Add, edit or delete a system access group

Note

System access groups are only available to on-premises customers. You must be a SuperAdmin to add a system access group.

To add a system access group:

  1. Select User menu > SuperAdmin > Groups.

  2. Select an existing group to edit, or select Add group to create a new group.

    Tip

    To find groups you can use the quick filter drop-down or the search field in the top left, or use the up/down arrows at the top of each column to sort.

  3. Fill out the form including:

    • Group name: Choose something that reflects the purpose, permissions and capabilities you will assign to this group.

    • Type: Select System.

      Tip

      If you select Organization you can use this form to add an organization access group. If you create organization groups at a system level, you have the option of creating cross-organization groups.

      Cross-organization groups might be helpful if you have a security team that supports multiple business units that each have their own organization.

      Members of a cross-organization group are able to switch between organizations by selecting the name in the user menu.

    • System access: Select the organization you want this group to access.

    • Role: Select the system role you want the members of this group to have within the corresponding organization.

    • Select Add system access to add more organizations and roles.

  4. Next to Members, on the right, type ahead to select one or more users to assign to the group. Select the X to delete members.

    Note

    Users can belong to many groups. They don't have to be created within a particular organization in order to gain access to that organization.

  5. When you are finished, select Add to create the new group, or select Save if you are editing an existing group. The members you added to this group will now have permissions that correspond to their role.

    Important

    If users are assigned to two groups with conflicting roles for all applications or organizations, the role that provides the most restrictive access applies.

    Note that only organization and application level groups are visible to a user, if you are confused about your access level, it may be that stricter permissions have been imposed at a system level.

    However, a role assigned to a specific application overrides a role assigned to all applications, even if the application-specific role is more permissive than the role given to all applications.

    If a user is assigned to two custom groups that provide roles for the same application, the rule of least privilege applies.

    System, organization and application roles are listed in order from most to least permissive.

    In the following examples of conflicting role permissions, permissions in Group 2 take precedence.

    Group 1

    Group 2 (takes precedence)

    Application Editor for all applications

    Application Viewer for all applications

    Organization Viewer for all applications

    Application administrator for Red app

    RulesAdmin for the Red application

    No Access for the Red application

Tip

To delete a group, select User menu > SuperAdmin > Groups. Find the group you want to delete and select the trash can icon in that row.

Once this is confirmed, the group is removed and any access provided by that group is revoked from all users assigned to the group.