Roles can always be associated with single users. For Enterprise Edition users it is also possible to associate KKP roles with groups as passed via the OIDC login flow. This will assign the role to anyone who is authenticated with the specific group.
/api/v1/me API endpoint returns information about the groups that KKP is aware of.GroupProjectBinding CRD can be used to replicate the UI-based workflow.Group bindings can be configured from the “Groups” project panel.

From this view, new group bindings can be created via the “Add Group” button.

Be aware that group names are not further validated as KKP does not have access to a complete list of groups in the OIDC backend. This way, group permissions can be pre-provisioned even if no user with a specific group membership has signed into KKP yet.
The role associated with a group can be updated later on to reflect changes in responsibilities. Group bindings can later be removed from the list of bindings by deleting it from the list.
Be aware that as of KKP 2.21.0 (when this feature was introduced), there was no group support for MLA Grafana access yet. As of KKP 2.21.2 groups are supported in MLA Grafana.