Atom

Groups

Object Groups define where access applies; Principal Groups collect identities that receive assignments.

Groups (/groups) come in two flavors, distinguished by Group type:

  • Object groups scope where access applies — for example, "every device at Plant A." Permission block scope modes like Direct objects in object group and Objects in subgroups (see Permission Blocks) target an object group.
  • Principal groups collect who receives access — for example, "the operators who should inherit the plant-operator role." Atom seeds one principal group, authenticated-users, for all authenticated human users.

Groups can nest: a group can have a Parent group, and Principal Group nesting extends inherited role assignments down to child groups and their members.

Groups table

Columns: Name, Type, Tenant, Parent, Description, Created, Updated.

Groups list

Create a group

Click + Create.

Create button highlighted on the groups list

Fields:

  • Name (required).
  • Description.
  • Group type: Object group or Principal group.
  • Tenant — required; select the tenant this group belongs to.

Create group dialog

Click Save.

Row actions

  • Inspect — view details and manage members.
  • Edit — change name, description, or parent.
  • Delete — remove the group.

Inspect and members

The inspect dialog shows ID, Name, Tenant, Description, Group type, Parent group, Child principal groups, and Created, followed by a Members section.

A new group has no members yet. Search the entity list below the members table and click Add next to any entity to add it.

Group inspect with no members

Once added, a member row shows its name, kind, status, and a Remove button.

Group inspect with a member added

How groups connect to access control

Groups themselves grant nothing — they're referenced by other records:

  • A permission block's Scope mode can target an object group directly (Object group itself), its direct contents (Direct objects in object group), or everything under it (Objects in subgroups), as well as child groups themselves (Direct child object groups, Descendant object groups).
  • Principal groups are what the Authorization debugger refers to when a decision explanation says a role was inherited "through principal group authenticated-users". In the current UI build, role-to-principal-group assignments are managed through the GraphQL API rather than a dedicated screen; see Direct Policies for the UI-native way to grant access to a specific entity today.
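
The principal-group inheritance described above, as an added illustrative model for reviewing who ends up with a role through nesting; it is not Atom's code or API. Every name except authenticated-users and plant-operator is hypothetical, the "(via member group …)" suffix is this model's own wording, and it assumes a group's direct members receive the roles assigned to that group.

```python
# Illustrative model only: not Atom's implementation or its GraphQL API.
from collections import defaultdict

# Constructed sample data. Only "authenticated-users" and "plant-operator"
# appear on the page; every other name here is hypothetical.
PARENT = {                      # child principal group -> parent group
    "plant-a-operators": "plant-operators",
    "plant-a-night-shift": "plant-a-operators",
}
MEMBERS = {                     # principal group -> direct members
    "authenticated-users": {"alice", "bob"},
    "plant-operators": set(),
    "plant-a-operators": {"alice"},
    "plant-a-night-shift": {"bob"},
}
GROUP_ROLES = {                 # role-to-principal-group assignments
    "authenticated-users": {"viewer"},
    "plant-operators": {"plant-operator"},
}

def ancestors(group, parent=PARENT):
    """Yield the group, then each parent up the chain; stop on a cycle."""
    seen = set()
    while group is not None and group not in seen:
        seen.add(group)
        yield group
        group = parent.get(group)

def effective_roles(principal):
    """Map each inherited role to the principal groups that carry it."""
    result = defaultdict(list)
    for group, members in sorted(MEMBERS.items()):
        if principal not in members:
            continue
        # Roles on the group itself and on every ancestor flow down.
        for holder in ancestors(group):
            for role in sorted(GROUP_ROLES.get(holder, ())):
                path = f"through principal group {holder}"
                if holder != group:
                    path += f" (via member group {group})"
                result[role].append(path)
    return dict(result)

if __name__ == "__main__":
    for who in ("alice", "bob"):
        for role, paths in effective_roles(who).items():
            print(who, role, paths)
```

In this model bob holds plant-operator only because his group sits two levels below the group the role was assigned to, which is the kind of indirect grant worth checking before changing a Parent group.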
