Skip to main content

Device groups

Device groups let you organize and manage access to your devices. A device group has a user-defined name (no space characters). It must be unique among device groups within a team.

You can assign users and devices to a device group. Users can see devices that are assigned to any of the same groups they are.

The nRF Cloud portal allows grouping, sorting, and filtering of device lists by device groups.


The Firmware Update (FOTA) service requires you to group the devices included in an update by assigning them to a device group.

Device access restriction

If no device groups are assigned to any devices or users, all users can access all devices.

You can use device groups alongside roles to define which users can access which devices. Roles are a general restriction while device groups are a more specific restriction.

Only a user with an admin role can assign groups to devices and users. Editor and viewer access to devices is restricted according to their role. Admins are never restricted.

Devices and users can have any number of groups assigned to them.

The rules of access to a device for a non-admin user depend on the groups assigned to the device and user, as shown in the table.

User's groupsDevice's groupsDevice visible to user?
nonegroup-Bno 2, except for4
group-Agroup-Bno3, except for4
group-A, group-Bgroup-B, group-Cyes3

(1) Any user can access a device that has no groups assigned.

(2) If that user has no device groups assigned, they cannot access a device that has any device groups assigned. They can only access devices with no groups assigned.

(3) If that user has any device groups assigned, they can access a device that has any of the same device groups assigned. They cannot access a device that has device groups but none of those groups match any groups assigned to the user. They can still access devices with no groups assigned.

(4) The exception is for Bluetooth LE devices: Since they are attached to a gateway that may handle any number of Bluetooth LE devices, it is important for all users to see all devices attached to a gateway. If the user can see the gateway (using the rules above), they can always see all devices attached to it, regardless of the device groups assigned to them. Access to those gateways and Bluetooth LE devices are limited by roles and device groups.

The REST API requests ListDevices and FetchDevice does not show any of the device's device groups that the requesting user is not assigned to.

An editor user is allowed to delete devices. The exception is when the device is a member of a group that the editor is not a member of, and that group has any users assigned to it. In that case, deletion is not allowed.

You can organize devices into groups without restricting user access, by giving all users the admin role, or by adding all device groups to all editor and viewer users.

An admin can restrict a device to admin-only access by assigning it to a device group that is not assigned to a non-admin.