Learn how to create and assign Access groups to control what Records users can view.




Access groups are configurable groups that can be assigned to users to restrict their access to view records based on defined conditions. 


Specifically, access groups make it possible to expose certain records only to specific users based on shared user attributes. Groups could be created, for example, for departments, company roles, market regions, etc.


Assigning an access group to a user means that the user can only view records created by users who fulfill the conditions of the access group. If no access group is assigned, no restrictions are applied (default).


While you can create multiple access groups, each user can belong to only one group at a time. 

 

Use case: As a company that works with several agencies, you may want to prevent different agencies from viewing each other's Records.

This can be done by creating access groups based on an ‘Agency’ user attribute and then assigning the different agents to the respective access groups. See the Examples section. 


 

User attributes, Access groups, and User roles

  • User attributes. Input fields that can be set up to collect additional information about a user.

 

  • Access group. Based on user attributes, access groups can be configured and then assigned to users to restrict what records they can view.

 

  • User roles. Predefined categories that are assigned to users to grant different levels of permissions to access and manage features in the platform. 

 



Creating an Access group

Note: Before creating access groups, ensure you have already created user attributes. 
Learn about how to create user attributes here


Based on user attributes, you can build conditions that define what records a member of an access group can view. Access groups appear as a field in the Invite user form and User details panel. 



Hence, from the Access groups tab:


  1. Add and name a new field


  1. Configure the access group

This consists in setting up conditions based on user attributes, which defines whether a record is shown to the member of the access group.


If the user attributes of the record author fulfil the requirements of the access group, then, the record is shown.


Note: The conditions also apply to the viewing users' own records. 

If the user attributes of the user do not fulfill the conditions of the access group they are assigned to, they would not be able to see their own records. 


  1. Publish 



User match

User match is an option in the configuration of Access groups that allows to set up dynamic access groups.


As the name suggests, it works based on a 'matching' logic. Where: 


The user attributes of the record author must match the user attributes of the viewing user. If so, then the record is visible to the user.



You can use different operators to define 3 different levels of match:


Contains only - Exact match

The user attributes of the record author are equal to the user attributes of the (viewing) user.

 

Contains all - Superset

The user attributes of the record author are equal to the user attributes of the (viewing) user

OR

The user attributes of the record author are a superset of the user attributes of the (viewing) user.

 

Contains any - Subset

User attributes of the record author are equal to the user attributes of the (viewing) user

OR

The user attributes of the record author are a subset of the user attributes of the (viewing) user.


Record creatorViewing user
DK, UKDK, UK'Contains only' - Exact match
DK, UKDK'Contains all' - Superset
DK, UKDK, UK, SE'Contains any' - Subset




Assigning users to an Access group

Once you created access groups, they will appear as options in a dropdown field in both the User invite form and the User details panel. 


Now, you can navigate to the User page and start assigning both new users and existing ones.



Note: You cannot assign an access group to users with a manager or project manager role. 


Hence, for new users:


  1. Open the User invite form

Click ‘Invite user’ 


  1. Fill in the User invite form
    • Essential information
    • User attributes 
    • Access groups (If not assigned, no restrictions applies)
    • User role


  1. Invite


As for existing users:


  1. Open the user details panel

Locate the user > Click the more menu (…) > 'Edit user'


  1. Assign or edit an access group (If not assigned, no restriction apply)


  1. Save


Note: Restrictions also apply to users' own records. Consider the following scenario:

User has the user attribute: Market - Denmark
The user has been assigned to an access group with the following restriction: Market is UK

In this case, the assigned access group allows the user to view records created only by users whose user attributes 'Market' is 'UK'. However, since the user's own user attribute does not fulfill this criterion, he/she would be unable to see his/her own records. 




Examples

Example 1 - Without User match

We want to limit what records agents can view. Agent users should be able to see only the recors other agent users of the same agency created. 


Given that we already have the following user attributes: 


User attribute 1

Name: Is agent

Field type: checkbox (boolean)

Values: Checked value = true. Unchecked value = false.

 

User attribute 2

Name: Agency

Field type: dropdown

Values: AgencyABC. Media123.

Conditions: Required when 'Is agent' is checked.


Then, we need to create 2 access groups:


Access group 1

Name: AgencyABC

Condition: Is agent is checked AND Agency is Agency ABC

 

Access group 2

Name: Media123

Condition: Is agent is checked AND Agency is Media123

 

Finally, we can assign users to the two access groups either when inviting them or by editing their details. 



Detailed instructions (click here)

 

Hence, from the configuration of User attributes, switch to the 'Access groups' tab. Then:

 

  1. Add and name a new field

Click 'Add restrictions' > Name the field 'AgencyABC'.

 

  1. Configure the access group

This consists in defining the conditions for which the restrictions are applied:

 

Scope: All

Expression 1

User value to be evaluated: Is agent

Comparison expression: is checked

 

Expression 2

User value to be evaluated: Agency

Comparison expression: is 'Agency ABC'

 

  1. Repeat the same steps for Media123


  1. Publish

 

  1. Assign users

Navigate to the Users page and assign users that belong to the two different agencies to their respective access groups.

 

For example, let’s consider we are inviting ‘John’: 


  • Essential info: Email - john.doe@example.com
  • User attributes 
  • Is agent: Checked
  • Agency: AgencyABC
  • Access group: AgencyABC
  • User role: Editors

 

Note: Remember? You cannot assign access groups to managers.


In short, John will now only be able to see records created by agents from AgencyABC. 

 

Put differently, John can view only records created by users who fulfill the conditions of the access group ‘Agency ABC’. That is, their user attributes indicate they are agents and the agency is AgencyABC.


Note: Remember? The conditional requirements also apply to viewing users themselves. 

In this case, it means that if John were to have his user attributes updated to something other than 'Is agent - checked' and 'AgencyABC', he would not fulfill the condition of the 'AgencyABC' access group anymore and he would not be able to see the records he'll create.



Example 2 - Previous example with User match

The previous example can be simplified by using the User match feature.

 

Hence, given the same setup, we can create 1 dynamic access group instead of 2 by using User match:


Access group

Name: Agent - User match

Condition: Is agent is user match AND Agency is user match



When inviting John, only records created by other users matching his user attributes will be shown. 


With this, we obtain the same result as with the two different Access groups in the previous example. However, it is much more efficient as the restrictions are applied by matching the user attributes of the record author and the viewing user without having to define specific values. 


Note: User match also prevents the mentioned scenario where John is not able to see the records he created himself.