Managing Groups

Groups are containers for both users, permissions and other groups. To access the groups, select the Groups tab.

The buttons in the toolbar allows you to create and delete new groups.

Selecting a group in the list allows you to view and edit details of the group.

Members tab

The Members tab shows all members of the selected group recursively, i.e. all users and groups that belong to the selected group, at any level. The Member Via column shows the immediate child of the selected group that the row belongs to. If Member Via is empty, the row is an immediate child of the selected group, and it can also be removed as a child, indicated by the delete button at the far right of the row.

In the example above, all groups belong to the root group All for convenience. Admin, Back Office Group, Front Office Group etc. are listed at the top, with Member Via being blank, indicating that they belong directly to All.

Administrator, batch, superuser etc. are also members of All, but Member Via displays Admin which means that these users are member of All because Admin is a member of All.

Because of the flexibility of the group structure, a user or group can be member of a group in more than one way. In such cases, all the relations between the member and the parent are shown in the same row.

Further, if the user (or group) is an immediate member of the selected group, and member via one or more intermediate groups, this is displayed over two rows.

  • One row for the immediate membership, that can be deleted.
  • A second row for all the indirect relationships via intermediate groups, that cannot be deleted.


Member Of

The Member Of tab shows all the selected group's memberships recursively, i.e. all groups that the selected group belongs to, at any level.

The Member Via column displays the immediate parent group that links to the displayed parent (Name). If the selected group is an immediate child of the displayed parent, Member Via is empty, and the relationship can be deleted using the delete button at the far right of the row.

If the selected group is member of a group because of relations with more than one intermediate groups, all groups are displayed on the same row.

In the example above, Management is member of Back Office Group, Front Office Group and Middle Office Group, which in turn are all member of the All group. This is displayed on the last row, indicating that Management is member of All via multiple relations.

If Management is also a direct member of All, this relation is displayed on a separate row, that can be deleted.


Effective Permissions

The Effective Permissions tab displays all permissions assigned to the selected group, or any of its parent groups.

The Permitted By column shows the parent group or groups that provide the permission. If Permitted By is blank, the permission is assigned directly to the selected group.

If a permission is assigned via relation to multiple parent groups, all parent groups are shown in Permitted By on the same row.

If the permission is also assigned directly to the selected group, it will also show up on a separate row that can be deleted.

📘

If you have many groups with duplicated effective permissions this is an indication that your permission structure is not fully normalized. See Modeling permissions with roles for best practices on modeling a permission structure.