Groups
Organize users into groups with inherited permissions
Groups in Cased CD Enterprise allow you to organize users and assign permissions at the group level rather than individually.
How groups work
Section titled “How groups work”Groups can come from two sources:
- Identity Provider (IdP) — Groups defined in your SSO provider (Cognito, Okta, etc.)
- ArgoCD local accounts — Groups assigned to ArgoCD local users
When a user logs in, their group memberships are used to determine their permissions via ArgoCD’s RBAC system.
Viewing groups
Section titled “Viewing groups”Navigate to Settings → Groups in the Cased CD UI to see:
- All groups in your system
- Members of each group
- RBAC roles assigned to each group
IdP group integration
Section titled “IdP group integration”AWS Cognito
Section titled “AWS Cognito”Cognito automatically includes groups in the cognito:groups claim:
# Create a groupaws cognito-idp create-group \ --user-pool-id us-west-2_XXXXXXXXX \ --group-name developers \ --region us-west-2
# Add user to groupaws cognito-idp admin-add-user-to-group \ --user-pool-id us-west-2_XXXXXXXXX \ --username user@example.com \ --group-name developers \ --region us-west-2Configure a groups claim in your Okta application:
- Go to Applications → Your App → Sign On
- Edit the OpenID Connect ID Token section
- Add claim:
groupswith filter matching your groups
Other providers
Section titled “Other providers”Most OIDC providers support a groups claim. Consult your provider’s documentation for configuration details.
RBAC configuration
Section titled “RBAC configuration”Map IdP groups to ArgoCD roles in argocd-rbac-cm:
kubectl patch configmap argocd-rbac-cm -n argocd --type merge -p 'data: policy.csv: | # Define roles p, role:developer, applications, get, */*, allow p, role:developer, applications, sync, */*, allow p, role:admin, applications, *, */*, allow p, role:admin, clusters, *, *, allow p, role:admin, repositories, *, *, allow
# Map groups to roles g, developers, role:developer g, admins, role:admin g, platform-team, role:admin'Common patterns
Section titled “Common patterns”Team-based access
Section titled “Team-based access”Give each team access to their applications:
# Frontend team can manage frontend appsp, role:frontend, applications, *, default/frontend-*, allowg, frontend-team, role:frontend
# Backend team can manage backend appsp, role:backend, applications, *, default/backend-*, allowg, backend-team, role:backendEnvironment-based access
Section titled “Environment-based access”Restrict production access:
# Developers can sync to stagingp, role:developer, applications, sync, staging/*, allow
# Only admins can sync to productionp, role:admin, applications, sync, production/*, allowRead-only access
Section titled “Read-only access”For stakeholders who need visibility:
p, role:viewer, applications, get, */*, allowp, role:viewer, logs, get, */*, allowg, stakeholders, role:viewerTroubleshooting
Section titled “Troubleshooting”Groups not appearing
Section titled “Groups not appearing”- Check IdP configuration — Verify groups claim is included in tokens
- Verify group membership — Ensure users are assigned to groups in IdP
- Check ArgoCD logs — Look for OIDC/groups-related errors
kubectl logs -n argocd deployment/argocd-server | grep -i groupPermission denied despite group membership
Section titled “Permission denied despite group membership”- Case sensitivity — Group names are case-sensitive
- Exact match — Group name in RBAC must match IdP exactly
- Token refresh — User may need to log out and back in
Viewing user’s groups
Section titled “Viewing user’s groups”Check a user’s effective groups via ArgoCD:
argocd account can-i sync applications '*' --as user@example.com