Groups are the primary way that users are given access to Resources. Groups have three aspects to them:

1. A list of users that are members of the Group
2. A list of Resources that users in the Group are authorized to access
3. A single Access Policy that determines which Identity Provider authentication applies to access of any Resource in the Group.

Users, Resources and Access Policies may each be part of multiple roles.