# Manage groups and permissions

Create and manage user groups to control access permissions and simplify user selection across your workspace applications.

## Group creation and management

### Creating workspace groups

Workspace administrators can create necessary groups using the "Groups" app:

* **Organizational structure** - create groups that reflect your team or project structure
* **Functional roles** - establish groups based on job functions or responsibilities
* **Project teams** - create temporary groups for specific projects or initiatives

### Group assignment

Assign workspace participants to appropriate groups:

* **User categorization** - organize users by role, department, or project
* **Permission foundation** - use groups as the basis for access control
* **Flexible membership** - allow users to belong to multiple groups as needed

## Permission levels

### Granular access control

Define permissions at multiple levels to ensure precise access control:

#### Per-app permissions

* **Application access** - control which users can access specific applications
* **Feature restrictions** - limit functionality within applications based on user groups
* **Data visibility** - determine what data users can see within each app

#### Per-record permissions

* **Record-level access** - control access to individual records within applications
* **Ownership-based access** - restrict access based on record ownership or assignment
* **Collaborative access** - allow shared access to records for team collaboration

#### Per-field permissions

* **Field-level security** - control access to specific fields within records
* **Sensitive data protection** - restrict access to confidential or sensitive information
* **Edit permissions** - determine which fields users can view vs. modify

## Action-based permissions

### Precondition configuration

Permissions for performing specific actions are defined in app configurations:

* **Customizable rules** - modify action permissions to match your team's workflow
* **Group-based requirements** - require users to be in specific groups to perform actions
* **Example**: the tasks app can require users to be in the "Supervisors" group to "Re-open" tasks

### Workflow integration

* **Process control** - ensure only authorized users can perform critical actions
* **Quality assurance** - require approval or review for certain operations
* **Compliance** - enforce organizational policies through permission requirements

## User selection restrictions

### Field-level restrictions

Groups are used to restrict user selection in lookup fields:

* **Targeted selection** - limit user choices to relevant groups
* **Role-based filtering** - show only appropriate users for specific fields
* **Example**: a "QA assignee" field could be restricted to users in the "QA team" group only

### Benefits of restricted selection

* **Improved accuracy** - reduce errors by limiting choices to appropriate users
* **Workflow efficiency** - simplify user assignment processes
* **Clear responsibilities** - make it obvious which users are responsible for specific tasks
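
A minimal model of the two group checks described above: the "Supervisors" precondition on "Re-open" and the "QA assignee" lookup limited to the "QA team" group. This is an added example, not the product's configuration format or API; the data structures, function names and the deny-by-default choice are assumptions, and the users are constructed sample data.

```python
# Hypothetical model of group-based action preconditions and lookup-field
# restrictions. Nothing here is the product's own schema or API.

# Constructed sample data: group name -> member user names.
GROUPS = {
    "Supervisors": {"alice"},
    "QA team": {"bob", "carol"},
}

# (app, action) -> groups allowed to perform it.
ACTION_PRECONDITIONS = {
    ("tasks", "Re-open"): {"Supervisors"},
}

# (app, lookup field) -> group whose members may be selected.
LOOKUP_RESTRICTIONS = {
    ("tasks", "QA assignee"): "QA team",
}


def groups_of(user):
    """Return the set of group names the user belongs to."""
    return {name for name, members in GROUPS.items() if user in members}


def can_perform(user, app, action):
    """Deny by default: an action with no configured precondition is refused
    (an assumption of this model, following least privilege)."""
    required = ACTION_PRECONDITIONS.get((app, action))
    if not required:
        return False
    return bool(groups_of(user) & required)


def lookup_candidates(app, field):
    """Users offered in the picker for a restricted lookup field.
    Fields without a configured restriction return no candidates here."""
    group = LOOKUP_RESTRICTIONS.get((app, field))
    return sorted(GROUPS.get(group, set())) if group else []


def validate_lookup_value(app, field, selected_user):
    """Re-check the submitted value against the same group on write, so the
    restriction does not depend on the picker having filtered the choices."""
    return selected_user in lookup_candidates(app, field)
```
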

## Step-by-step examples

## Best practices

### Group design

* **Clear purpose** - define the specific purpose and scope of each group
* **Logical organization** - align groups with your organizational structure
* **Regular review** - periodically assess group membership and effectiveness

### Permission strategy

* **Principle of least privilege** - grant only necessary permissions to each group
* **Documentation** - maintain clear records of group purposes and permissions
* **Testing** - verify permissions work as expected before deploying to production

### Security considerations

* **Access audits** - regularly review group memberships and permissions
* **Change management** - implement processes for permission modifications
* **Monitoring** - track permission usage and identify potential issues

Effective group and permission management ensures users have appropriate access to perform their work while maintaining security and data integrity across your workspace.

## Related

* [Permissions matrix](/admin-guide/workspace-admin/permissions-matrix.md) - complete reference of permission levels and common access patterns
* [User permissions (end-user guide)](/user-guide/common-features/user-permissions.md) - how permissions look from the end-user perspective
* [ACL evaluation order](/admin-guide/system-admin/acl-evaluation-order.md) - how the four access control layers are evaluated
