# Security groups

A security group is a named collection of keys. Security groups are the unit your Signing Policy targets: each rule applies to "keys in group X." A key must belong to a security group before the Signing Policy can govern how it signs. A key in no group matches no rule and is blocked by the default deny-all baseline.

Use security groups to apply different signing rules to different sets of keys. For example, keep high-value withdrawal keys in one group with strict rules and lower-risk keys in another.

## Where to find them

Security groups live on the **Security Groups** sub-tab of the **Offchain Keys** page, alongside the **Keys** tab. The keys table also has a **Security Groups** column showing which groups each key belongs to.

## Create a security group

1. Open **Offchain Keys** and select the **Security Groups** tab.
2. Click **Create New** and choose **Create Security Group**.
3. Enter a **Group Name** (for example, `trading-bots`) and, optionally, a **Description**.
4. Under **Add Keys**, search for and select the keys to include. You can leave this empty and add keys later.
5. Click **Create New Group**.

A key can belong to more than one security group, so the same key can appear in several groups with different rules.

## Manage membership

To change a group's keys, open its row actions on the Security Groups tab, choose **Edit**, and add or remove keys. Membership changes are recorded in the audit log as **Keys Added to Security Group** and **Keys Removed from Security Group** events. You can also review a key's groups from the **Security Groups** column on the **Keys** tab.

## How security groups and Signing Policy fit together

The [Signing Policy](/guide/signing-policy/understanding) is an ordered list of rules evaluated for every signing request. Each rule can filter by security group: "for keys in group X, from users in group Y, take action Z." When a key is used to sign, the policy is evaluated against the groups that key belongs to. Organizing keys into security groups is what lets a single Signing Policy treat different keys differently.

A newly created group has no rules targeting it yet, so signing requests for its keys are denied until you add one. See [Configure a signing policy](/guide/signing-policy/configure).

## Edit or delete a group

From the Security Groups tab, use a group's row actions to **Edit** it (rename, change the description, or change its keys) or **Delete** it. Deleting a group removes the grouping only; the keys themselves are not deleted, but they are no longer matched by rules that targeted the deleted group.
