
Organizing devices in nRF Cloud

Device groups let you organize and manage access to your devices. A device group contains devices with the same user-defined tag. The tag and group name are the same, and must be unique among device groups within a team. Tags cannot contain whitespace characters.

A team owner or admin can assign access by group to editors and viewers. You can add group permissions when you send a new user invite, or from the Team page in the portal at any other time. Users can see devices that are assigned to any groups they have access to.

Note

Device groups and tags are separate from provisioning groups and tags, and apply to devices onboarded directly to nRF Cloud.

You can also use device groups to define targets for firmware updates.

Device access restriction

If no device groups are assigned to any devices or users, all users in the team can access all devices.

You can combine device groups with roles to define which users can access which devices. Roles are a general restriction, while device groups are a more specific restriction.

Access

Only admins and the team owner can assign groups to devices and users. Editor and viewer access to devices is restricted according to role. Admins and owners are never restricted.

Devices and users can have any number of groups assigned to them.

The rules of access to a device for a non-admin depend on the groups assigned to the device and user, as shown in the following table.

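| User's groups    | Device's tags    | Device visible to user? |
|------------------|------------------|-------------------------|
| none             | none             | yes (1)                 |
| group-A          | none             | yes (1)                 |
| none             | group-B          | no (2), except for (4)  |
| group-A          | group-B          | no (3), except for (4)  |
| group-A, group-B | group-B, group-C | yes (3)                 |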

(1) Any user can access a device that has no tags assigned.

(2) If a user has no device groups assigned, they cannot access any devices that have tags assigned. They can only access devices with no tags.

(3) If a user has any device groups assigned, they can access devices in those groups. They cannot access devices outside of those groups. They can still access devices with no tags assigned.

(4) The exception is for Bluetooth® Low Energy (LE) devices. Because they are attached to a gateway that can handle any number of Bluetooth LE devices, it is important for all users to see all devices attached to a gateway. If a user can see the gateway (using the rules above), they can always see all devices attached to it, regardless of the device groups assigned to them. Access to those gateways and Bluetooth LE devices is limited by roles and device groups.
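The table and notes (1) to (4) can be checked against a planned group layout with a small model like the following. This is an added example, not nRF Cloud code or its API: the `Device` class, the role strings, the function names and the sample fleet are assumptions, and the Bluetooth LE exception is modeled as additive (a device is visible through its own tags or through a gateway the user can see).

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Assumed role strings; the page says admins and owners are never restricted.
UNRESTRICTED_ROLES = {"owner", "admin"}

@dataclass(frozen=True)
class Device:
    device_id: str
    tags: FrozenSet[str] = frozenset()
    gateway: Optional["Device"] = None  # set only for Bluetooth LE devices

def tag_rule_allows(user_groups, device_tags) -> bool:
    """Table rows without the Bluetooth LE exception."""
    if not device_tags:
        return True  # note (1): untagged devices are visible to any user
    # notes (2) and (3): the user needs at least one of the device's tags
    return bool(set(user_groups) & set(device_tags))

def device_visible(role, user_groups, device) -> bool:
    if role in UNRESTRICTED_ROLES:
        return True
    if tag_rule_allows(user_groups, device.tags):
        return True
    # note (4): a Bluetooth LE device is visible if its gateway is visible
    gw = device.gateway
    return gw is not None and tag_rule_allows(user_groups, gw.tags)

def audit(role, user_groups, devices):
    """Return the sorted IDs of the devices this user can see."""
    return sorted(d.device_id for d in devices
                  if device_visible(role, user_groups, d))

# Constructed sample fleet (hypothetical device IDs).
GATEWAY = Device("gw-1", frozenset({"group-A"}))
FLEET = [
    Device("untagged"),
    Device("tagged-b", frozenset({"group-B"})),
    Device("tagged-bc", frozenset({"group-B", "group-C"})),
    GATEWAY,
    Device("ble-1", frozenset({"group-B"}), gateway=GATEWAY),
]

if __name__ == "__main__":
    for groups in (set(), {"group-A"}, {"group-A", "group-B"}):
        print(sorted(groups), "->", audit("viewer", groups, FLEET))
```

Running it shows that `ble-1`, tagged only `group-B`, becomes visible to a `group-A` viewer through the gateway, which is the case to check when a tag is meant to hide devices.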

The REST API endpoints ListDevices and FetchDevice do not show any of the device's groups that the requesting user is not assigned to. However, the ListMessages endpoint, when no filtering parameters are included, returns messages for all devices associated with an account. This includes devices the user does not have explicit permission to access through device groups.

An editor is allowed to delete devices. The exception is when the device is a member of a group that the editor is not a member of, and that group has any users assigned to it. In that case, deletion is not allowed.

You can organize devices into groups without restricting user access by giving all users the admin role, or by adding all device groups to all editors and viewers.

An admin can restrict a device to admin-only access by re-assigning it to a device group that is accessible only to admins and owners.

Device message restriction

Device messages and alerts are not filtered according to device group. A user on a team can view messages and alerts associated with devices they do not otherwise have access to.

If you want to keep messages hidden for a group of devices, create a separate team for these devices and invite only those users you want to have access.

FOTA

The Firmware Update (FOTA) service uses device groups to determine update targets. Before you create an update job, assign a tag to the devices you want to target.
