Skip to main content

Group

A collection of users and service accounts that share the same access level within your organization.

Groups are the primary mechanism for managing access control in Massdriver. Rather than assigning permissions to individual users, you add them to groups that define what they can see and do.

Built-in groups — Every organization starts with an Admins group (organization_admin role) and a Viewers group (organization_viewer role). These cannot be deleted.

Custom groups — Create custom groups with the CUSTOM role to grant project-level access. Each custom group can be assigned project_admin or project_viewer on specific projects.

Members — Both human users and service accounts can be group members. Users live under members and are added via addAccountToGroup (auto-adds existing org members or sends an invitation otherwise). Service accounts live under serviceAccounts and are added via addServiceAccountToGroup.

type Group {
  id: ID!
  name: String!
  description: String
  role: GroupRole!
  createdAt: DateTime!
  updatedAt: DateTime!
  policies(
    filter: PoliciesFilter
    sort: PoliciesSort
    cursor: Cursor
  ): PoliciesPage
  members(
    sort: GroupMembersSort
    cursor: Cursor
  ): AccountsPage
  invitations(
    sort: GroupInvitationsSort
    cursor: Cursor
  ): GroupInvitationsPage
  serviceAccounts(
    sort: ServiceAccountsSort
    cursor: Cursor
  ): ServiceAccountsPage
}

Fields

Group.id ● ID! non-null scalar {#id}

Unique identifier for this group.

Group.name ● String! non-null scalar {#name}

Human-readable name displayed in the UI and API responses.

Group.description ● String scalar {#description}

Optional text explaining the purpose of this group.

Group.role ● GroupRole! non-null enum {#role}

The access level this group grants to its members.

Group.createdAt ● DateTime! non-null scalar {#created-at}

When this group was created (UTC).

Group.updatedAt ● DateTime! non-null scalar {#updated-at}

When this group was last modified (UTC).

Group.policies ● PoliciesPage object {#policies}

Paginated list of ABAC policies attached to this group as the principal.

Group policies define what every member of the group can do across the organization.

Group.policies.filter ● PoliciesFilter input {#group-policies-filter}

Narrow the list by effect or action. Filters combine with AND.

Group.policies.sort ● PoliciesSort input {#group-policies-sort}

How to sort results. Defaults to oldest first.

Group.policies.cursor ● Cursor input {#group-policies-cursor}

Cursor from a previous page to fetch the next set of results.

Group.members ● AccountsPage object {#members}

Paginated list of human accounts that are members of this group.

Service accounts are exposed separately via serviceAccounts — pair both queries when rendering the full membership of a group.

Group.members.sort ● GroupMembersSort input {#group-members-sort}

How to sort results. Defaults to email ascending.

Group.members.cursor ● Cursor input {#group-members-cursor}

Cursor from a previous page to fetch the next set of results.

Group.invitations ● GroupInvitationsPage object {#invitations}

Paginated list of pending invitations to this group. Visible to organization admins only.

Pending invitations are users who have been invited by email but have not yet accepted. Once accepted, the row is replaced by a GroupMembership and no longer appears here. Non-admin callers receive null here with a top-level forbidden error so the rest of the response still resolves; viewers should query Viewer.invites for their own invitations.

Group.invitations.sort ● GroupInvitationsSort input {#group-invitations-sort}

How to sort results. Defaults to email ascending.

Group.invitations.cursor ● Cursor input {#group-invitations-cursor}

Cursor from a previous page to fetch the next set of results.

Group.serviceAccounts ● ServiceAccountsPage object {#service-accounts}

Paginated list of service accounts in this group.

Human accounts are exposed separately via members — pair both queries when rendering the full group membership.

Group.serviceAccounts.sort ● ServiceAccountsSort input {#group-service-accounts-sort}

How to sort results. Defaults to name ascending.

Group.serviceAccounts.cursor ● Cursor input {#group-service-accounts-cursor}

Cursor from a previous page to fetch the next set of results.

Returned By

group query

Member Of

GroupPayload object ● GroupsPage object ● Policy object