.
- Click Delete.
- A dialog will appear requesting confirmation. Click Delete to confirm deleting the group.
You can also delete a group using cURL. You will need to copy the group ID from the Groups page of the Pangea User Console, or you can use a cURL request to list your groups:
curl -sSLX POST 'https://authn.aws.pangea.cloud/v2/group/list' \
  -H "Authorization: Bearer $AUTHN_TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{}'
Then, replace <group-id> in the command below with the desired group ID to delete the group:
curl -sSLX POST 'https://authn.aws.pangea.cloud/v2/group/delete' \
  -H "Authorization: Bearer $AUTHN_TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{"id":"<group-id>"}'