A finance team of five users needs read access to a specific subscription. You want to manage them as a unit so that adding or removing team members automatically adjusts their access.
Approach: Create a group, invite the users, add them to the group, then assign a single policy to the group.
Prerequisites:
- An access token with IAM admin permissions
- A configured tenant
- The scope URI for the subscription you want to grant access to

Step 1: Create a group
- Mock server: https://developer.aritma.com/_mock/apis/platform/iam/openapi/iam-openapi/v1/subjects/groups
- IAM API: https://api.dev.aritma.io/core/iam/v1/subjects/groups
curl -i -X POST \
  https://developer.aritma.com/_mock/apis/platform/iam/openapi/iam-openapi/v1/subjects/groups \
  -H 'Authorization: Bearer <YOUR_TOKEN_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "displayName": "Finance team",
    "description": "Finance users with read access to the finance subscription"
  }'

Note the subjectId in the response; you will use it as the subject in the policy.
Step 2: Invite the users
- Mock server: https://developer.aritma.com/_mock/apis/platform/iam/openapi/iam-openapi/v1/users/invite
- IAM API: https://api.dev.aritma.io/core/iam/v1/users/invite
curl -i -X POST \
  'https://developer.aritma.com/_mock/apis/platform/iam/openapi/iam-openapi/v1/users/invite?email=jane.doe%40aritma.com&redirectUrl=https%3A%2F%2Fapp.example.com%2Faccept-invite' \
  -H 'Authorization: Bearer <YOUR_TOKEN_HERE>'

Users become active subjects after they accept the invitation and complete registration. Repeat for each team member.
If your organization owns the email domain, you can verify it and use CreateUserSubject to add users instantly without waiting for invitation acceptance.
Step 3: Add the users to the group
- Mock server: https://developer.aritma.com/_mock/apis/platform/iam/openapi/iam-openapi/v1/subjects/groups/{groupSubjectId}/members
- IAM API: https://api.dev.aritma.io/core/iam/v1/subjects/groups/{groupSubjectId}/members
curl -i -X POST \
  'https://developer.aritma.com/_mock/apis/platform/iam/openapi/iam-openapi/v1/subjects/groups/{groupSubjectId}/members' \
  -H 'Authorization: Bearer <YOUR_TOKEN_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "subjectIds": [
      "<USER_SUBJECT_ID>"
    ]
  }'

Replace {groupSubjectId} with the group's subjectId and list the subjectId of each registered user. You can add multiple subject IDs in a single request.
Step 4: Assign a policy to the group
- Mock server: https://developer.aritma.com/_mock/apis/platform/iam/openapi/iam-openapi/v1/policies
- IAM API: https://api.dev.aritma.io/core/iam/v1/policies
curl -i -X POST \
  https://developer.aritma.com/_mock/apis/platform/iam/openapi/iam-openapi/v1/policies \
  -H 'Authorization: Bearer <YOUR_TOKEN_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "subject": "<GROUP_SUBJECT_ID>",
    "scope": "/subscriptions/123",
    "action": "iam.policy.read"
  }'

Use the group's subjectId (returned when you created the group) as the policy subject, not an individual user's ID. All current and future members of the group inherit this policy immediately.
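The four calls above as one script, added here as an example rather than Aritma's own code or SDK. It assumes that creating a group returns a JSON body containing subjectId (as noted above), that the other endpoints return JSON, and it uses a hypothetical transport parameter so the flow can be exercised without a live tenant.

```python
import json
from urllib import parse, request

BASE_URL = "https://api.dev.aritma.io/core/iam/v1"  # IAM API base URL from the page

def urllib_transport(method, url, headers, body):
    # Live HTTP transport (urlopen itself raises on 4xx/5xx); returns (status, JSON or {}).
    req = request.Request(url, data=body, headers=headers, method=method)
    with request.urlopen(req) as resp:
        return resp.status, json.loads(resp.read() or b"{}")

class IamClient:
    # 'transport' is a hypothetical injection point (not an Aritma API feature) for offline tests.
    def __init__(self, token, base_url=BASE_URL, transport=urllib_transport):
        self.base_url, self.transport = base_url.rstrip("/"), transport
        self.headers = {"Authorization": f"Bearer {token}",
                        "Content-Type": "application/json"}

    def _call(self, method, path, body=None, query=None):
        url = self.base_url + path + ("?" + parse.urlencode(query) if query else "")
        data = json.dumps(body).encode() if body is not None else None
        status, payload = self.transport(method, url, self.headers, data)
        if status >= 400:  # surface IAM errors instead of silently continuing
            raise RuntimeError(f"{method} {path} failed with HTTP {status}: {payload}")
        return payload

    def create_group(self, display_name, description):
        return self._call("POST", "/subjects/groups",
                          {"displayName": display_name, "description": description})

    def invite_user(self, email, redirect_url):
        # Invitees only become subjects after accepting, so no subjectId is returned yet.
        return self._call("POST", "/users/invite",
                          query={"email": email, "redirectUrl": redirect_url})

    def add_members(self, group_subject_id, subject_ids):
        return self._call("POST", f"/subjects/groups/{group_subject_id}/members",
                          {"subjectIds": list(subject_ids)})

    def create_policy(self, subject, scope, action):
        return self._call("POST", "/policies",
                          {"subject": subject, "scope": scope, "action": action})

def provision_team(client, name, member_subject_ids, scope, action):
    """Create the group, add registered members, attach ONE policy to the group."""
    group_id = client.create_group(name, f"{name}, managed as a unit")["subjectId"]
    client.add_members(group_id, member_subject_ids)  # one request covers all members
    # The policy subject is the group, not a user, so membership alone drives access.
    policy = client.create_policy(group_id, scope, action)
    return {"groupSubjectId": group_id, "policy": policy}
```

Invited users have no subjectId until they register, so invite them first and run provision_team once their IDs are known (or create them directly with CreateUserSubject on a verified domain).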
Next steps:
- To add more users to the team later, use the Add members to a group operation
- To revoke access for the entire team, delete the policy or delete the group
- To see what the group can currently do, use the View group permissions operation