# Managing custom groups

In addition to [default groups](/iam/authorization/groups#default-groups) that come with your tenant when you sign up for Nebius AI Cloud, you can create and manage [custom groups](/iam/authorization/groups#custom-groups) in the tenant and its projects for granular control over permissions. To manage group permissions, create access permits that assign [roles](../roles) for specific resources to the group.

## Prerequisites

The prerequisites for this guide depend on the interface that you use.

<Tabs>
  <Tab title="Web console">
    Make sure you are in a [group](/iam/authorization/groups/index) that has the `admin` role within your tenant; for example, the default `admins` group. You can check this in the [Administration → IAM](https://console.nebius.com/iam) section of the web console.
  </Tab>

  <Tab title="CLI">
    1. Make sure you are in a [group](/iam/authorization/groups/index) that has the `admin` role within your tenant; for example, the default `admins` group. You can check this in the [Administration → IAM](https://console.nebius.com/iam) section of the web console.
    2. [Install](/cli/install) and [configure](/cli/configure) the Nebius AI Cloud CLI.
    3. Install [jq](https://jqlang.github.io/jq/download/) to extract IDs and tokens from JSON data returned by the Nebius AI Cloud CLI:

           <CodeGroup>
             ```bash Ubuntu theme={null}
             sudo apt-get install jq
             ```

             ```bash macOS theme={null}
             brew install jq
             ```
           </CodeGroup>
  </Tab>
</Tabs>

## Setting up custom groups

To create a group and set up its permissions, go through the following steps:

<Tabs>
  <Tab title="Web console">
    1. Create a group within your tenant or project:

       1. In the sidebar, go to <Icon icon="https://mintcdn.com/nebius-ai-cloud/1Ha0sWR6e1mnIaHS/_assets/sidebar/administration.svg?fit=max&auto=format&n=1Ha0sWR6e1mnIaHS&q=85&s=e6411dc023fd6972922c0a12a59ccf21" width="16" height="16" data-path="_assets/sidebar/administration.svg" /> **Administration** → **IAM**.
       2. Click **Create entity** and select **Group**.
       3. In the window that opens, specify the group name and define its scope by selecting either your tenant or a specific project in the tenant.
       4. Click **Create** to finish creating the group.

    2. Create an access permit for the group:

       1. Open the newly created group and switch to the **Access permits** tab.

       2. Click **Manage permits**.

       3. In the window that opens, select the resource that you want the group to have access to. The available resources depend on the scope of the group:

          * A group created in a tenant can have permits for the tenant and for any projects and resources within it.
          * A group created in a project can only have permits for that project and the resources within it.

       4. Select [roles](../roles) to assign to the group. These roles define the permissions of the group members.

       5. Click **Save** to apply your changes.

    3. [Add members](../members) to the group.
  </Tab>

  <Tab title="CLI">
    1. Create a group within your tenant or project:

       ```bash theme={null}
       nebius iam group create \
         --parent-id <tenant_or_project_ID> \
         --name <custom_group_name>
       ```

       In the `--parent-id` parameter, specify either the ID of your tenant or the ID of a specific project:

       * `--parent-id`: [Tenant ID](/iam/get-tenants#cli) or [Project ID](/iam/manage-projects#cli-3).

       From the output of this command, copy the group ID to use it in the next step.

    2. Create an access permit for the group:

       ```bash theme={null}
       nebius iam access-permit create \
         --parent-id <group_ID> \
         --resource-id <resource_ID> \
         --role <auditor|viewer|editor|admin|dsr.admin|...>
       ```

       In this command, change the following parameters:

       * `--parent-id`: Group ID that you got in the previous step.

       * `--resource-id`: Resource for which the permit is created. The available resources depend on the scope of the group:

         * A group created in a tenant can have permits for the tenant and for any projects and resources within it.
         * A group created in a project can only have permits for that project and the resources within it.

       * `--role`: One of the [roles](./roles). Each role grants a fixed set of permissions.
  </Tab>
</Tabs>

### Examples

<Tabs>
  <Tab title="CLI">
    <AccordionGroup>
      <Accordion title="Project resources editors">
        In this example, you will create a group within a project that gives its members permissions to create, read, update or delete any resources in this project. However, the members of this group will not be able to manage groups and permissions. This set of permissions is provided by the `editor` role.

        Run the following command to create the group and an access permit, and save the group ID to an environment variable:

        ```bash theme={null}
        export PROJECT_EDITOR_GROUP_ID=$(nebius iam group create \
          --parent-id <project_ID> \
          --name my-project-editors \
          --format json \
          | jq -r ".metadata.id")

        nebius iam access-permit create \
          --parent-id $PROJECT_EDITOR_GROUP_ID \
          --resource-id <project_ID> \
          --role editor
        ```

        After the operation is completed, use the group ID in the `PROJECT_EDITOR_GROUP_ID` variable to [add members](./members) to this group.
      </Accordion>

      <Accordion title="Granular permissions within a tenant">
        In this example, you will create a group within a tenant that gives its members permissions to view all resources in the tenant but only manage one specific MysteryBox secret. This set of permissions is provided by the `viewer` and `editor` roles for various resources.

        Run the following command to create the group and access permits, and save the group ID to an environment variable:

        ```bash theme={null}
        export SECRET_EDITOR_GROUP_ID=$(nebius iam group create \
          --parent-id <tenant_ID> \
          --name my-secret-editors \
          --format json \
          | jq -r ".metadata.id")

        nebius iam access-permit create \
          --parent-id $SECRET_EDITOR_GROUP_ID \
          --resource-id <tenant_ID> \
          --role viewer

        nebius iam access-permit create \
          --parent-id $SECRET_EDITOR_GROUP_ID \
          --resource-id <secret_ID> \
          --role editor
        ```

        After the operation is completed, use the group ID in the `SECRET_EDITOR_GROUP_ID` variable to [add members](./members) to this group.
      </Accordion>
    </AccordionGroup>
  </Tab>
</Tabs>

## Revoking role assignments

To revoke the role that you previously assigned to a group:

<Tabs>
  <Tab title="Web console">
    Remove the access permit that assigned this role:

    1. In the sidebar, go to <Icon icon="https://mintcdn.com/nebius-ai-cloud/1Ha0sWR6e1mnIaHS/_assets/sidebar/administration.svg?fit=max&auto=format&n=1Ha0sWR6e1mnIaHS&q=85&s=e6411dc023fd6972922c0a12a59ccf21" width="16" height="16" data-path="_assets/sidebar/administration.svg" /> **Administration** → **IAM**.
    2. Switch to the **Groups** tab and select the group you want to update.
    3. On the group page, switch to the **Access permits** tab.
    4. Click <Icon icon="https://mintcdn.com/nebius-ai-cloud/1Ha0sWR6e1mnIaHS/_assets/button-vellipsis.svg?fit=max&auto=format&n=1Ha0sWR6e1mnIaHS&q=85&s=e80b8e57c43bfd117679262e6a1334ad" width="12" height="24" data-path="_assets/button-vellipsis.svg" /> → **Manage permits** next to the name of the resource.
    5. In the window that opens, deselect individual permits or click **Delete permits** to remove all access permits from the group.
  </Tab>

  <Tab title="CLI">
    Delete the access permit that grants this role:

    ```bash theme={null}
    nebius iam access-permit delete --id <access_permit_ID>
    ```

    If you don't know the ID of the access permit, you can list all access permits for a group and find the one you need. Run the following command:

    ```bash theme={null}
    nebius iam access-permit list --parent-id <group_ID>
    ```

    Output example:

    ```yaml theme={null}
    items:
      - metadata:
          created_at: "2025-05-14T11:28:31.685598Z"
          id: accesspermit-***
          parent_id: group-***
        spec:
          resource_id: tenant-***
          role: viewer
    ```
  </Tab>
</Tabs>
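As an added example (not part of the Nebius documentation or CLI), the following script shows how to turn the "list permits, find the one you need, delete it" procedure above into a repeatable audit: it parses the permit list, selects permits by role and resource, flags privileged roles granted at tenant scope, and builds the matching `access-permit delete` commands. It assumes that `nebius iam access-permit list --parent-id <group_ID> --format json` returns the same fields as the YAML output shown above; the sample JSON and all IDs are constructed.

```python
import json
import shlex

# Constructed sample of `nebius iam access-permit list ... --format json`.
# Assumption: the JSON output carries the same fields as the YAML shown above.
SAMPLE_PERMITS_JSON = """
{
  "items": [
    {"metadata": {"id": "accesspermit-example-1", "parent_id": "group-example"},
     "spec": {"resource_id": "tenant-example", "role": "viewer"}},
    {"metadata": {"id": "accesspermit-example-2", "parent_id": "group-example"},
     "spec": {"resource_id": "tenant-example", "role": "admin"}},
    {"metadata": {"id": "accesspermit-example-3", "parent_id": "group-example"},
     "spec": {"resource_id": "secret-example", "role": "editor"}}
  ]
}
"""

# Roles treated as privileged when granted on the tenant itself (policy assumption).
PRIVILEGED_ROLES = {"admin", "editor"}


def parse_permits(raw):
    """Return (permit_id, resource_id, role) tuples from the list output."""
    doc = json.loads(raw)
    return [(item["metadata"]["id"], item["spec"]["resource_id"], item["spec"]["role"])
            for item in doc.get("items", [])]


def select_permits(permits, role=None, resource_id=None):
    """Return permit IDs matching the given role and/or resource; None means any."""
    return [pid for pid, rid, r in permits
            if (role is None or r == role) and (resource_id is None or rid == resource_id)]


def tenant_wide_privileged(permits, tenant_id):
    """Return permit IDs that grant a privileged role on the whole tenant."""
    return [pid for pid, rid, r in permits if rid == tenant_id and r in PRIVILEGED_ROLES]


def revoke_commands(permit_ids):
    """Build one `nebius iam access-permit delete` command per permit ID."""
    return [f"nebius iam access-permit delete --id {shlex.quote(pid)}" for pid in permit_ids]


if __name__ == "__main__":
    permits = parse_permits(SAMPLE_PERMITS_JSON)
    # Review what is tenant-wide and privileged before revoking anything.
    for cmd in revoke_commands(tenant_wide_privileged(permits, "tenant-example")):
        print(cmd)
```

In practice, replace `SAMPLE_PERMITS_JSON` with the captured output of the list command and review the generated commands before running them.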
