Closes #807 Closes #846 --------- Co-authored-by: Daryl White <53910321+djwfyi@users.noreply.github.com>
mc admin group
Description
The mc admin group command manages groups on a MinIO deployment. A group is a collection of users. Each group can have one or more assigned policies that explicitly list the actions and resources to which group members are allowed or denied access. Groups provide a simplified method for managing shared permissions among users with common access patterns and workloads.
Use mc admin on MinIO Deployments Only
Groups and Policy-Based Access Control
MinIO uses Policy-Based Access Control (PBAC) to support authorization of users who have successfully authenticated to the deployment. Each policy includes rules that dictate the allowed or denied actions/resources on the deployment.
You can assign one or more policies to a group. Users with membership in the group inherit the group's assigned policies. A user's total set of permissions includes their explicitly assigned policies and any policies inherited via group membership.
Newly created groups have no policies by default. To configure a group's assigned policies, use the mc admin policy attach command.
For more information on MinIO users and groups, see minio-users and minio-groups. For more information on MinIO policies, see MinIO Policy Based Access Control.
Deny overrides Allow
MinIO follows the IAM standard where a Deny rule overrides an Allow rule on the same action or resource. For example, if a user has an explicitly assigned policy with an Allow rule for an action/resource while one of its groups has an assigned policy with a Deny rule for that action/resource, MinIO would apply only the Deny rule.
For more information on IAM policy evaluation logic, see the IAM documentation on Determining Whether a Request is Allowed or Denied Within an Account (reference_policies_evaluation-logic.html#policy-eval-denyallow).
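The inheritance and Deny-overrides-Allow rules above, combined with the rule that users only inherit policies from enabled groups, as an added example that is not part of the MinIO documentation or MinIO's own evaluation code. It is a simplified Python model: the policy, group and user names, the sample data and the glob-style matching are all constructed assumptions.

```python
from fnmatch import fnmatchcase

# Constructed sample policies in the S3/IAM JSON shape (names are hypothetical).
POLICIES = {
    "readwrite-reports": {"Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": ["arn:aws:s3:::reports/*"]}]},
    "deny-reports-write": {"Statement": [
        {"Effect": "Deny", "Action": ["s3:PutObject"],
         "Resource": ["arn:aws:s3:::reports/*"]}]},
    "read-archive": {"Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": ["arn:aws:s3:::archive/*"]}]},
}
# Constructed groups: members, enabled/disabled status, attached policies.
GROUPS = {
    "auditors": {"members": {"alice"}, "enabled": True,
                 "policies": ["deny-reports-write"]},
    "archive-readers": {"members": {"alice"}, "enabled": False,
                        "policies": ["read-archive"]},
}
# Policies attached directly to each user (constructed).
USER_POLICIES = {"alice": ["readwrite-reports"], "bob": []}


def effective_policies(user):
    """Explicit policies plus those inherited from enabled groups only."""
    names = list(USER_POLICIES.get(user, []))
    for group in GROUPS.values():
        if group["enabled"] and user in group["members"]:
            names.extend(group["policies"])
    return names


def is_allowed(user, action, resource):
    """Default deny; any matching Deny beats every matching Allow."""
    allowed = False
    for name in effective_policies(user):
        for stmt in POLICIES[name]["Statement"]:
            if not any(fnmatchcase(action, a) for a in stmt["Action"]):
                continue
            if not any(fnmatchcase(resource, r) for r in stmt["Resource"]):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed
```

In this model alice can still read from reports/ through her own policy, loses write access because of the Deny inherited from the auditors group, and gains nothing from archive-readers while that group is disabled.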
Examples
Create a New Group
Use mc admin group add to create a new group on an S3-compatible host:
mc admin group add ALIAS GROUPNAME MEMBER [MEMBER...]
- Replace ALIAS with the alias of the S3-compatible host.
- Replace GROUPNAME with the name of the group to create.
- Replace MEMBER with at least one user on the S3 host. Specify multiple members as a list: MEMBER1 MEMBER2 MEMBER3
List Available Groups
Use mc admin group ls to list all groups on an S3-compatible host:
mc admin group ls ALIAS
- Replace ALIAS with the alias of the S3-compatible host.
View Group Details
Use mc admin group info to view detailed group information on an S3-compatible host:
mc admin group info ALIAS GROUPNAME
- Replace ALIAS with the alias of the S3-compatible host.
- Replace GROUPNAME with the name of the group.
Remove a Group
Use mc admin group rm to remove a group from an S3-compatible host:
mc admin group rm ALIAS GROUPNAME
- Replace ALIAS with the alias of the S3-compatible host.
- Replace GROUPNAME with the name of the group.
Disable a Group
Use mc admin group disable to disable a group on an S3-compatible host:
mc admin group disable ALIAS GROUPNAME
- Replace ALIAS with the alias of the S3-compatible host.
- Replace GROUPNAME with the name of the group.
Enable a Group
Use mc admin group enable to enable a group on an S3-compatible host:
mc admin group enable ALIAS GROUPNAME
- Replace ALIAS with the alias of the S3-compatible host.
- Replace GROUPNAME with the name of the group.
Quick Reference
- mc admin group add TARGET GROUPNAME MEMBERS: Adds a user to a group on the MinIO deployment. Creates the group if it does not exist.
- mc admin group info TARGET GROUPNAME: Returns detailed information for a group on the MinIO deployment.
- mc admin group ls TARGET: Returns a list of all groups on the MinIO deployment.
- mc admin group rm TARGET GROUPNAME: Removes a group on the MinIO deployment.
- mc admin group enable TARGET GROUPNAME: Enables a group on the MinIO deployment. Users can only inherit policies assigned to an enabled group.
- mc admin group disable TARGET GROUPNAME: Disables a group on the MinIO deployment. Users cannot inherit policies assigned to a disabled group.
Syntax
add
Adds an existing user to the group. The command creates the group if it does not exist. The command has the following syntax:
mc admin group add TARGET GROUPNAME MEMBERS
The command accepts the following arguments:
TARGET
The alias of a configured MinIO deployment on which the command adds users to the new or existing group.
GROUPNAME
The name of the group. The command creates the group if it does not already exist. Use mc admin group ls to review the existing groups on a deployment.
MEMBERS
The name of the user to add to the group. The user must exist on the TARGET MinIO deployment. Use mc admin user ls to review the available users on the deployment.
info
Returns details for the group on the target deployment, such as all users with membership in the group and the assigned policies. The command has the following syntax:
mc admin group info TARGET GROUPNAME
The command accepts the following arguments:
TARGET
The alias of a configured MinIO deployment from which to retrieve the group information.
GROUPNAME
The name of the group.
ls, list
List all groups on the target MinIO deployment. The command has the following syntax:
mc admin group ls TARGET
The command accepts the following arguments:
TARGET
The alias of a configured MinIO deployment from which to retrieve groups.
rm, remove
Removes a group on the target MinIO deployment. Removing a group does not remove any users with membership in the group. Use mc admin user rm to remove users from a group.
The command has the following syntax:
mc admin group rm TARGET GROUPNAME
The command accepts the following arguments:
TARGET
The alias of a configured MinIO deployment on which to remove the group.
GROUPNAME
The name of the group to remove.
enable
Enables the group on the target MinIO deployment. Users can only inherit policies from an enabled group.
Groups are enabled on creation by default. The command has the following syntax:
mc admin group enable TARGET GROUPNAME
The command accepts the following arguments:
TARGET
The alias of a configured MinIO deployment on which to enable the group.
GROUPNAME
The name of the group to enable.
disable
Disables the group on the target MinIO deployment. Users cannot inherit policies from a disabled group.
The command has the following syntax:
mc admin group disable TARGET GROUPNAME
The command accepts the following arguments:
TARGET
The alias of a configured MinIO deployment on which to disable the group.
GROUPNAME
The name of the group to disable.