
Governance Groups

Governance groups enable scoped, delegated administration — letting a team govern a slice of the directory (their org unit, their apps) without granting them global admin.

Admin console: /admin/governance-groups

Concepts

  • Governance group — a named set of admins with a defined scope (the users/resources they may act on).
  • Scope — the boundary of authority. The default is GLOBAL (a no-op narrowing). Narrower scopes restrict an admin's target set.
  • Narrows-only enforcement — scoping can only restrict. Super-administrators and the bootstrap admin always keep the global fast-path and are never newly restricted.

How it works

Scoped enforcement applies to the target-user admin operations (delete, update, set-password, send-invitation, identity-unlink). When a scoped admin acts on a user, the RBAC service checks that the target lies within that admin's governance scope; out-of-scope targets are refused. Global and super admins bypass the check entirely.

Typical setup

  1. /admin/governance-groups → create a group and add member admins.
  2. Define the scope (e.g. an org unit, a set of applications).
  3. The scope is enforced automatically on the governed admin operations.
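The following is an added illustration of the narrows-only check described under "How it works" and set up in the steps above; it is not the product's own code, and every class, field, function name, scope kind and sample id in it is an assumption chosen to mirror the concepts on this page. It models a governance group as a name plus a scope, treats an admin with no group as keeping the default GLOBAL scope, lets super-admins bypass the check, and refuses governed operations whose target falls outside all of a scoped admin's groups.

```python
"""Illustrative model of narrows-only governance-group scope enforcement.

Added example, not the product's own code: every class, field, function
name and sample id below is an assumption chosen to mirror the concepts on
this page (group, scope, narrows-only enforcement, super-admin bypass).
"""
from dataclasses import dataclass, field

# Target-user admin operations the page lists as governed by scope enforcement.
GOVERNED_OPERATIONS = frozenset(
    {"delete", "update", "set-password", "send-invitation", "identity-unlink"}
)

GLOBAL, ORG_UNIT, APPS = "GLOBAL", "ORG_UNIT", "APPS"  # hypothetical scope kinds


@dataclass(frozen=True)
class Scope:
    """GLOBAL (the default, a no-op narrowing) or a restriction to org units / apps."""
    kind: str = GLOBAL
    values: frozenset = frozenset()  # org-unit ids or app ids (constructed sample ids)


@dataclass(frozen=True)
class GovernanceGroup:
    name: str
    scope: Scope


@dataclass
class User:
    user_id: str
    org_unit: str
    apps: frozenset = frozenset()


@dataclass
class Admin:
    admin_id: str
    is_super: bool = False           # super-admins / bootstrap admin keep the global fast-path
    groups: list = field(default_factory=list)


def target_in_scope(scope: Scope, target: User) -> bool:
    """True if `target` lies inside the boundary of authority `scope` describes."""
    if scope.kind == GLOBAL:
        return True
    if scope.kind == ORG_UNIT:
        return target.org_unit in scope.values
    if scope.kind == APPS:
        return bool(target.apps & scope.values)
    raise ValueError(f"unknown scope kind {scope.kind!r}")


def authorize(admin: Admin, operation: str, target: User) -> bool:
    """Decide whether `admin` may run `operation` against `target`.

    Assumed semantics, mirroring the page: super-admins bypass the check
    entirely; only the governed target-user operations are scoped; an admin
    in no governance group keeps the default GLOBAL scope (narrows-only means
    membership can only restrict); an admin in several groups is in scope
    if any one of their groups' scopes contains the target.
    """
    if admin.is_super:
        return True                       # global fast-path, never newly restricted
    if operation not in GOVERNED_OPERATIONS:
        return True                       # not a target-user operation; left to ordinary RBAC
    if not admin.groups:
        return True                       # default scope is GLOBAL
    return any(target_in_scope(g.scope, target) for g in admin.groups)


# Constructed sample directory for the walk-through below.
ENG_ADMINS = GovernanceGroup("eng-admins", Scope(ORG_UNIT, frozenset({"ou-engineering"})))
PAYROLL_ADMINS = GovernanceGroup("payroll-admins", Scope(APPS, frozenset({"app-payroll"})))

ALICE = User("u-alice", "ou-engineering", frozenset({"app-payroll", "app-crm"}))
BOB = User("u-bob", "ou-sales", frozenset({"app-crm"}))

SUPER = Admin("a-root", is_super=True)
ENG_ADMIN = Admin("a-eng", groups=[ENG_ADMINS])
PAYROLL_ADMIN = Admin("a-payroll", groups=[PAYROLL_ADMINS])
UNSCOPED_ADMIN = Admin("a-plain")  # no governance group: default GLOBAL scope


if __name__ == "__main__":
    checks = [
        (SUPER, "delete", BOB),                   # allow: super-admin bypass
        (ENG_ADMIN, "update", ALICE),             # allow: alice is in ou-engineering
        (ENG_ADMIN, "delete", BOB),               # refuse: bob is out of scope
        (PAYROLL_ADMIN, "set-password", ALICE),   # allow: shares app-payroll
        (PAYROLL_ADMIN, "set-password", BOB),     # refuse: no governed app overlap
        (UNSCOPED_ADMIN, "identity-unlink", BOB), # allow: default GLOBAL scope
    ]
    for admin, op, target in checks:
        verdict = "allow" if authorize(admin, op, target) else "refuse"
        print(f"{admin.admin_id:10} {op:16} -> {target.user_id:8} {verdict}")
```

The union-of-groups rule (in scope if any group's scope contains the target) and the treatment of an admin with no group as GLOBAL are both assumptions; if your deployment assigns narrower defaults, the two branches in `authorize` are the only lines that need to change, and `target_in_scope` stays the single place where the boundary of authority is evaluated.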