Group Access Control

The type of the currently logged-in user determines the group actions allowed to the user.

  • Before the user is not logged in, they cannot perform any group action. If the user tries to perform any action, they will get an error.

  • By default, a group member can read and write the data in the group.

  • Only a group owner is allowed to add and remove group members, assign a new group owner, and delete the group. If other users attempt to perform these actions, they will get an error.

  • When changing the group owner, a non-member can be assigned as the new owner. In this case, the new owner automatically becomes a member.

  • Any non-member can access groups themselves, such as getting an existing group with a URI and checking group members and the owner. Accessing buckets and KiiObjects in the group, however, is not allowed.

Permissions to take actions against the group are system-defined and cannot be modified. However, you can change permissions to take actions aginst buckets and objects in the group scope by using features described in Securing Data.

User not logged in User logged in Administrator
Anonymous user Non-group member Group member Group owner
Creating a new group - Yes Yes
Referencing an existing group - Yes Yes Yes Yes
Accessing data in the group scope *1 - - Yes Yes Yes
Adding and removing group members - - - Yes Yes
Changing the group owner - - - Yes Yes

*1 Subject to the ACL settings and the group actions.

Note: A thing (with its access token) cannot perform any group actions against a group that owns the thing.

You can perform all operations with the app administrator token. If you want to allow a non-group member to add a new member, you can create server code that uses the app administrator token to add a new group member and execute the server code manually (when using the server code, ensure adequate security).