Documentation

mc admin group

Description

The mc admin group command manages groups on a MinIO deployment.

A group is a collection of users. Each group can have one or more assigned policies that explicitly list the actions and resources to which group members are allowed or denied access. Groups provide a simplified method for managing shared permissions among users with common access patterns and workloads.

Use mc admin on MinIO Deployments Only

MinIO does not support using mc admin commands with other S3-compatible services, regardless of their claimed compatibility with MinIO deployments.

Groups and Policy-Based Access Control

MinIO uses Policy-Based Access Control (PBAC) to support authorization of users who have successfully authenticated to the deployment. Each policy includes rules that dictate the allowed or denied actions/resources on the deployment. You can assign one or more policies to a group. Users with membership in the group inherit the group’s assigned policies. A user’s total set of permissions includes their explicitly assigned policies and any policies inherited via group membership.

Newly created groups have no policies by default. To configure a group’s assigned policies, use the mc admin policy attach command.

For more information on MinIO users and groups, see User Management and Group Management. For more information on MinIO policies, see MinIO Policy Based Access Control.

Deny overrides Allow

MinIO follows the IAM standard where a Deny rule overrides Allow rule on the same action or resource. For example, if a user has an explicitly assigned policy with an Allow rule for an action/resource while one of its groups has an assigned policy with a Deny rule for that action/resource, MinIO would apply only the Deny rule.

For more information on IAM policy evaluation logic, see the IAM documentation on Determining Whether a Request is Allowed or Denied Within an Account.

Examples

Create a New Group

Use mc admin group add to create a new group to an S3-compatible host:

mc admin group add ALIAS GROUPNAME MEMBER [MEMBER...]
  • Replace ALIAS with the alias of the S3-compatible host.

  • Replace GROUPNAME with the name of the group to create.

  • Replace MEMBER with at least one user on the S3 host. Specify multiple members as a list: MEMBER1 MEMBER2 MEMBER3

List Available Groups

Use mc admin group ls to list list all groups on an S3-compatible host:

mc admin group ls ALIAS
  • Replace ALIAS with the alias of the S3-compatible host.

View Group Details

Use mc admin group info to view detailed group information on an S3-compatible host:

mc admin group info ALIAS GROUPNAME
  • Replace ALIAS with the alias of the S3-compatible host.

  • Replace GROUPNAME with the name of the group.

Remove a Group

Use mc admin group rm to remove a group from an S3-compatible host:

mc admin group rm ALIAS GROUPNAME
  • Replace ALIAS with the alias of the S3-compatible host.

  • Replace GROUPNAME with the name of the group.

Disable a Group

Use mc admin group disable to disable a group on an S3-compatible host:

mc admin group disable ALIAS GROUPNAME
  • Replace ALIAS with the alias of the S3-compatible host.

  • Replace GROUPNAME with the name of the group.

Enable a Group

Use mc admin group enable to enable a group on an S3-compatible host:

mc admin group enable ALIAS GROUPNAME
  • Replace ALIAS with the alias of the S3-compatible host.

  • Replace GROUPNAME with the name of the group.

Quick Reference

mc admin group add TARGET GROUPNAME MEMBERS

Adds a user to a group on the MinIO deployment. Creates the group if it does not exist.

mc admin group info TARGET GROUPNAME

Returns detailed information for a group on the MinIO deployment.

mc admin group ls TARGET

Returns a list of all groups on the MinIO deployment.

mc admin group rm TARGET GROUPNAME

Removes a group on the MinIO deployment.

mc admin group enable TARGET GROUPNAME

Enables a group on the MinIO deployment. Users can only inherit policies assigned to an enabled group.

mc admin group disable TARGET GROUPNAME

Disables a group on the MinIO deployment. Users cannot inherit policies assigned to a disabled group.

Syntax

mc admin group add

Adds an existing user to the group. The command creates the group if it does not exist. The command has the following syntax:

mc admin group add TARGET GROUPNAME MEMBERS

The command accepts the following arguments:

TARGET

The alias of a configured MinIO deployment on which the command adds users to the new or existing group

GROUPNAME

The name of the group. The command creates the group if it does not already exist. Use mc admin group ls to review the existing groups on a deployment.

A group name cannot contain the characters = (equal sign) or , (comma).

MEMBERS

The name of the user to add to the group.

The user must exist on the TARGET MinIO deployment. Use mc admin user ls to review the available users on the deployment.

mc admin group info

Returns details for the group on the target deployment, such as all users with membership in the group and the assigned policies. The command has the following syntax:

mc admin group info TARGET GROUPNAME

The command accepts the following arguments:

TARGET

The alias of a configured MinIO deployment from which to retrieve the group information.

GROUPNAME

The name of the group.

mc admin group ls, list

List all groups on the target MinIO deployment. The command has the following syntax:

mc admin group ls TARGET

The command accepts the following arguments:

TARGET

The alias of a configured MinIO deployment from which to retrieve groups.

mc admin group rm, remove

Removes a group on the target MinIO deployment. Removing a group does not remove any users with membership in the group. Use mc admin user rm to remove users from a group.

The command has the following syntax:

mc admin group rm TARGET GROUPNAME

The command accepts the following arguments:

TARGET

The alias of a configured MinIO deployment on which to remove the group.

GROUPNAME

The name of the group to remove.

mc admin group enable

Enables the group on the target MinIO deployment. Users can only inherit policies from an enabled group. Groups are enabled on creation by default. The command has the following syntax:

mc admin group enable TARGET GROUPNAME

The command accepts the following arguments:

TARGET

The alias of a configured MinIO deployment on which to enable the group.

GROUPNAME

The name of the group to enable.

mc admin group disable

Disables the group on the target MinIO deployment. Users cannot inherit policies from a disabled group. The command has the following syntax:

mc admin group disable TARGET GROUPNAME

The command accepts the following arguments:

TARGET

The alias of a configured MinIO deployment on which to disable the group.

GROUPNAME

The name of the group to disable.