diff --git a/docs/production-deployment/cloud/get-started/api-keys.mdx b/docs/production-deployment/cloud/get-started/api-keys.mdx
index 2cf558ea07..a8f213b5cc 100644
--- a/docs/production-deployment/cloud/get-started/api-keys.mdx
+++ b/docs/production-deployment/cloud/get-started/api-keys.mdx
@@ -1,7 +1,7 @@
---
id: api-keys
-title: Manage API keys
-sidebar_label: Manage API keys
+title: Authenticate with API keys
+sidebar_label: Authenticate with API keys
description: Temporal Cloud supports secure programmatic access through API key authentication, ensuring user-level and RBAC-based authorization.
slug: /cloud/api-keys
toc_max_heading_level: 4
diff --git a/docs/production-deployment/cloud/get-started/billing-and-cost.mdx b/docs/production-deployment/cloud/get-started/billing-and-cost.mdx
index efe826bd0a..57a24bb983 100644
--- a/docs/production-deployment/cloud/get-started/billing-and-cost.mdx
+++ b/docs/production-deployment/cloud/get-started/billing-and-cost.mdx
@@ -1,7 +1,7 @@
---
id: billing-and-cost
title: Usage and Billing Management
-sidebar_label: Usage and Billing Management
+sidebar_label: Usage and billing
sidebar_position: 3
description: As an Account Owner, you can access and manage billing details anytime, with invoices available for download on the Billing page. Typical billing cycles begin on the first of the month (UTC).
slug: /cloud/billing-and-cost
diff --git a/docs/production-deployment/cloud/get-started/certificates.mdx b/docs/production-deployment/cloud/get-started/certificates.mdx
index a8c6438fa2..79c9083cc1 100644
--- a/docs/production-deployment/cloud/get-started/certificates.mdx
+++ b/docs/production-deployment/cloud/get-started/certificates.mdx
@@ -1,7 +1,7 @@
---
id: certificates
-title: Manage certificates
-sidebar_label: Manage certificates
+title: Authenticate with mTLS certificates
+sidebar_label: Authenticate with mTLS certificates
description: Temporal Cloud supports mTLS, which requires CA certificates for secure communication. Keep certificates updated to avoid disruptions in Workflow Execution. Manage and update certificates easily via the Temporal Cloud UI or tcld tool.
slug: /cloud/certificates
toc_max_heading_level: 4
diff --git a/docs/production-deployment/cloud/get-started/namespaces.mdx b/docs/production-deployment/cloud/get-started/namespaces.mdx
index 699e0325d8..61113ccd58 100644
--- a/docs/production-deployment/cloud/get-started/namespaces.mdx
+++ b/docs/production-deployment/cloud/get-started/namespaces.mdx
@@ -1,8 +1,8 @@
---
id: namespaces
-title: Manage Namespaces
-sidebar_label: Manage Namespaces
-description: A Namespace is an isolation unit within the Temporal Platform, providing security boundaries, Workflow management, unique identifiers, and gRPC endpoints in Temporal Cloud.
+title: Namespaces
+sidebar_label: Namespaces
+description: A Namespace is a unit of isolation within Temporal Cloud, providing security boundaries, Workflow management, unique identifiers, and gRPC endpoints in Temporal Cloud.
slug: /cloud/namespaces
toc_max_heading_level: 4
keywords:
@@ -11,15 +11,15 @@ keywords:
- introduction
- namespaces
- temporal cloud
- - term
tags:
+ - Concepts
- Namespaces
- Temporal Cloud
---
import { CaptionedImage, ZoomingImage } from '@site/src/components';
-A Namespace is a unit of isolation within the Temporal Platform.
+A Namespace is a unit of isolation within Temporal Cloud, providing security boundaries, Workflow management, unique identifiers, and gRPC endpoints in Temporal Cloud.
- [Create a Namespace](#create-a-namespace)
- [Access a Namespace](#access-namespaces)
diff --git a/docs/production-deployment/cloud/get-started/user-groups.mdx b/docs/production-deployment/cloud/get-started/user-groups.mdx
new file mode 100644
index 0000000000..b76b618a99
--- /dev/null
+++ b/docs/production-deployment/cloud/get-started/user-groups.mdx
@@ -0,0 +1,175 @@
+---
+id: user-groups
+title: Manage user groups
+sidebar_label: Manage user groups
+description: Learn how to manage user groups, members, and roles
+slug: /cloud/user-groups
+toc_max_heading_level: 4
+keywords:
+ - explanation
+ - how-to
+ - temporal cloud
+ - temporal cloud account
+ - user groups
+tags:
+ - Users
+ - User groups
+ - Security
+ - Temporal Cloud
+---
+
+## What are user groups?
+
+User groups can be used to help manage sets of users that should have the same
+access. Instead of separately assigning the same role to individual users, a user group can be
+created, assigned the desired roles, and then users added to the user group. This
+eases the toil of managing individual user permissions and can simplify access management. When
+a new role is needed, it can be added to the group once and all users' access will reflect the
+new role.
+
+User groups can be assigned both [account-level roles](/cloud/users#account-level-roles) and [namespace-level permissions](/cloud/users#namespace-level-permissions).
+
+One user can be assigned to many groups. In the event that a user's group memberships have multiple roles for the same resource, the user will have an effective role of the most permissive of the permissions. For example if `Group A` grants a read-only role to a namespace, but `Group B` grants a write role to a namespace then a user that belongs to both `Group A` and `Group B` would have the write role to the namespace.
+
+[Service accounts](/cloud/service-accounts) cannot be assigned to user groups.
+
+Only users with the Account Owner or Global Admin account-level [role](/cloud/users#account-level-roles) can manage user groups.
+
+## How SCIM groups work with user groups {#scim-groups}
+
+[SCIM groups](/cloud/scim) work similarly to user groups with respect to role assignment. Unlike a user group, the lifecycle of a SCIM group is fully managed by the SCIM integration which means:
+
+1. SCIM groups cannot be created except through the SCIM integration
+1. SCIM groups cannot be deleted except through the SCIM integration
+1. SCIM group membership is managed through the SCIM integration
+
+User groups and SCIM groups can be used simultaneously in a single Temporal Cloud account. One user may belong to multiple SCIM groups and to multiple user groups.
+
+Using user group and SCIM groups together can be useful when the groups defined in the identity provider (IDP) don't map cleanly to the access you need to grant in Temporal Cloud. Instead of having to update the IDP (which is often sensitive and time-consuming), you can use Temporal Cloud user groups to manage access.
+
+:::info
+
+All user group administration requires an Account Owner or Global Admin account-level [role](/cloud/users#account-level-roles).
+
+:::
+
+## How to create a user group in your Temporal Cloud account {#create-group}
+
+User group names must be 3-64 characters long and can only contain lowercase letters, numbers, hyphens, and underscores.
+
+
+
+
+
+1. Navigate to the [identities page](https://cloud.temporal.io/settings/identities)
+1. Click the Create Group button
+1. Name the group
+1. Assign an account-level role to the group (you can assign namespace-level permissions after the group is created)
+1. Click Save
+
+
+
+
+See the [`tcld` user-group create](/cloud/tcld/user-group/#create) command reference for details.
+
+
+
+See the [Terraform provider documentation](https://registry.terraform.io/providers/temporalio/temporalcloud/latest/docs/resources/group) for details.
+
+
+
+
+## How to assign roles to a user group {#assign-group-roles}
+
+
+
+
+To edit the account role of a group:
+ 1. Navigate to the [identities page](https://cloud.temporal.io/settings/identities)
+ 1. Find the group to edit (You can filter the list of identities to only show groups to find the relevant group by clicking the Groups tab on the table)
+ 1. Click Edit Group
+ 1. Click the Account Role dropdown
+ 1. Select a new account role
+ 1. Click Save
+
+To add namespace permissions to a group:
+ 1. Navigate to the [identities page](https://cloud.temporal.io/settings/identities)
+ 1. Find the group to edit (You can filter the list of identities to only show groups to find the relevant group by clicking the Groups tab on the table)
+ 1. Click Edit Group
+ 1. Click Add Namespaces
+ 1. Under Grant Access to a Namespace, search for the namespace you’d like to add permissions for
+ 1. Select the namespace
+ 1. Click the pencil to edit the permissions for the selected namespace
+ 1. Click Save
+
+To edit or remove namespace permissions from a group:
+ 1. Click Edit Group
+ 1. Click the pencil on a permission to edit it, or the trash can to delete it
+ 1. Click Save
+
+
+
+
+See the [`tcld` user-group set-access](/cloud/tcld/user-group/#set-access) command reference for details.
+
+
+
+See the [Terraform provider documentation](https://registry.terraform.io/providers/temporalio/temporalcloud/latest/docs/resources/group) for details.
+
+
+
+
+## How to manage users in a group {#assign-group-members}
+
+
+
+
+To add users to the group:
+ 1. Navigate to the [identities page](https://cloud.temporal.io/settings/identities)
+ 1. Find the group to edit (You can filter the list of identities to only show groups to find the relevant group by clicking the Groups tab on the table)
+ 1. Click Edit Group
+ 1. Under Members, search for the user you’d like to add
+ 1. Select the user
+ 1. Click Save
+To remove a user from the group:
+ 1. Click Edit Group
+ 1. Under Members, click the X next to the user you’d like to remove
+ 1. Click Save
+
+
+
+
+See the [`tcld` user-group add-users](/cloud/tcld/user-group/#add-users) and the [`tcld` user-group remove-users](/cloud/tcld/user-group/#remove-users) command reference for details.
+
+
+
+See the [Terraform provider documentation](https://registry.terraform.io/providers/temporalio/temporalcloud/latest/docs/resources/group) for details.
+
+
+
+
+## Delete a user group
+
+
+
+
+ 1. Navigate to the [identities page](https://cloud.temporal.io/settings/identities)
+ 1. Find the group to edit (You can filter the list of identities to only show groups to find the relevant group by clicking the Groups tab on the table)
+ 1. Click the dropdown next to the edit button
+ 1. Click Delete
+ 1. Confirm by clicking Delete
+
+
+
+
+See the [`tcld` user-group delete](/cloud/tcld/user-group/#delete) command reference for details.
+
+
+
+See the [Terraform provider documentation](https://registry.terraform.io/providers/temporalio/temporalcloud/latest/docs/resources/group) for details.
+
+
+
+
+
+
diff --git a/docs/production-deployment/cloud/index.mdx b/docs/production-deployment/cloud/index.mdx
index 3ac249991e..e51bc3cdc2 100644
--- a/docs/production-deployment/cloud/index.mdx
+++ b/docs/production-deployment/cloud/index.mdx
@@ -36,6 +36,7 @@ To create a Temporal Cloud account, sign up [here](https://temporal.io/get-cloud
- [Manage API keys](/cloud/api-keys)
- [Manage Namespaces](/cloud/namespaces)
- [Manage users](/cloud/users)
+ - [Manage user groups](/cloud/user-groups)
- [Manage billing](/cloud/billing-and-cost)
- [Manage Service Accounts](/cloud/service-accounts)
- [API key feature guide](/cloud/api-keys)
diff --git a/docs/production-deployment/cloud/manage-access/index.mdx b/docs/production-deployment/cloud/manage-access/index.mdx
new file mode 100644
index 0000000000..d1c42873e8
--- /dev/null
+++ b/docs/production-deployment/cloud/manage-access/index.mdx
@@ -0,0 +1,25 @@
+---
+id: index
+title: Account Access
+slug: /cloud/manage-access/
+description: Manage access to your Temporal Cloud account
+toc_max_heading_level: 3
+keywords:
+ - introduction
+ - temporal cloud
+tags:
+ - API
+ - Certificates
+ - Security
+ - Temporal Cloud
+ - User groups
+ - Users
+---
+
+Temporal Cloud offers several ways to manage access to your Temporal Cloud account.
+
+- [**Users**](/cloud/users) - Manage individual user accounts and permissions
+- [**User Groups**](/cloud/user-groups) - Organize users into groups for simplified access management
+- [**Service Accounts**](/cloud/service-accounts) - Configure service accounts for automated access
+- [**SAML**](/cloud/saml) - Configure SAML-based single sign-on integration
+- [**SCIM**](/cloud/scim) - Use your IDP to manage Temporal Cloud users and access via SCIM integration
diff --git a/docs/production-deployment/cloud/tcld/user-group.mdx b/docs/production-deployment/cloud/tcld/user-group.mdx
new file mode 100644
index 0000000000..f7b9a18613
--- /dev/null
+++ b/docs/production-deployment/cloud/tcld/user-group.mdx
@@ -0,0 +1,164 @@
+---
+id: user-group
+title: tcld user group command reference
+sidebar_label: user-group
+slug: /cloud/tcld/user-group/
+toc_max_heading_level: 4
+keywords:
+ - cli reference
+ - tcld
+tags:
+ - Temporal Cloud
+ - tcld
+ - User groups
+---
+
+The `tcld user-group` commands manage user groups in Temporal Cloud.
+
+Alias: `ug`
+
+- [tcld user-group add-users](#add-users)
+- [tcld user-group create](#create)
+- [tcld user-group delete](#delete)
+- [tcld user-group get](#get)
+- [tcld user-group list](#list)
+- [tcld user-group list-members](#list-members)
+- [tcld user-group remove-users](#remove-users)
+- [tcld user-group set-access](#set-access)
+
+## add-users
+
+The `tcld user-group add-users` command adds users to the specified user group in Temporal Cloud.
+You must set `--group-id` to specify the group to add users to.
+
+Alias: `au`
+
+The following flags control the behavior of the command.
+
+#### --group-id (-id)
+
+Specify the ID of the group to add users to.
+
+#### --user-email (-e)
+
+Specify the email of the user to add. This flag can be specified multiple times to add
+multiple users in one command
+
+
+## create
+
+Creates a user group.
+
+Alias: `c`
+
+The following flags control the behavior of the command.
+
+#### --display-name
+
+The display name of the group.
+
+#### --account-role
+
+The account role that the group should have. One of `admin`, `read`, `developer`, `owner`, `financeadmin`, `none`.
+
+#### --namespace-role (-nr)
+
+Specifies a namespace role that the group should have. Can be repeated multiple times to add
+multiple namespace roles to the group. Value is the form of `-` where the namspace ID is the full ID of the namespace and role is one of `admin`, `read`, or `write`. Example: `mynamespace.abc123-read` adds the read role for the `mynamespace.abc123` namespace.
+
+## delete
+
+Deletes the user group.
+
+Alias: `d`
+
+The following flags control the behavior of the command.
+
+#### --group-id (-id)
+
+Specify the ID of the group to delete.
+
+## get
+
+Gets the user group details.
+
+Alias: `g`
+
+The following flags control the behavior of the command.
+
+#### --group-id (-id)
+
+Specify the ID of the group to list.
+
+## list
+
+List the user groups in your Temporal Cloud account.
+
+Alias: `l`
+
+The following flags control the behavior of the command.
+
+#### --page-size (-s)
+
+The number of groups to list per page. Defaults to 10.
+
+#### --page-token (-p)
+
+The page token used when paginating through result pages.
+
+## list-members
+
+Lists all of the members of a group.
+
+Alias: `lm`
+
+The following flags control the behavior of the command.
+
+#### --group-id (-id)
+
+Specify the ID of the group to list.
+
+## remove-users
+
+Removes one or more users as members of the group.
+
+Alias: `ru`
+
+The following flags control the behavior of the command.
+
+#### --group-id (-id)
+
+Specify the ID of the group to remove users from.
+
+#### --user-email (-e)
+
+The email address of the user to remove from the group. This flag can be specified multiple times in order to remove multiple users with one command.
+
+## set-access
+
+This command sets the access roles that for a group. It follows the same conventions as the [create](#create) command by specifying an optional account role and 0 or more namespace roles.
+
+Alias: `sa`
+
+#### --group-id (-id)
+
+Specify the ID of the group to set access.
+
+#### --account-role
+
+The account role that the group should have. One of `admin`, `read`, `developer`, `owner`, `financeadmin`, `none`.
+
+#### --namespace-role (-nr)
+
+Specifies a namespace role that the group should have. Can be repeated multiple times to add
+multiple namespace roles to the group. Value is the form of `-` where the namspace ID is the full ID of the namespace and role is one of `admin`, `read`, or `write`. Example: `mynamespace.abc123-read` adds the read role for the `mynamespace.abc123` namespace.
+
+#### --append (-a)
+
+Will append namespace roles instead of replacing all existing roles already assigned. This allows namespace roles to be added without knowing what roles are already assigned to the group.
+
+#### --remove (-r)
+
+Will remove the given namespace roles instead of replacing all existing roles already assigned. This allows namespace roles to be removed without knowing what roles are already assigned to the group.
+
+
diff --git a/sidebars.js b/sidebars.js
index db695dc634..9d27f0d14d 100644
--- a/sidebars.js
+++ b/sidebars.js
@@ -338,12 +338,26 @@ module.exports = {
id: "production-deployment/cloud/get-started/index",
},
items: [
- "production-deployment/cloud/get-started/certificates",
- "production-deployment/cloud/get-started/api-keys",
"production-deployment/cloud/get-started/namespaces",
- "production-deployment/cloud/get-started/users",
+ "production-deployment/cloud/get-started/api-keys",
+ "production-deployment/cloud/get-started/certificates",
"production-deployment/cloud/get-started/billing-and-cost",
+ ],
+ },
+ {
+ type: "category",
+ label: "Account Access",
+ collapsed: false,
+ link: {
+ type: "doc",
+ id: "production-deployment/cloud/manage-access/index",
+ },
+ items: [
+ "production-deployment/cloud/get-started/users",
+ "production-deployment/cloud/get-started/user-groups",
"production-deployment/cloud/get-started/service-accounts",
+ "production-deployment/cloud/saml",
+ "production-deployment/cloud/scim",
],
},
{
@@ -434,8 +448,6 @@ module.exports = {
},
"production-deployment/cloud/worker-health",
"production-deployment/cloud/service-health",
- "production-deployment/cloud/saml",
- "production-deployment/cloud/scim",
"production-deployment/cloud/operation-api",
"production-deployment/cloud/terraform-provider",
{
@@ -483,6 +495,7 @@ module.exports = {
"production-deployment/cloud/tcld/nexus",
"production-deployment/cloud/tcld/request",
"production-deployment/cloud/tcld/user",
+ "production-deployment/cloud/tcld/user-group",
"production-deployment/cloud/tcld/version",
],
},