Proto: group.proto




A Group can be used to define access levels for a set of users.

| Field | Type | Label | Description |
|---|---|---|---|
| displayName | string | | A human-readable name for the group to display to users. |
| description | string | | Description for the group. |
| userSelector | | | User CRs which match this selector will be considered part of this Group and have access to the resources selected by this Group. |
| oidcGroup | | | Users belonging to any of the specified OIDC groups will have access to the resources selected by this Group. Users are associated with this group using an OIDC Identity Provider. Utilizing this functionality requires that any Portals accessible to this Group are configured with OIDC Auth. |
| accessLevel | | | The Group's access level. Users in this Group will be granted access to these resources. |


Config for mapping authenticated OIDC users to a group.

When a User authenticates their identity to a Portal using an OIDC token, we retrieve the groups to which the user belongs from a claim specified in the portal configuration ([portal].spec.oidcAuth.groupClaimKey).

The claim should consist of a string array of group names, provided in JSON format.

For each group name listed in the claim, we find all the Group custom resources that select that group name. A group name is considered to be selected if it is equal to at least one of the groupNames specified by the OidcGroup.

The Group(s) to which the user belongs will be the union of all those matching Groups.
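The mapping described above, as an added Python example (not Gloo Portal's own code). The function name `resolve_groups`, the dict shape of the Group resources and the sample data are constructed for illustration; it assumes the token has already been verified, that "equal" means exact case-sensitive string comparison, and that the deprecated `groupName` counts as one more name.

```python
# Added illustration; not Gloo Portal source code.
import json


def resolve_groups(claims, group_claim_key, groups):
    """Return sorted names of the Group resources selected by the token's group claim.

    claims: decoded, already-verified OIDC token claims (dict).
    group_claim_key: value of [portal].spec.oidcAuth.groupClaimKey.
    groups: Group resources as dicts (hypothetical shape: metadata.name, spec.oidcGroup).
    """
    claimed = claims.get(group_claim_key)
    # The claim must be a JSON array of strings; anything else maps to no groups.
    if not isinstance(claimed, list) or not all(isinstance(g, str) for g in claimed):
        return []
    claimed = set(claimed)

    matched = set()
    for group in groups:
        oidc = group.get("spec", {}).get("oidcGroup") or {}
        names = set(oidc.get("groupNames") or [])
        # Assumption: the deprecated single groupName is treated as one more name.
        if oidc.get("groupName"):
            names.add(oidc["groupName"])
        # Assumption: selection is exact equality, no prefix, wildcard or case folding.
        if names & claimed:
            matched.add(group["metadata"]["name"])
    # The user's Groups are the union of every matching Group.
    return sorted(matched)


# Constructed sample data.
GROUPS = [
    {"metadata": {"name": "developers"},
     "spec": {"oidcGroup": {"groupNames": ["dev", "engineering"]}}},
    {"metadata": {"name": "partners"},
     "spec": {"oidcGroup": {"groupNames": ["partner-acme"]}}},
    {"metadata": {"name": "legacy-admins"},
     "spec": {"oidcGroup": {"groupName": "admins"}}},
    {"metadata": {"name": "selector-only"},
     "spec": {"displayName": "Selector only"}},
]
CLAIMS = json.loads('{"sub": "alice", "groups": ["engineering", "admins", "Partner-Acme"]}')

if __name__ == "__main__":
    print(resolve_groups(CLAIMS, "groups", GROUPS))
```

Under the exact-match assumption, the claim value `Partner-Acme` does not select the `partners` Group, and a claim that is a single string rather than an array grants no group membership.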

| Field | Type | Label | Description |
|---|---|---|---|
| groupName | string | | OIDC group name associated with this Group. Deprecated: Use groupNames (which supports multiple group names) instead. |
| groupNames | []string | repeated | List of OIDC group names associated with this Group. |


The current status of the Group. It contains a list of all the users currently selected by the group, as well as all the resources currently selected by the group.

| Field | Type | Label | Description |
|---|---|---|---|
| observedGeneration | int64 | | The observed generation of the Group. When this matches the Group's metadata.generation, it indicates the status is up-to-date. |
| state | | | The current state of the user. |
| reason | string | | A human-readable string explaining the error, if any. |
| users | [] | repeated | The User objects that are currently considered to be a part of this Group. Does not include Users connected via OIDC. |
| hasAccessTo | | | Represents set of resources that members of the group have access to. |