Groups
Groups simplify permission management by bundling roles together. Instead of assigning roles to each user individually, you assign roles to a group and add users to that group. Groups also support nesting — a group can contain child groups for hierarchical role inheritance.
Accessing Groups
Navigate to Identity > Groups to access the group management interface.
The list shows all groups in the current tenant:
| Column | Description |
|---|---|
| Group Name | The unique name of the group |
| Description | Optional description of the group's purpose |
Toolbar Actions
| Button | Description |
|---|---|
| New Group | Create a new group |
| Search | Filter groups by name or description |
| Export to Excel | Export the group list to an Excel file |
| Export to PDF | Export the group list to a PDF file |
| Refresh Data | Reload the group list |
Row and Context Actions
| Action | Description |
|---|---|
| Edit | Open the group in the edit form |
| Delete | Delete the group (context menu, with confirmation) |
Default Group: TenantOwners
Every new tenant comes with a TenantOwners group that contains all 10 default roles. Administrators provisioned via admin provisioning are automatically added to this group.
Creating a Group
Click New Group to open the group creation form.
Group Information
| Field | Required | Description |
|---|---|---|
| Group Name | Yes | Unique name for the group |
| Description | No | Description of the group's purpose |
Role Assignments
The Assigned Roles field lets you select which roles members of this group will receive. All members (users and child groups) inherit these roles.
Member Users
The Assigned Users field lets you add users as direct members of this group.
Child Groups
The Member Groups field lets you nest other groups inside this group. Members of child groups inherit the roles of the parent group as well.
Use child groups to build a role hierarchy. For example, an "Engineering Leads" group nested inside an "Engineering" group inherits all Engineering roles plus its own additional roles.
Click Save to create the group or Cancel to discard.
Editing a Group
Click Edit on a group row to open the edit form. The Group Name is read-only in edit mode. All other fields can be modified.
Deleting a Group
Right-click a group and select Delete. Confirm the deletion in the dialog.
Deleting a group removes all role assignments for its members. Users who only received their roles through this group will lose those permissions immediately.
How Role Inheritance Works
When a user belongs to a group, they automatically receive all roles assigned to that group. If the group contains child groups, the inheritance is resolved recursively (up to 10 levels deep):
Group "Operations"
├── Roles: DashboardViewer, ReportingViewer
├── Members: bob
└── Child Group: "Operations Leads"
    ├── Roles: DashboardManagement, ReportingManagement
    └── Members: alice
| User | Effective Roles |
|---|---|
| bob | DashboardViewer, ReportingViewer |
| alice | DashboardViewer, ReportingViewer, DashboardManagement, ReportingManagement |
alice receives roles from both the "Operations Leads" group (direct membership) and the "Operations" group (parent of her group).
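The resolution rule above can be modelled to audit effective roles and to preview what a group deletion would revoke. This is an added example, not the product's own code: the `GROUPS` structure and function names are hypothetical, the sample data is constructed from the "Operations" example, and it assumes the 10-level limit counts nesting levels below the group whose roles are inherited and that child groups survive when their parent is deleted.

```python
MAX_DEPTH = 10  # nesting limit stated on this page

# Constructed sample data mirroring the "Operations" example above.
GROUPS = {
    "Operations": {
        "roles": {"DashboardViewer", "ReportingViewer"},
        "users": {"bob"},
        "children": {"Operations Leads"},
    },
    "Operations Leads": {
        "roles": {"DashboardManagement", "ReportingManagement"},
        "users": {"alice"},
        "children": set(),
    },
}

def effective_roles(groups, max_depth=MAX_DEPTH):
    """Return {user: set of roles} after resolving nested groups."""
    result = {}
    for name, group in groups.items():
        # Roles of `name` flow to its own users and to the users of every
        # descendant group, level by level, until the depth cap is reached.
        seen, frontier, depth = {name}, [name], 0
        while frontier and depth <= max_depth:
            next_level = []
            for current in frontier:
                for user in groups[current]["users"]:
                    result.setdefault(user, set()).update(group["roles"])
                for child in groups[current]["children"]:
                    # `seen` stops a nesting cycle from looping forever.
                    if child in groups and child not in seen:
                        seen.add(child)
                        next_level.append(child)
            frontier, depth = next_level, depth + 1
    return result

def deletion_impact(groups, doomed):
    """Return {user: roles lost} if the group `doomed` were deleted."""
    before = effective_roles(groups)
    remaining = {
        name: {**g, "children": g["children"] - {doomed}}
        for name, g in groups.items() if name != doomed
    }
    after = effective_roles(remaining)
    lost = {user: roles - after.get(user, set()) for user, roles in before.items()}
    return {user: roles for user, roles in lost.items() if roles}
```

Running `deletion_impact` before a delete shows which users would be left with fewer roles, or none, once the group is gone.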
Best Practices
- Use groups for role assignment: Avoid assigning roles directly to users. Groups make it easier to manage permissions as your team grows
- Use descriptive names: Choose group names that reflect the team or function (e.g., "Engineering", "Operators", "Viewers")
- Keep the hierarchy shallow: While nesting up to 10 levels is supported, 2-3 levels is usually sufficient
- Use the TenantOwners group for administrators: Add administrators to the existing TenantOwners group rather than creating a new admin group