
Group Management

This page documents procedures for managing groups on a MinIO Tenant. Each group can have one attached IAM policy, and all users with membership in that group inherit that policy. Groups simplify management of user permissions on the MinIO Tenant.

Create New MinIO Group

MinIO Console Connectivity

The following procedure assumes use of a MinIO Console instance deployed as part of the MinIO Tenant. Since Kubernetes restricts external access, the procedure assumes that:

  • The user is accessing the Console from a host inside the Kubernetes cluster,

    -or-

  • The Kubernetes Cluster has an Ingress resource configured to grant external access to the MinIO Tenant and Console.

The following procedure uses the MinIO Console to create a new group on the MinIO Tenant.

1) Open the Group Management Interface

Open the MinIO Console in your browser and log in with your credentials. From the Console, click Groups in the left hand navigation. If the Admin navigation group is collapsed, click on it to expand the section and view the Groups navigation item.

MinIO Console Group Management View

The Group interface shows all existing MinIO groups. Click the + Create Group button to open the Create Group modal.

2) Create a New Group

The Create Group modal displays the following inputs for configuring the new group:

MinIO Console Group Create Modal

Group Name

The name of the group. The specified name must be unique among all groups on the MinIO Tenant.

Assign Users

The MinIO Tenant users with membership in the group. Toggle the Select checkbox next to each user to assign to the group. A highlighted or “active” checkbox indicates the user has membership in the group. An empty or “inactive” checkbox indicates the user does not have membership in the group.

You can filter users using the Filter Users input.

Click Save to save the new group.

3) Assign Policy to the New Group

From the Groups interface, click on the flag icon for the newly created group to open the Set Policies modal:

MinIO Console Group Select Policies

The Set Policies modal displays information on the group’s currently attached policy:

MinIO Console Group Set Policies

A group can have at most one attached policy. From the Assign Policies section, toggle the Select radio button next to the policy to attach to the group:

You can filter policies using the Filter by Policy input.

Click Save to save the group with the newly attached policy. All users with membership in that group inherit the attached policy in addition to the user’s own explicitly assigned policy and other group-attached policies.

For complete documentation on creating a new IAM policy to attach to a MinIO group, see Create New Policy.

Change Attached Group Policy

MinIO Console Connectivity

The following procedure assumes use of a MinIO Console instance deployed as part of the MinIO Tenant. Since Kubernetes restricts external access, the procedure assumes that:

  • The user is accessing the Console from a host inside the Kubernetes cluster,

    -or-

  • The Kubernetes Cluster has an Ingress resource configured to grant external access to the MinIO Tenant and Console.

MinIO uses Policy-Based Access Control (PBAC) to determine the actions and resources to which a MinIO user has access. The user also inherits the policies attached to each group in which it has membership. The total set of permissions for a given user is the combination of its explicitly assigned and inherited policies.

For complete documentation on creating a new IAM policy to attach to a MinIO group, see Create New Policy.

The following procedure uses the MinIO Console to manage the IAM policy attached to a group in the MinIO Tenant.

1) Open the Group Management Interface

Open the MinIO Console in your browser and log in with your credentials. From the Console, click Groups in the left hand navigation. If the Admin navigation group is collapsed, click on it to expand the section and view the Groups navigation item.

MinIO Console Group Management View

2) Change Policy Attached to Group

From the Groups interface, click on the flag icon for the group to open the Set Policies modal:

MinIO Console Group Select Policies

A group can have at most one attached policy. From the Assign Policies section, toggle the Select radio button next to the policy to attach to the group:

MinIO Console Group Set Policies

You can filter policies using the Filter by Policy input.

Click Save to save the group with the newly attached policy. All users with membership in that group inherit the attached policy in addition to the user’s own explicitly assigned policy and other group-attached policies.

Change User Membership in Group

MinIO Console Connectivity

The following procedure assumes use of a MinIO Console instance deployed as part of the MinIO Tenant. Since Kubernetes restricts external access, the procedure assumes that:

  • The user is accessing the Console from a host inside the Kubernetes cluster,

    -or-

  • The Kubernetes Cluster has an Ingress resource configured to grant external access to the MinIO Tenant and Console.

MinIO uses Policy-Based Access Control (PBAC) to determine the actions and resources to which a MinIO user has access. The user also inherits the policies attached to each group in which it has membership. The total set of permissions for a given user is the combination of its explicitly assigned and inherited policies.

The following procedure uses the MinIO Console to change user membership in a group.

1) Open the Group Management Interface

Open the MinIO Console in your browser and log in with your credentials. From the Console, click Groups in the left hand navigation. If the Admin navigation group is collapsed, click on it to expand the section and view the Groups navigation item.

MinIO Console Group Management View

2) Change Group Membership

Click the row of the group for which you want to manage MinIO Tenant user membership to open the Edit Group modal:

MinIO Console Group Management Select Row

The Edit Group modal displays inputs for adding or removing MinIO Tenant users from the group:

MinIO Console Group Management Edit View

From the Edit Members section, toggle the Select checkbox for each user to add or remove from the group. A highlighted or “active” checkbox indicates the user has membership in the group. An empty or “inactive” checkbox indicates the user does not have membership in the group.

You can filter users using the Filter by Users input.

Click Save to save the membership changes. All users with membership in that group inherit the attached policy in addition to the user’s own explicitly assigned policy and other group-attached policies.

Enable or Disable a Group

MinIO Console Connectivity

The following procedure assumes use of a MinIO Console instance deployed as part of the MinIO Tenant. Since Kubernetes restricts external access, the procedure assumes that:

  • The user is accessing the Console from a host inside the Kubernetes cluster,

    -or-

  • The Kubernetes Cluster has an Ingress resource configured to grant external access to the MinIO Tenant and Console.

The following procedure uses the MinIO Console to enable or disable a group on the MinIO Tenant. Users cannot inherit policies attached to a disabled group.

1) Open the Group Management Interface

Open the MinIO Console in your browser and log in with your credentials. From the Console, click Groups in the left hand navigation. If the Admin navigation group is collapsed, click on it to expand the section and view the Groups navigation item.

MinIO Console Group Management View

The Group interface shows all existing MinIO groups.

2) Select the Group to Enable or Disable

Click the row for the Group to open the Edit Group modal:

MinIO Console Group Management Select Row

3) Enable or Disable the Group

The toggle in the top right-hand corner of the Edit Group modal displays the current state of the MinIO group.

MinIO Console Group Management Edit Group

If the toggle displays Enabled, the group is currently enabled. If the toggle displays Disabled, the group is currently disabled. Click the toggle to change the state of the group.

Click Save to save the changes. MinIO ignores disabled groups for the purpose of authorizing a user.
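
Before disabling a group, it helps to know which members hold a policy only through that group. The following is an added example, not MinIO code and not part of the original documentation: it models the rules stated on this page (explicit policy plus the policy of each group the user belongs to, with disabled groups ignored) as sets of policy names. The user names, group names and tenant state are constructed, and the model does not evaluate policy statements or call any MinIO API.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class Group:
    name: str
    policy: str | None = None            # a group has at most one attached policy
    members: set[str] = field(default_factory=set)
    enabled: bool = True                  # disabled groups are ignored

def effective_policies(user, user_policy, groups):
    """Explicit policy plus the policy of every enabled group the user is in."""
    names = {user_policy[user]} if user_policy.get(user) else set()
    for g in groups:
        if g.enabled and g.policy and user in g.members:
            names.add(g.policy)
    return names

def impact_of_disabling(group_name, user_policy, groups):
    """Return {user: policies lost} if group_name were disabled."""
    after = [Group(g.name, g.policy, set(g.members),
                   g.enabled and g.name != group_name) for g in groups]
    target = next(g for g in groups if g.name == group_name)
    lost = {}
    for user in sorted(target.members):
        diff = (effective_policies(user, user_policy, groups)
                - effective_policies(user, user_policy, after))
        if diff:                          # user held this policy only via the group
            lost[user] = diff
    return lost

# Constructed sample tenant state (all names are hypothetical).
USER_POLICY = {"alice": "readonly", "bob": None, "carol": "readwrite"}
GROUPS = [
    Group("analysts", "readonly", {"alice", "bob"}),
    Group("ingest", "writeonly", {"bob", "carol"}),
    Group("legacy", "readwrite", {"bob"}, enabled=False),
]

if __name__ == "__main__":
    for u in USER_POLICY:
        print(u, sorted(effective_policies(u, USER_POLICY, GROUPS)))
    print("disable analysts ->", impact_of_disabling("analysts", USER_POLICY, GROUPS))
```

In the sample data, alice keeps readonly after the analysts group is disabled because it is also her explicitly assigned policy, while bob loses it.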

Delete a Group

MinIO Console Connectivity

The following procedure assumes use of a MinIO Console instance deployed as part of the MinIO Tenant. Since Kubernetes restricts external access, the procedure assumes that:

  • The user is accessing the Console from a host inside the Kubernetes cluster,

    -or-

  • The Kubernetes Cluster has an Ingress resource configured to grant external access to the MinIO Tenant and Console.

The following procedure uses the MinIO Console to delete a group on the MinIO Tenant. Users with membership in that group can no longer inherit the policy attached to that group.

1) Open the Group Management Interface

Open the MinIO Console in your browser and log in with your credentials. From the Console, click Groups in the left hand navigation. If the Admin navigation group is collapsed, click on it to expand the section and view the Groups navigation item.

MinIO Console Group Management View

2) Delete the Group

To delete a group, click the Trash icon to open the Delete User modal:

MinIO Console Group Select Trash Icon

You must confirm group deletion by clicking Delete from the modal.

MinIO Console Group Management Delete User