Appearance
Manage Groups
A Group is a per-Domain ReBAC principal collection. A Group is either manual (membership edited directly) or idp (membership pinned to an IdP claim value). plexctl group wraps /v1/admin/groups.
Prerequisites
- An authenticated session — see Log in with plexctl.
- The Domain UUID. For an IdP-synced Group, the IdP binding UUID — see Manage IdP bindings.
Steps
Create a Group
shell
# Manual Group
plexctl group create --domain <domain-uuid> \
--slug platform-admins --display-name "Platform admins" --source manual
# IdP-synced Group (membership follows the claim value)
plexctl group create --domain <domain-uuid> \
--slug sre --display-name "SRE" --source idp \
--idp-binding-id <binding-uuid> --claim-value sreThe manual/idp source is fixed at creation; only --display-name is mutable via plexctl group update <group-uuid> --display-name ….
Manage membership (manual Groups)
shell
plexctl group member add --group <group-uuid> --kind user --principal-id <user-uuid> --source manual
plexctl group member list --group <group-uuid>
plexctl group member remove --group <group-uuid> --kind user --principal-id <user-uuid>--kind is one of user, service_identity, or group. Membership source must match the parent Group's source.
Retire a Group
shell
plexctl group delete <group-uuid> --yesVerification
shell
plexctl group member list --group <group-uuid> --output json | jq 'length'See also
../../reference/cli/plexctl/group.md— every flag and exit code.../../contexts/identity/groups.md— resolver semantics and IdP-sync drift.