Identity Cloud


Groups are an important tool for identity management. They greatly simplify managing collections of users, applying permissions and authorizations to all members of a group, rather than to individual users. These groups might follow an organization structure, but might instead be based on the needs and privileges for an otherwise arbitrary set of users.

The managed group object is a default managed object type and is defined like any other managed object type. Managed groups simplify management by using common groups across the entire platform.

Users are made members of groups through the relationships mechanism. You should understand how relationships work before you read about Identity Cloud groups.

A group can be assigned to a user manually, as a static value of the user’s groups attribute, or dynamically, as a result of a condition or script. For example, a user might be assigned to a group such as sales dynamically, if that user is in the sales organization.

A user’s groups attribute takes an array of references as a value, where the references point to the managed groups. For example, if user bjensen has been assigned to two groups (employees and supervisors), the value of bjensen’s groups attribute would look something like the following:

"groups": realm-name_group/employees",
    "_refResourceCollection": "managed/realm-name_group",
    "_refResourceId": "employees",
    "_refProperties": {
      "_id": "38a23ddc-1345-48d6-b753-ad97f472a90e",
      "_rev": "ae6e63c4-94f5-463b-8bef-7a359b8e3004-1692"
      "_ref": "managed/realm-name_group/supervisors",
      "_refResourceCollection": "managed/realm-name_group",
      "_refResourceId": "supervisors",
      "_refProperties": {
        "_id": "0fabd212-f0c2-4d91-91f2-2b211bb58e89",
        "_rev": "ae6e63c4-94f5-463b-8bef-7a359b8e3004-1974"

The _refResourceCollection is the container that holds the group. The _refResourceId is the ID of the group. The _ref property is a resource path that is derived from the _refResourceCollection and the URL-encoded _refResourceId. _refProperties provides more information about the relationship.

In most cases, Identity Cloud uses UUIDs as the _id for managed objects. Managed groups are an exception: the _id and name properties should match.

While managed groups appear in the AM admin UI and can serve the same function as a static group created in AM, they are not the same. A managed group supports dynamic, conditional membership, and can be leveraged in other parts of the platform. We recommend using managed objects for all data management in the platform.

Enable Groups

If the groups feature is not already enabled on your tenant, you can install it using the Feature enablement endpoint.

If you were previously using AM static groups, contact ForgeRock for guidance on how to migrate group membership to managed groups.

Copyright © 2010-2023 ForgeRock, all rights reserved.