Vault operators can create two types of groups in Vault. What are the two types?
A.
External groups
B.
Security groups
C.
Policy groups
D.
Internal groups
The Answer Is:
A, D
Explanation:
In HashiCorp Vault, operators can create two distinct types of groups in the identity store (the identity secrets engine): external groups and internal groups. Both kinds carry a set of policies; the difference is who controls membership. A group is a container for entities (and, for internal groups, other groups), and any policy attached to the group is granted to its members' tokens in addition to the policies attached to the entity and to the auth method role itself.
External Groups: These groups represent groups that live in an external identity provider such as LDAP or OIDC (OpenID Connect). The operator creates the Vault group with type=external and then creates a single group alias that binds it to a specific auth mount (by mount accessor) and to the group name reported by that provider. Membership is not set by hand: when a user logs in through that auth method, Vault reads the group names the method returns and adds the user's entity to the matching external groups, so policies follow the upstream directory automatically. This is the right choice for users who exist outside Vault's identity store but need access to Vault resources. The documentation states: "External groups are usually associated with an auth method, such as LDAP or OIDC."
Internal Groups: These are created and managed entirely within Vault's identity store (type=internal, the default). The operator adds entities and other groups as members through the identity API and attaches policies directly; Vault never changes this membership on its own. They are ideal when user management is entirely within Vault's ecosystem, for example to grant one policy set to a mix of machine entities and human entities from different auth methods, or to nest groups. The documentation explains: "Internal groups are created in the identity store and map to other groups or entities."
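The two group types above differ mainly in how membership is supplied. The following Python script is an added example (not part of the original question or of HashiCorp's own code) that drives Vault's HTTP identity API to create an internal group with a manually listed member and an external group bound to an LDAP auth mount through a group alias. It assumes a reachable Vault at VAULT_ADDR with a token in VAULT_TOKEN, an auth method already mounted at the path given by `LDAP_MOUNT`, and an upstream directory group named `vault-admins`; those names, the policy names and the entity name are assumptions for illustration. The payload-building functions are pure so they can be checked without a server.

```python
"""Create a Vault internal group and an LDAP-backed external group via the HTTP API.

Added example for illustration; endpoints used are identity/entity, identity/group,
identity/group-alias and sys/auth. Names and policies below are assumed values.
"""
import json
import os
import urllib.request

VAULT_ADDR = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")
VAULT_TOKEN = os.environ.get("VAULT_TOKEN", "root")  # assumption: `vault server -dev`
LDAP_MOUNT = os.environ.get("LDAP_MOUNT", "ldap")     # assumption: auth enabled at ldap/


def internal_group_payload(name, policies, member_entity_ids=(), member_group_ids=()):
    """Internal group: membership is managed in Vault, so members travel in the request."""
    return {
        "name": name,
        "type": "internal",
        "policies": list(policies),
        "member_entity_ids": list(member_entity_ids),
        "member_group_ids": list(member_group_ids),
    }


def external_group_payload(name, policies):
    """External group: no member lists. Membership is set by the auth method
    through a group alias, so only the name, type and policies are sent."""
    return {"name": name, "type": "external", "policies": list(policies)}


def group_alias_payload(external_group_id, mount_accessor, upstream_group_name):
    """Bind an external group to a group name reported by one auth mount.
    `name` must match what the auth method returns (e.g. the LDAP group name)."""
    return {
        "name": upstream_group_name,
        "mount_accessor": mount_accessor,
        "canonical_id": external_group_id,
    }


def find_mount_accessor(auth_mounts, mount_path):
    """Look up the accessor of an auth mount in the map returned by GET sys/auth.
    Keys in that map carry a trailing slash (e.g. "ldap/")."""
    return auth_mounts[mount_path.rstrip("/") + "/"]["accessor"]


def vault_request(method, path, body=None):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        f"{VAULT_ADDR}/v1/{path}",
        data=data,
        method=method,
        headers={"X-Vault-Token": VAULT_TOKEN, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else {}


def main():
    # Internal group: create an entity and list it as a member explicitly.
    entity = vault_request("POST", "identity/entity",
                           {"name": "ci-runner", "policies": ["ci-read"]})
    internal = vault_request("POST", "identity/group",
                             internal_group_payload("platform-internal", ["kv-read"],
                                                    member_entity_ids=[entity["data"]["id"]]))
    print("internal group id:", internal["data"]["id"])

    # External group: create it empty, then alias it to the LDAP mount's accessor.
    # Vault fills in membership when a user logs in with that LDAP group.
    auth = vault_request("GET", "sys/auth")
    accessor = find_mount_accessor(auth.get("data", auth), LDAP_MOUNT)
    external = vault_request("POST", "identity/group",
                             external_group_payload("ldap-admins", ["admin"]))
    vault_request("POST", "identity/group-alias",
                  group_alias_payload(external["data"]["id"], accessor, "vault-admins"))
    print("external group id:", external["data"]["id"], "aliased via", accessor)


if __name__ == "__main__":
    main()
```

Note the asymmetry the payload builders encode: an internal group's request carries member IDs, while an external group's request never does; its only link to users is the alias, and an external group can have only one alias, so one Vault group maps to one upstream group on one mount. If you mistakenly try to manage an external group's members by hand, check the group type first, because the membership will be overwritten by the auth method on the next login.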
Incorrect Options:
Security Groups: This term is not used for Vault group types. "Security group" is a cloud networking construct (for example in AWS or Azure) and does not name a category of groups in Vault's identity store.
Policy Groups: Policies in Vault define permissions, and policies are attached to groups and entities; there is no group type called a "policy group". The type field of an identity group accepts only internal or external.
The distinction between external and internal groups lets an operator mix federated identity (membership driven by LDAP, OIDC and similar auth methods) with membership curated inside Vault, aligning with Vault's design to support both internal and external identity systems.