Skip to content

Groups

Groups are logical groupings of users used for notification and alerting within the Zaita platform. When an event occurs that requires attention — such as a Bridge going offline or a certificate renewal failing — the platform sends email notifications to all members of the group assigned to the affected resource.

Groups have no relation to role-based access control. Group membership does not grant or restrict any permissions. A user's access is determined solely by their assigned roles.

How Groups Are Used

Groups can be assigned to platform resources to control who receives notifications when issues arise. The following resource types support group assignments:

Bridges

The group assigned to a Bridge is notified when:

  • A Bridge goes offline or loses connectivity with the control plane.
  • A Bridge fails to complete a scheduled scan.
  • A Bridge requires attention, such as a manual update.

Target Systems

The group assigned to a Target System is notified when:

  • A certificate renewal fails on the target system.
  • A certificate deployment encounters an error.
  • A deployed certificate is approaching expiry without a pending renewal.

Couriers

The group assigned to a Courier is notified when:

  • A Courier loses connectivity or fails authentication.
  • A Courier encounters an error processing a request.

Default Groups

The platform provides a set of default groups that correspond to the built-in roles:

Default Group Description
Super Administrators Users responsible for overall platform administration
PKI Administrators Users responsible for Local PKI, integrations, and domain management
Deployment Administrators Users responsible for target systems, Bridges, and Couriers
Policy Administrators Users responsible for certificate policy management
Report Operators Users with reporting and dashboard access

Default groups are provided as a convenient starting point. They are not linked to role assignments — adding a user to the PKI Administrators group does not grant them the PKI Administrator role, and vice versa.

Creating Custom Groups

You can create custom groups to match your organisation's team structure or operational workflows. For example:

  • A Network Operations group for on-call engineers who need to respond to Bridge or connectivity alerts.
  • A Web Platform Team group assigned to target systems hosting your public-facing services.
  • A Security Team group assigned across multiple resources for broad visibility into certificate issues.

To create a custom group:

  1. Navigate to Admin → Groups in the web portal.
  2. Select Create Group.
  3. Enter a name and optional description for the group.
  4. Add users to the group.
  5. Save the group.

Once created, the group can be assigned to any Bridge, Target System, or Courier.

Managing Group Membership

Group membership is managed through the web portal:

  1. Navigate to Admin → Groups.
  2. Select the group to modify.
  3. Add or remove users as required.
  4. Save changes.

A user can belong to multiple groups simultaneously. Users will receive email notifications from every group they are a member of, so consider group assignments carefully to avoid excessive notifications.

Assigning Groups to Resources

To assign a group to a resource:

  1. Navigate to the resource's configuration page (e.g. CLM → Bridges, CLM → Target Systems, or CLM → Couriers).
  2. Select the resource to configure.
  3. Under the notification or group assignment section, select the group to assign.
  4. Save the configuration.

Each resource can have one or more groups assigned. When an event triggers a notification, all members of all assigned groups are notified.

Best Practices

  • Align groups with operational responsibility — assign groups based on who is responsible for responding to issues, not based on organisational hierarchy.
  • Avoid over-notifying — assign groups deliberately to prevent alert fatigue. Not every team needs visibility into every resource.
  • Use custom groups for cross-functional teams — the default groups mirror the built-in roles, but your notification needs may not align with role boundaries. Create custom groups to reflect how your teams actually operate.
  • Review group membership regularly — as team members change roles or leave the organisation, update group membership to ensure notifications reach the right people.