Identity and Access Management (IAM) group has too many members (Manual)


Alert when an IAM group has more than your specified maximum number of members. Reduce the number of group members to be less than your specified maximum number of members. IAM group membership frequently grants access to resources and features. Groups that have too many members might represent overly permissive privileges given to too many users.


From Console:

  1. Log in to the OCI console.
  2. Select Identity from Services menu.
  3. Select Groups from Identity menu, or select Domains, select a domain, and select Groups.
  4. Click the name of a group with too many members.
  5. Check the box next to any users to remove from the group.
  6. Click Remove user from group.
  7. Click Remove user from group to confirm the removal.
  8. Repeat steps 3-7 for all groups with too many members.

From CLI:

  1. Execute the following command to locate IDs of users belonging to a group:

    oci iam group list-users --group-id <group_id> --query 'data[].{"ID":id,"Name":name}' --output table

  2. For each group with too many members, execute the following command to remove a user from the group:

    oci iam group remove-user --group-id <group_id> --user-id <user_id>
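
To find which groups need this remediation, the following added example (not part of the original page) reuses the `list-users` command above to count members per group and report every group over the maximum. The function names, the `MAX_MEMBERS` variable and its default of 10 are assumptions; group OCIDs are read from standard input, one per line.

```shell
#!/bin/sh
# Added example: report IAM groups whose member count exceeds a maximum.
# MAX_MEMBERS and both function names are illustrative, not OCI settings.

MAX_MEMBERS="${MAX_MEMBERS:-10}"   # assumed threshold; set to your own maximum

# count_members GROUP_ID: print the number of users in the group.
count_members() {
    # JMESPath length() turns the user list into a count. stdin is
    # redirected so the CLI cannot consume the caller's list of group IDs.
    n=$(oci iam group list-users --group-id "$1" \
            --query 'length(data)' </dev/null) || return 1
    # Assumption: empty output means no members were returned.
    printf '%s\n' "${n:-0}"
}

# groups_over_limit: read group OCIDs on stdin and print "<group_id> <count>"
# for each group above MAX_MEMBERS. Returns 2 if any lookup failed, so an
# incomplete audit is never mistaken for a clean one.
groups_over_limit() {
    rc=0
    while IFS= read -r gid; do
        [ -n "$gid" ] || continue            # skip blank lines
        if ! count=$(count_members "$gid"); then
            printf 'lookup failed: %s\n' "$gid" >&2
            rc=2
            continue
        fi
        # Reject anything that is not a plain non-negative integer.
        case $count in
            ''|*[!0-9]*) printf 'unexpected count for %s\n' "$gid" >&2
                         rc=2; continue ;;
        esac
        if [ "$count" -gt "$MAX_MEMBERS" ]; then
            printf '%s %s\n' "$gid" "$count"
        fi
    done
    return $rc
}
```

Pipe a file of group OCIDs into `groups_over_limit`, then review each reported group's members before running the `remove-user` command shown above.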