Group membership administration roles

The IamGroupAdmin role can be assigned to a user or a group on the scope of a group to allow them to manage membership of that group.

Note that:

  • The IamGroupAdmin role grants a user or a group the permission to add users to or remove users from a group. The role does not grant permission to manage roles and resources for the group.
  • In order for a user with the IamGroupAdmin role to add or remove users from a group, the user must also have the IamUser or IamViewer role that allows listing IAM users and groups within the organization.
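
The following audit sketch is an added example, not code from the product or its documentation. It checks a set of role assignments for IamGroupAdmin holders who lack IamUser or IamViewer and therefore cannot actually manage membership. The record shape, the principal names, the "org" scope label, and the rule that a role assigned to a group applies to each of its direct members are assumptions.

```python
from collections import defaultdict

# Roles the page names as allowing listing of IAM users and groups.
LISTING_ROLES = {"IamUser", "IamViewer"}

# Constructed sample data; the record shape is an assumption, not a product export format.
MEMBERS = {"group:ops": {"user:bob", "user:carol"}, "group:dev": {"user:dave"}}
BINDINGS = [  # (principal, role, scope)
    ("user:alice", "IamGroupAdmin", "group:dev"),
    ("user:alice", "IamViewer", "org"),
    ("group:ops", "IamGroupAdmin", "group:dev"),
    ("user:bob", "IamUser", "org"),
    ("user:erin", "IamGroupAdmin", "group:ops"),
]

def expand(principal, members):
    """Users a binding applies to: the user itself, or a group's direct members (assumed)."""
    if principal.startswith("group:"):
        return set(members.get(principal, ()))
    return {principal}

def audit_group_admins(bindings, members):
    """Per group, split IamGroupAdmin holders into effective and ineffective admins."""
    can_list = set()            # users holding IamUser or IamViewer
    admins = defaultdict(set)   # group scope -> users holding IamGroupAdmin on it
    for principal, role, scope in bindings:
        users = expand(principal, members)
        if role in LISTING_ROLES:
            can_list |= users
        elif role == "IamGroupAdmin":
            admins[scope] |= users
    return {
        group: {
            "effective": sorted(users & can_list),
            "ineffective": sorted(users - can_list),
        }
        for group, users in admins.items()
    }

if __name__ == "__main__":
    for group, result in sorted(audit_group_admins(BINDINGS, MEMBERS).items()):
        print(group, result)
```

The "effective" list is the set to review when asking who can change a group's membership; the "ineffective" list flags assignments that have no effect until a listing role is added.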