Skip to main content

Add, edit or delete a system access group


System access groups are only available to on-premises customers. You must be a SuperAdmin to add a system access group.

To add a system access group:

  1. Select User menu > SuperAdmin > Groups.

  2. Select an existing group to edit, or select Add group to create a new group.


    To find groups you can use the quick filter dropdown or the search field in the top left, or use the up/down arrows at the top of each column to sort.

  3. Fill out the form with:

    • Group name: Choose something that reflects the purpose, permissions and capabilities you will assign to this group.

    • Type: Select System.


      You can also add an access group at an organization level. However, if you add access groups at a system level, you have the option of creating cross-organization groups.

      Cross-organization groups might be helpful if you have a security team that supports multiple business units that each have their own organization.

      Members of a cross-organization group are able to switch between organizations by selecting the name in the user menu.

    • System access: Select the organization you want this group to access.

    • Role: Select the system role you want the members of this group to have within the corresponding organization.

    • Select Add system access to add more organizations and roles.

  4. Next to Members, on the right, type ahead to select one or more users to assign to the group. Select the X to delete members.


    Users can belong to many groups. They don't have to be created within a particular organization in order to gain access to that organization.

  5. When you are finished, select Add to create the new group, or select Save if you are editing an existing group. The members you added to this group will now have permissions that correspond to their role.


    If users are assigned to two groups with conflicting roles for all applications or organizations, the role that provides the most restrictive access applies.

    Note that only organization and application level groups are visible to a user, if you are confused about your access level, it may be that stricter permissions have been imposed at a system level.

    However, a role assigned to a specific application overrides a role assigned to all applications, even if the application-specific role is more permissive than the role given to all applications.

    If a user is assigned to two custom groups that provide roles for the same application, the role with the least privilege applies.

    System, organization and application roles are listed in order from most to least permissive.

    In the following examples of conflicting role permissions, permissions in Group 2 take precedence.

    Group 1

    Group 2 (takes precedence)

    Application Editor for all applications

    Application Viewer for all applications

    Organization Viewer for all applications

    Application Administrator for the Red application

    RulesAdmin for the Red application

    No Access for the Red application


To delete a group, select User menu > SuperAdmin > Groups. Find the group you want to delete and select the Delete icon in that row.

Once this is confirmed, the group is removed and any access provided by that group is revoked from all users assigned to the group.