Roles are great for granting and limiting permissions but what if there are 20 people on the team doing a few different jobs. Plus people are constantly rolling on and off of the team. This could be a nightmare to manage. Each team member would need to be assigned roles when they come onto the team and removed from roles when leaving the team. Enter groups to save the insanity.

While roles are assigned to people, people are assigned to groups. So, instead of having to assign multiple roles to people, those roles can be assigned to a group and then those people placed in groups. This would allow fewer assignments across the range of personnel.

One thing to keep in mind is that groups operate at the organization level and not at the project level. Let's walk through creating a group and then assigning a person to the group.

I've opened my browser to the IAM page in Google Cloud Platform. I'll select the Group menu button located at the bottom of the site menu to go to the group's page. Since groups operate at the organization level, I'll need to select an organization to continue. I'll create a group named starTeam. Clicking on the Create Group button opens the create group page.

The group must be given a name and an email address. The email address is used to identify the group and the group name is a friendly name. I'll enter starTeam for the group name. And I'll use starTeam again for the group email address, although this could differ from the group name.

The group description is optional but it could help to provide some details around the group. I'll just enter a description of, StarTeam is an advocate for the five points of success. Below the group description, we can add members to the group and assign a group role. At least one member must be added for the group to be created. I'll add myself to the group.

Group roles are member, manager, and owner and range from least privilege to most privilege. I'll add myself as the owner. I'll click Submit to create the group. We are returned to the groups page and can see our new group listed. This group can now be added to IAM and assigned roles. I'll click IAM from the side menu to open the IAM page.

Make sure that the organization is selected in the dropdown at the top. Clicking the Add button brings up the add members panel. I'll enter the email address of the group to the new members field. It's important to note that the group name will not work, so if the group email name differs from the display name then the name entered into the group email field when the group was created must be used.

Clicking the select a role dropdown displays all of the role options available at the organization level. I'll add a role of project viewer. Conditions based on time or resource could also be added but I'll leave this as is. Clicking Save will add the group to the organization's members list and close the add member panel.

Role changes for the group can be made once the group has been added by clicking on the Edit button. The group can also be removed by selecting the checkbox beside the group and then clicking the Remove button at the top. Clicking Confirm will remove the group from the organization.

Lectures

Course Introduction - Role Context and Defining Authoritative Roles - Defining IAM Roles - Incident and Request Management - Personnel Management - Course Conclusion