mc admin group
Description
The mc admin group command manages groups on a MinIO deployment.
A group is a collection of users. Each group can have one or more assigned policies that explicitly list the actions and resources to which group members are allowed or denied access. Groups provide a simplified method for managing shared permissions among users with common access patterns and workloads.
Use mc admin on MinIO Deployments Only
MinIO does not support using mc admin commands with other S3-compatible services, regardless of their claimed compatibility with MinIO deployments.
Groups and Policy-Based Access Control
MinIO uses Policy-Based Access Control (PBAC) to support authorization of users who have successfully authenticated to the deployment. Each policy includes rules that dictate the allowed or denied actions/resources on the deployment. You can assign one or more policies to a group. Users with membership in the group inherit the group’s assigned policies. A user’s total set of permissions includes their explicitly assigned policies and any policies inherited via group membership.
Newly created groups have no policies by default. To configure a group’s assigned policies, use the mc admin policy attach command.
For more information on MinIO users and groups, see User Management and Group Management. For more information on MinIO policies, see MinIO Policy Based Access Control.
Deny overrides Allow
MinIO follows the IAM standard where a Deny rule overrides an Allow rule on the same action or resource. For example, if a user has an explicitly assigned policy with an Allow rule for an action/resource while one of its groups has an assigned policy with a Deny rule for that action/resource, MinIO would apply only the Deny rule.
For more information on IAM policy evaluation logic, see the IAM documentation on Determining Whether a Request is Allowed or Denied Within an Account.
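The evaluation rules described above, as an added example that is not MinIO's code: a simplified Python model that combines a user's explicit policies with those inherited from enabled groups, then applies Deny over Allow. The policy names, the user and group records, and the fnmatch-style wildcard matching are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Constructed sample policies (names and contents are illustrative).
POLICIES = {
    "reports-rw": {"Statement": [
        {"Effect": "Allow", "Action": ["s3:*"],
         "Resource": ["arn:aws:s3:::reports/*"]}]},
    "no-delete": {"Statement": [
        {"Effect": "Deny", "Action": ["s3:DeleteObject"],
         "Resource": ["arn:aws:s3:::reports/*"]}]},
}
# Constructed sample identities.
USERS = {"alice": {"policies": ["reports-rw"], "groups": ["auditors"]},
         "bob": {"policies": [], "groups": ["interns"]}}
GROUPS = {"auditors": {"enabled": True, "policies": ["no-delete"]},
          "interns": {"enabled": True, "policies": []}}  # new group: no policies


def effective_policies(user, users=USERS, groups=GROUPS):
    """Explicit policies plus those inherited from enabled groups only."""
    names = list(users[user]["policies"])
    for g in users[user]["groups"]:
        if groups[g]["enabled"]:
            names.extend(groups[g]["policies"])
    return names


def _matches(stmt, action, resource):
    # Simplified wildcard matching; an assumption of this model.
    return (any(fnmatchcase(action, p) for p in stmt["Action"])
            and any(fnmatchcase(resource, p) for p in stmt["Resource"]))


def is_allowed(user, action, resource, users=USERS, groups=GROUPS):
    """Any matching Deny wins; otherwise a matching Allow is required."""
    allowed = False
    for name in effective_policies(user, users, groups):
        for stmt in POLICIES[name]["Statement"]:
            if not _matches(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed  # no matching Allow means the request is denied


if __name__ == "__main__":
    obj = "arn:aws:s3:::reports/q1.csv"
    print(is_allowed("alice", "s3:GetObject", obj))
    print(is_allowed("alice", "s3:DeleteObject", obj))
```

In this model, disabling a group whose policy carries a Deny removes that Deny from each member's effective set, so review the group's assigned policies with mc admin group info before disabling it.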
Examples
Create a New Group
Use mc admin group add to create a new group on an S3-compatible host:
mc admin group add ALIAS GROUPNAME MEMBER [MEMBER...]
List Available Groups
Use mc admin group ls to list all groups on an S3-compatible host:
mc admin group ls ALIAS
View Group Details
Use mc admin group info to view detailed group information on an S3-compatible host:
mc admin group info ALIAS GROUPNAME
Remove a Group
Use mc admin group rm to remove a group from an S3-compatible host:
mc admin group rm ALIAS GROUPNAME
Disable a Group
Use mc admin group disable to disable a group on an S3-compatible host:
mc admin group disable ALIAS GROUPNAME
Enable a Group
Use mc admin group enable to enable a group on an S3-compatible host:
mc admin group enable ALIAS GROUPNAME
Quick Reference
mc admin group add TARGET GROUPNAME MEMBERS
Adds a user to a group on the MinIO deployment. Creates the group if it does not exist.
mc admin group info TARGET GROUPNAME
Returns detailed information for a group on the MinIO deployment.
mc admin group ls TARGET
Returns a list of all groups on the MinIO deployment.
mc admin group rm TARGET GROUPNAME
Removes a group on the MinIO deployment.
mc admin group enable TARGET GROUPNAME
Enables a group on the MinIO deployment. Users can only inherit policies assigned to an enabled group.
mc admin group disable TARGET GROUPNAME
Disables a group on the MinIO deployment. Users cannot inherit policies assigned to a disabled group.
Syntax
- mc admin group add
Adds an existing user to the group. The command creates the group if it does not exist. The command has the following syntax:
mc admin group add TARGET GROUPNAME MEMBERS
The command accepts the following arguments:
- TARGET
The alias of a configured MinIO deployment on which the command adds users to the new or existing group.
- GROUPNAME
The name of the group. The command creates the group if it does not already exist. Use mc admin group ls to review the existing groups on a deployment. A group name cannot contain the characters = (equal sign) or , (comma).
- MEMBERS
The name of the user to add to the group. The user must exist on the TARGET MinIO deployment. Use mc admin user ls to review the available users on the deployment.
- mc admin group info
Returns details for the group on the target deployment, such as all users with membership in the group and the assigned policies. The command has the following syntax:
mc admin group info TARGET GROUPNAME
The command accepts the following arguments:
- TARGET
The alias of a configured MinIO deployment from which to retrieve the group information.
- mc admin group ls, list
List all groups on the target MinIO deployment. The command has the following syntax:
mc admin group ls TARGET
The command accepts the following arguments:
- TARGET
The alias of a configured MinIO deployment from which to retrieve groups.
- mc admin group rm, remove
Removes a group on the target MinIO deployment. Removing a group does not remove any users with membership in the group. Use mc admin user rm to remove users from a group. The command has the following syntax:
mc admin group rm TARGET GROUPNAME
The command accepts the following arguments:
- TARGET
The alias of a configured MinIO deployment on which to remove the group.
- mc admin group enable
Enables the group on the target MinIO deployment. Users can only inherit policies from an enabled group. Groups are enabled on creation by default. The command has the following syntax:
mc admin group enable TARGET GROUPNAME
The command accepts the following arguments:
- TARGET
The alias of a configured MinIO deployment on which to enable the group.
- mc admin group disable
Disables the group on the target MinIO deployment. Users cannot inherit policies from a disabled group. The command has the following syntax:
mc admin group disable TARGET GROUPNAME
The command accepts the following arguments:
- TARGET
The alias of a configured MinIO deployment on which to disable the group.