Learn how to create and assign Access groups to control what Records users can view.
Access groups are configurable groups that can be assigned to users to restrict which records they can view, based on defined conditions.
Specifically, access groups make it possible to expose certain records only to specific users based on shared user attributes. Groups could be created, for example, for departments, company roles, market regions, etc.
Assigning an access group to a user means that the user can only view records created by users who fulfill the conditions of the access group. If no access group is assigned, no restrictions are applied (default).
While you can create multiple access groups, each user can belong to only one group at a time.
Use case: As a company that works with several agencies, you may want to prevent different agencies from viewing each other's Records. This can be done by creating access groups based on an ‘Agency’ user attribute and then assigning the different agents to the respective access groups. See the Examples section.
User attributes, Access groups, and User roles
User attributes. Input fields that can be set up to collect additional information about a user.
Access group. Based on user attributes, access groups can be configured and then assigned to users to restrict what records they can view.
User roles. Predefined categories that are assigned to users to grant different levels of permissions to access and manage features in the platform.
Creating an Access group
Note: Before creating access groups, ensure you have already created user attributes. Learn about how to create user attributes here.
Based on user attributes, you can build conditions that define what records a member of an access group can view. Access groups appear as a field in the Invite user form and User details panel.
Hence, from the Access groups tab:
- Add and name a new field
- Configure the access group
This consists of setting up conditions based on user attributes, which define whether a record is shown to a member of the access group.
If the user attributes of the record author fulfill the requirements of the access group, the record is shown.
Note: The conditions also apply to the viewing users' own records. If the user attributes of the user do not fulfill the conditions of the access group they are assigned to, they would not be able to see their own records.
- Publish
User match
User match is an option in the configuration of Access groups that lets you set up dynamic access groups.
As the name suggests, it works on a 'matching' logic:
The user attributes of the record author must match the user attributes of the viewing user. If so, then the record is visible to the user.
You can use different operators to define 3 different levels of match:
Contains only - Exact match
The user attributes of the record author are equal to the user attributes of the (viewing) user.
Contains all - Superset
The user attributes of the record author are equal to the user attributes of the (viewing) user.
OR
The user attributes of the record author are a superset of the user attributes of the (viewing) user.
Contains any - Subset
The user attributes of the record author are equal to the user attributes of the (viewing) user.
OR
The user attributes of the record author are a subset of the user attributes of the (viewing) user.
Record creator | Viewing user | Operator - match level |
DK, UK | DK, UK | 'Contains only' - Exact match |
DK, UK | DK | 'Contains all' - Superset |
DK, UK | DK, UK, SE | 'Contains any' - Subset |
Assigning users to an Access group
Once you have created access groups, they will appear as options in a dropdown field in both the User invite form and the User details panel.
Now, you can navigate to the User page and start assigning both new users and existing ones.
Note: You cannot assign an access group to users with a manager or project manager role.
Hence, for new users:
- Open the User invite form
Click ‘Invite user’
- Fill in the User invite form
- Essential information
- User attributes
- Access groups (If not assigned, no restrictions apply)
- User role
- Invite
As for existing users:
- Open the user details panel
Locate the user > Click the more menu (…) > 'Edit user'
- Assign or edit an access group (If not assigned, no restrictions apply)
- Save
Note: Restrictions also apply to users' own records. Consider the following scenario:
User has the user attribute: Market - Denmark
The user has been assigned to an access group with the following restriction: Market is UK
In this case, the assigned access group allows the user to view only records created by users whose user attribute 'Market' is 'UK'. However, since the user's own user attribute does not fulfill this criterion, he/she would be unable to see his/her own records.
Examples
Example 1 - Without User match
We want to limit what records agents can view. Agent users should be able to see only the records created by other agent users of the same agency.
Given that we already have the following user attributes:
User attribute 1
Name: Is agent
Field type: checkbox (boolean)
Values: Checked value = true. Unchecked value = false.
User attribute 2
Name: Agency
Field type: dropdown
Values: AgencyABC. Media123.
Conditions: Required when 'Is agent' is checked.
Then, we need to create 2 access groups:
Access group 1
Name: AgencyABC
Condition: Is agent is checked AND Agency is AgencyABC
Access group 2
Name: Media123
Condition: Is agent is checked AND Agency is Media123
Finally, we can assign users to the two access groups either when inviting them or by editing their details.
Detailed instructions
Hence, from the configuration of User attributes, switch to the 'Access groups' tab. Then:
- Add and name a new field
Click 'Add restrictions' > Name the field 'AgencyABC'.
- Configure the access group
This consists of defining the conditions under which the restrictions are applied:
Scope: All
Expression 1
User value to be evaluated: Is agent
Comparison expression: is checked
Expression 2
User value to be evaluated: Agency
Comparison expression: is 'AgencyABC'
- Repeat the same steps for Media123
- Publish
- Assign users
Navigate to the Users page and assign users that belong to the two different agencies to their respective access groups.
For example, suppose we are inviting ‘John’:
- Essential info: Email - john.doe@example.com
- User attributes
- Is agent: Checked
- Agency: AgencyABC
- Access group: AgencyABC
- User role: Editors
Note: Remember? You cannot assign access groups to managers.
In short, John will now only be able to see records created by agents from AgencyABC.
Put differently, John can view only records created by users who fulfill the conditions of the access group ‘AgencyABC’. That is, their user attributes indicate they are agents and the agency is AgencyABC.
Note: Remember? The conditional requirements also apply to viewing users themselves. In this case, it means that if John were to have his user attributes updated to something other than 'Is agent - checked' and 'AgencyABC', he would no longer fulfill the condition of the 'AgencyABC' access group and would not be able to see the records he creates.
Example 2 - Previous example with User match
The previous example can be simplified by using the User match feature.
Hence, given the same setup, we can create 1 dynamic access group instead of 2 by using User match:
Access group
Name: Agent - User match
Condition: Is agent is user match AND Agency is user match
When John is invited and assigned this access group, only records created by users whose user attributes match his own will be shown to him.
With this, we obtain the same result as with the two different Access groups in the previous example. However, it is much more efficient as the restrictions are applied by matching the user attributes of the record author and the viewing user without having to define specific values.
Note: User match also prevents the mentioned scenario where John is not able to see the records he created himself.
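The visibility rules from the User match section and the two examples, modelled in Python so they can be checked before an access group is published. This is an added illustration, not the platform's code or API: the function names, the condition tuples, the use of 'contains only' for the single-value attributes, and the choice that a missing attribute never matches are assumptions of this model.

```python
# Model of the record-visibility rules described above. Added illustration with
# hypothetical names; it is not the platform's implementation or API.

def as_set(value):
    """Treat single-value attributes (checkbox, dropdown) as one-element sets."""
    if value is None:
        return set()
    return set(value) if isinstance(value, (list, tuple, set)) else {value}

def user_match(author_value, viewer_value, operator="contains only"):
    # Compare one attribute of the record author with the viewing user's.
    author, viewer = as_set(author_value), as_set(viewer_value)
    if not author or not viewer:
        return False  # assumption of this model: a missing attribute never matches
    if operator == "contains only":  # exact match
        return author == viewer
    if operator == "contains all":   # author equals or is a superset of viewer
        return author >= viewer
    if operator == "contains any":   # author equals or is a subset of viewer
        return author <= viewer
    raise ValueError(f"unknown operator: {operator!r}")

def can_view(viewer, author, group):
    """True if `viewer` may see a record created by `author`.

    group is None (no access group assigned: no restrictions) or a list of
    conditions that must all hold (Scope: All). A condition is either
    (attribute, "is", value) or (attribute, "user match", operator).
    """
    if group is None:
        return True
    for attribute, kind, arg in group:
        if kind == "is":  # static condition, evaluated on the record author only
            ok = author.get(attribute) == arg
        elif kind == "user match":
            ok = user_match(author.get(attribute), viewer.get(attribute), arg)
        else:
            raise ValueError(f"unknown condition: {kind!r}")
        if not ok:
            return False
    return True

# Constructed sample data mirroring the examples on this page.
AGENCY_ABC = [("Is agent", "is", True), ("Agency", "is", "AgencyABC")]
AGENT_MATCH = [("Is agent", "user match", "contains only"),
               ("Agency", "user match", "contains only")]
MARKET_UK = [("Market", "is", "UK")]
john = {"Is agent": True, "Agency": "AgencyABC"}
mary = {"Is agent": True, "Agency": "Media123"}
```

Passing the same user as both viewer and author checks the own-records case: a static group can hide a user's own records after their attributes change, while the user-match group cannot.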