# Assign Roles for Enterprise Groups

> Learn how to assign and remove roles for Enterprise Groups using the Auth0 Dashboard or Management API.

Auth0 allows you to assign and remove [roles](/docs/manage-users/access-control/rbac) for <Tooltip tip="System for Cross-domain Identity Management (SCIM): A standardized protocol for provisioning and managing user identities and groups across systems." cta="View Glossary" href="/docs/glossary?term=SCIM">SCIM</Tooltip>-provisioned Enterprise Groups using the Auth0 Dashboard or Management API. When roles are assigned to a group, all members inherit those roles when they log in. You can manage group roles at two scopes:

* **Organization Groups** — Enterprise Groups within a specific [Organization](/docs/manage-users/organizations). Requires [Auto-Membership](/docs/manage-users/organizations/configure-organizations/grant-just-in-time-membership) to be enabled on the enterprise connection for role inheritance to take effect.
* **Enterprise Groups** — Enterprise Groups scoped to your Auth0 tenant.

## Assign roles

### Organization Groups

Assign roles to SCIM-provisioned Enterprise Groups within an Organization. Enterprise Groups are synced from an enterprise identity provider (such as Okta or Microsoft Entra ID) via SCIM. When an Organization member logs in, they inherit any roles assigned to the Enterprise Groups they belong to.

The Organization's enterprise connection must have [Auto-Membership enabled](/docs/manage-users/organizations/configure-organizations/grant-just-in-time-membership) for group role inheritance to take effect. To learn more about how Enterprise Groups are provisioned, read [Configure Inbound SCIM](/docs/authenticate/protocols/scim/configure-inbound-scim#use-groups-with-organizational-roles).

<Tabs>
  <Tab title="Dashboard">
    1. Go to [Dashboard > Organizations](https://manage.auth0.com/#/organizations) and select the Organization.
    2. Select the **Groups** tab.
    3. Select the group you want to assign roles to.
    4. Select **Assign Roles**.
    5. Search for and select the roles you want to assign, then select **Assign**.

    The assigned roles appear in the group's details.
  </Tab>

  <Tab title="Management API">
    Make a `POST` call to the [Assign Organization Group Roles](/docs/api/management/v2) endpoint. You need the following information:

    | Parameter                    | Description                                                                                                                                     |
    | ---------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------- |
    | `org_id`                     | ID of the Organization.                                                                                                                         |
    | `group_id`                   | ID of the Enterprise Group.                                                                                                                     |
    | `role_id`                    | ID of the Organization role to assign. Repeat in the array to assign multiple roles at once.                                                    |
    | `YOUR_MGMT_API_ACCESS_TOKEN` | [Management API access token](/docs/secure/tokens/access-tokens/management-api-access-tokens) with the `create:organization_group_roles` scope. |

    ```bash wrap lines theme={null}
    curl --request POST \
      --url 'https://{YOUR_AUTH0_DOMAIN}/api/v2/organizations/{ORG_ID}/groups/{GROUP_ID}/roles' \
      --header 'authorization: Bearer YOUR_MGMT_API_ACCESS_TOKEN' \
      --header 'content-type: application/json' \
      --data '{ "roles": [ "ROLE_ID" ] }'
    ```

    A successful request returns a `204 No Content` response.
  </Tab>
</Tabs>

### Enterprise Groups

Assign roles to SCIM-provisioned Enterprise Groups. When a role is assigned to a group, all members of that group inherit the assigned role when they log in.

To learn how Enterprise Groups are provisioned from an enterprise identity provider, read [Configure Inbound SCIM](/docs/authenticate/protocols/scim/configure-inbound-scim).

<Tabs>
  <Tab title="Dashboard">
    1. Go to [Dashboard > User Management > Enterprise Groups](https://manage.auth0.com/#/groups).
    2. Select the group you want to assign roles to.
    3. Select the **Roles** tab, then select **Assign Roles**.
    4. Search for and select the roles you want to assign, then select **Assign**.

    The assigned roles appear in the group's **Roles** tab.
  </Tab>

  <Tab title="Management API">
    Make a `POST` call to the [Assign Roles to a Group](/docs/api/management/v2) endpoint. You need the following information:

    | Parameter                    | Description                                                                                                                   |
    | ---------------------------- | ----------------------------------------------------------------------------------------------------------------------------- |
    | `group_id`                   | ID of the Enterprise Group.                                                                                                   |
    | `role_id`                    | ID of the role to assign. Repeat in the array to assign multiple roles at once.                                               |
    | `YOUR_MGMT_API_ACCESS_TOKEN` | [Management API access token](/docs/secure/tokens/access-tokens/management-api-access-tokens) with the `update:groups` scope. |

    ```bash wrap lines theme={null}
    curl --request POST \
      --url 'https://{YOUR_AUTH0_DOMAIN}/api/v2/groups/{GROUP_ID}/roles' \
      --header 'authorization: Bearer YOUR_MGMT_API_ACCESS_TOKEN' \
      --header 'content-type: application/json' \
      --data '{ "roles": [ "ROLE_ID" ] }'
    ```

    A successful request returns a `204 No Content` response.
  </Tab>
</Tabs>

## Remove roles

### Organization Groups

Remove roles from SCIM-provisioned Enterprise Groups within an Organization. Once a role is removed, Organization members in that group will no longer inherit it when they log in.

The Organization's enterprise connection must have [Auto-Membership enabled](/docs/manage-users/organizations/configure-organizations/grant-just-in-time-membership) for group role inheritance to take effect.

<Tabs>
  <Tab title="Dashboard">
    1. Go to [Dashboard > Organizations](https://manage.auth0.com/#/organizations) and select the Organization.
    2. Select the **Groups** tab.
    3. Select the group you want to update.
    4. Locate the role you want to remove, then select the trash icon next to it.
    5. Confirm the removal.

    The role no longer appears in the group's details.
  </Tab>

  <Tab title="Management API">
    Make a `DELETE` call to the [Delete Organization Group Roles](/docs/api/management/v2) endpoint. You need the following information:

    | Parameter                    | Description                                                                                                                                     |
    | ---------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------- |
    | `org_id`                     | ID of the Organization.                                                                                                                         |
    | `group_id`                   | ID of the Enterprise Group.                                                                                                                     |
    | `role_id`                    | ID of the Organization role to remove. Repeat in the array to remove multiple roles at once.                                                    |
    | `YOUR_MGMT_API_ACCESS_TOKEN` | [Management API access token](/docs/secure/tokens/access-tokens/management-api-access-tokens) with the `delete:organization_group_roles` scope. |

    ```bash wrap lines theme={null}
    curl --request DELETE \
      --url 'https://{YOUR_AUTH0_DOMAIN}/api/v2/organizations/{ORG_ID}/groups/{GROUP_ID}/roles' \
      --header 'authorization: Bearer YOUR_MGMT_API_ACCESS_TOKEN' \
      --header 'content-type: application/json' \
      --data '{ "roles": [ "ROLE_ID" ] }'
    ```

    A successful request returns a `204 No Content` response.
  </Tab>
</Tabs>

### Enterprise Groups

Remove roles from SCIM-provisioned Enterprise Groups. Once a role is removed, group members will no longer inherit it when they log in.

<Tabs>
  <Tab title="Dashboard">
    1. Go to [Dashboard > User Management > Enterprise Groups](https://manage.auth0.com/#/groups).
    2. Select the group you want to update.
    3. Select the **Roles** tab.
    4. Locate the role you want to remove, then select the trash icon next to it.
    5. Confirm the removal.

    The role no longer appears in the group's **Roles** tab.
  </Tab>

  <Tab title="Management API">
    Make a `DELETE` call to the [Remove Roles from a Group](/docs/api/management/v2) endpoint. You need the following information:

    | Parameter                    | Description                                                                                                                   |
    | ---------------------------- | ----------------------------------------------------------------------------------------------------------------------------- |
    | `group_id`                   | ID of the Enterprise Group.                                                                                                   |
    | `role_id`                    | ID of the role to remove. Repeat in the array to remove multiple roles at once.                                               |
    | `YOUR_MGMT_API_ACCESS_TOKEN` | [Management API access token](/docs/secure/tokens/access-tokens/management-api-access-tokens) with the `update:groups` scope. |

    ```bash wrap lines theme={null}
    curl --request DELETE \
      --url 'https://{YOUR_AUTH0_DOMAIN}/api/v2/groups/{GROUP_ID}/roles' \
      --header 'authorization: Bearer YOUR_MGMT_API_ACCESS_TOKEN' \
      --header 'content-type: application/json' \
      --data '{ "roles": [ "ROLE_ID" ] }'
    ```

    A successful request returns a `204 No Content` response.
  </Tab>
</Tabs>
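
The four Management API calls above differ only in HTTP method, path, and required scope. The following added example (not Auth0's own code) collects them in one table and refuses to build a request when the token lacks the scope that call needs. It assumes the access token is a JWT with a space-delimited `scope` claim; `plan_request`, `token_scopes`, and `make_sample_token` are hypothetical helper names.

```python
import base64
import json
from urllib.parse import quote

# Operations documented on this page: (action, level) -> (method, path, required scope).
ORG_PATH = "/api/v2/organizations/{org_id}/groups/{group_id}/roles"
GROUP_PATH = "/api/v2/groups/{group_id}/roles"
OPERATIONS = {
    ("assign", "organization"): ("POST", ORG_PATH, "create:organization_group_roles"),
    ("remove", "organization"): ("DELETE", ORG_PATH, "delete:organization_group_roles"),
    ("assign", "tenant"): ("POST", GROUP_PATH, "update:groups"),
    ("remove", "tenant"): ("DELETE", GROUP_PATH, "update:groups"),
}


def token_scopes(access_token):
    """Read the space-delimited `scope` claim of a JWT (signature is NOT verified)."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return set(json.loads(base64.urlsafe_b64decode(payload)).get("scope", "").split())


def plan_request(domain, token, action, level, group_id, role_ids, org_id=None):
    """Build one request from this page, refusing a token that lacks its scope."""
    method, path, required = OPERATIONS[(action, level)]
    granted = token_scopes(token)
    if required not in granted:
        raise PermissionError(f"token lacks required scope {required!r}")
    if level == "organization" and not org_id:
        raise ValueError("org_id is required for Organization Groups")
    if not role_ids:
        raise ValueError("at least one role ID is required")
    path = path.format(org_id=quote(org_id or "", safe=""), group_id=quote(group_id, safe=""))
    return {
        "method": method,
        "url": f"https://{domain}{path}",
        "headers": {"authorization": f"Bearer {token}", "content-type": "application/json"},
        "body": json.dumps({"roles": list(role_ids)}),
        "expected_status": 204,  # the success response documented above
        "extra_scopes": sorted(granted - {required}),  # more than this call needs
    }


def make_sample_token(scope):
    """Constructed, unsigned token for this example only; not a real Auth0 token."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'scope': scope})}.sig"
```

Pass the returned dictionary to your HTTP client of choice. A non-empty `extra_scopes` list means the token carries more privileges than this call needs.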

## Learn more

* [Configure Inbound SCIM](/docs/authenticate/protocols/scim/configure-inbound-scim)
* [Grant Just-In-Time Membership to an Organization Connection](/docs/manage-users/organizations/configure-organizations/grant-just-in-time-membership)
* [Add Roles to Organization Members](/docs/manage-users/organizations/configure-organizations/add-member-roles)
* [Remove Roles from Organization Members](/docs/manage-users/organizations/configure-organizations/remove-member-roles)
* [Remove Roles from Users](/docs/manage-users/access-control/configure-core-rbac/rbac-users/remove-roles-from-users)
* [View Roles Assigned to Users](/docs/manage-users/access-control/configure-core-rbac/rbac-users/view-user-roles)
