This page documents procedures for managing groups on a MinIO Tenant. Each group can have one attached IAM policy, and all users with membership in that group inherit that policy. Groups simplify the management of user permissions on the MinIO Tenant.
MinIO Console Connectivity
The following procedure assumes use of a MinIO Console instance deployed as part of the MinIO Tenant. Because Kubernetes restricts external access, the procedure assumes that:
The user is accessing the Console from a host inside the Kubernetes cluster,
-or-
The Kubernetes Cluster has an Ingress resource configured to grant external access to the MinIO Tenant and Console.
The following procedure uses the MinIO Console to create a new group on the MinIO Tenant.
Required Permissions
The consoleAdmin built-in policy provides the necessary permissions for
performing this procedure. Authenticate as a user that either has that
policy explicitly attached or inherits that policy from its group
membership.
Open the MinIO Console in your browser and log in with your credentials. From the Console, click Groups in the left hand navigation. If the Admin navigation group is collapsed, click on it to expand the section and view the Groups navigation item.
The Group interface shows all existing MinIO groups. Click the + Create Group button to open the Create Group modal.
The Create Group modal displays the following inputs for configuring the new group:
| Input | Description |
|---|---|
| Group Name | The name of the group. The specified name must be unique among all groups on the MinIO Tenant. |
| Assign Users | The MinIO Tenant users with membership in the group. Toggle the Select checkbox next to each user to assign to the group. A highlighted or “active” checkbox indicates the user has membership in the group. An empty or “inactive” checkbox indicates the user does not have membership in the group. You can filter users using the Filter Users input. |
Click Save to save the new group.
From the Groups interface, click on the flag icon for the newly created group to open the Set Policies modal:
The Set Policies modal displays information on the group’s currently attached policy:
A group can have at most one attached policy. From the Assign Policies section, toggle the Select radio button next to the policy to attach to the group:
You can filter policies using the Filter by Policy input.
Click Save to save the group with the newly attached policy. All users with membership in that group inherit the attached policy in addition to the user’s own explicitly assigned policy and other group-attached policies.
For complete documentation on creating a new IAM policy to attach to a MinIO group, see Create New Policy.
MinIO uses Policy-Based Access Control (PBAC) to determine the actions and resources to which a MinIO user has access. The user also inherits the policies attached to each group in which it has membership. The total set of permissions for a given user is the combination of its explicitly assigned and inherited policies.
For complete documentation on creating a new IAM policy to attach to a MinIO group, see Create New Policy.
The following procedure uses the MinIO Console to manage the IAM policy attached to a group in the MinIO Tenant.
Required Permissions
The consoleAdmin built-in policy provides the necessary permissions for
performing this procedure. Authenticate as a user that either has that
policy explicitly attached or inherits that policy from its group
membership.
Open the MinIO Console in your browser and log in with your credentials. From the Console, click Groups in the left hand navigation. If the Admin navigation group is collapsed, click on it to expand the section and view the Groups navigation item.
From the Groups interface, click on the flag icon for the group to open the Set Policies modal:
A group can have at most one attached policy. From the Assign Policies section, toggle the Select radio button next to the policy to attach to the group:
You can filter policies using the Filter by Policy input.
Click Save to save the group with the newly attached policy. All users with membership in that group inherit the attached policy in addition to the user’s own explicitly assigned policy and other group-attached policies.
MinIO uses Policy-Based Access Control (PBAC) to determine the actions and resources to which a MinIO user has access. The user also inherits the policies attached to each group in which it has membership. The total set of permissions for a given user is the combination of its explicitly assigned and inherited policies.
The following procedure uses the MinIO Console to change user membership in a group.
Required Permissions
The consoleAdmin built-in policy provides the necessary permissions for
performing this procedure. Authenticate as a user that either has that
policy explicitly attached or inherits that policy from its group
membership.
Open the MinIO Console in your browser and log in with your credentials. From the Console, click Groups in the left hand navigation. If the Admin navigation group is collapsed, click on it to expand the section and view the Groups navigation item.
Click the row of the group for which you want to manage MinIO Tenant user membership to open the Edit Group modal:
The Edit Group modal displays inputs for adding or removing MinIO Tenant users from the group:
From the Edit Members section, toggle the Select checkbox for each user to add or remove from the group. A highlighted or “active” checkbox indicates the user has membership in the group. An empty or “inactive” checkbox indicates the user does not have membership in the group.
You can filter users using the Filter by Users input.
Click Save to save the membership changes. All users with membership in that group inherit the attached policy in addition to the user’s own explicitly assigned policy and other group-attached policies.
The following procedure uses the MinIO Console to enable or disable a group on the MinIO Tenant. Users cannot inherit policies attached to a disabled group.
Required Permissions
The consoleAdmin built-in policy provides the necessary permissions for
performing this procedure. Authenticate as a user that either has that
policy explicitly attached or inherits that policy from its group
membership.
Open the MinIO Console in your browser and log in with your credentials. From the Console, click Groups in the left hand navigation. If the Admin navigation group is collapsed, click on it to expand the section and view the Groups navigation item.
The Group interface shows all existing MinIO groups.
Click the row for the Group to open the Edit Group modal:
The toggle in the top-right hand corner of the Edit Group modal displays the current state of the MinIO group.
If the toggle displays Enabled, the group is currently enabled. If the toggle displays Disabled, the group is currently disabled. Click the toggle to change the state of the group.
Click Save to save the changes. MinIO ignores disabled groups for the purpose of authorizing a user.
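The inheritance rules described on this page (one policy per group, explicit plus inherited policies, disabled groups ignored) can be modelled to audit who ends up with a policy such as consoleAdmin through group membership. This is an added example, not MinIO code: the user names, group names and data layout are constructed, and it only tracks which policies apply, not how MinIO evaluates their statements.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Group:
    name: str
    policy: Optional[str] = None        # a group has at most one attached policy
    enabled: bool = True                # disabled groups are ignored for authorization
    members: set = field(default_factory=set)

def effective_policies(user, explicit, groups):
    """Map each policy that applies to `user` to the sources that grant it."""
    sources = {}
    if explicit.get(user):
        sources.setdefault(explicit[user], []).append("explicit")
    for g in groups:
        if user in g.members and g.enabled and g.policy:
            sources.setdefault(g.policy, []).append("group:" + g.name)
    return sources

def users_with_policy(policy, explicit, groups):
    """List every user who holds `policy`, explicitly or through an enabled group."""
    users = set(explicit) | {m for g in groups for m in g.members}
    return sorted(u for u in users
                  if policy in effective_policies(u, explicit, groups))

def build_sample():
    """Constructed sample tenant state (hypothetical users and groups)."""
    explicit = {"alice": "readonly", "bob": None, "carol": None}
    groups = [
        Group("ops", "consoleAdmin", True, {"alice", "bob"}),
        Group("analysts", "readonly", True, {"bob", "carol"}),
        Group("legacy", "readwrite", False, {"carol"}),   # disabled group
    ]
    return explicit, groups

if __name__ == "__main__":
    explicit, groups = build_sample()
    for user in sorted(explicit):
        print(user, effective_policies(user, explicit, groups))
    print("consoleAdmin holders:", users_with_policy("consoleAdmin", explicit, groups))
    groups[0].enabled = False             # disable the "ops" group
    print("after disabling ops:", users_with_policy("consoleAdmin", explicit, groups))
```

Running a check like this before enabling a group or changing its attached policy shows which users gain or lose access as a result.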
The following procedure uses the MinIO Console to delete a group on the MinIO Tenant. Users with membership in that group can no longer inherit the policy attached to that group.
Required Permissions
The consoleAdmin built-in policy provides the necessary permissions for
performing this procedure. Authenticate as a user that either has that
policy explicitly attached or inherits that policy from its group
membership.
Open the MinIO Console in your browser and log in with your credentials. From the Console, click Groups in the left hand navigation. If the Admin navigation group is collapsed, click on it to expand the section and view the Groups navigation item.
To delete a group, click the Trash icon to open the Delete User modal:
You must confirm group deletion by clicking Delete from the modal.