Groups
Groups let you organise users and control which applications each group can access. If you have a team structure (Engineering, Marketing, Finance, etc.) or want to restrict certain apps to specific people, groups are the way to do it.
Create a group
- Go to Settings → Administration → User Groups
- Click New Group
- Enter a name for the group. This is what appears in the UI and in tokens
- Click Save
Add users to a group
Open a group from the list to see its members. Click Add users to search for existing users and add them to the group.
You can also assign users to a group at invite time: when you generate a sign-up link, you can pick one or more groups that new users will be added to automatically.
Restrict an application to specific groups
By default, any active user can log into any connected application. If you want to limit access (for example, only the Engineering team should be able to log into your internal tools), you can restrict an OIDC client to specific groups.
Open the OIDC client from Settings → Administration → OIDC Clients, find the Access section, and enable Restrict to user groups. Then select the groups that are allowed.
Users who aren't in an allowed group will be denied at the consent screen, even if they have an active account.
Custom claims on groups
You can attach custom key-value pairs (called claims) to a group. These get included in the JWT tokens that Permiso issues, which is useful if your application needs to know things like a user's department, role, or subscription tier.
See Custom Claims for details.
Groups and LDAP
If you've connected Permiso to an LDAP directory, groups from that directory can be synced to Permiso groups automatically. Synced groups show an LDAP indicator in the group list and their membership is managed by the directory rather than manually.
See Importing Users for how to set up LDAP sync.