User Groups Overview

A user group is a collection of permission sets that determine access to objects for a group of users. Users that should be afforded the same access to an object are added to user groups in the appropriate workspace or project. A user group can be assigned to a workspace, project, portfolio, report, file, idea, custom log, or program.

How are user groups inherited?

User groups are owned by a workspace, which means that they can be inherited by workspaces and projects below the owning workspace in the hierarchy. The owning workspace for a user group is the workspace in which it was created or, for a user group created in a project, the owning workspace of that project. The owning workspace does not control access; it determines where the user group becomes available to be assigned.

User groups created at the workspace level are automatically inherited by child workspaces and projects, where they are available to be modified and assigned as needed. User groups created at the project level will only be available to that project.

Since workspace user groups are inheritable and customizable, they should be created as high in the workspace hierarchy as possible so that they are available to be assigned in all child workspaces and their projects.

How are users added to user groups?

Users are assigned to user groups at the workspace or project where they should gain access. For example, if you assign User A to User Group 1 in Workspace X, then User A will gain access to Workspace X and its child workspaces. This assignment does not grant User A access to the objects that User Group 1 is assigned to in the parent workspace of Workspace X.

Can users be added to more than one user group?

Yes. A user in multiple user groups assigned to the same object has access to that object with all permissions assigned by the user groups of which they are a member. For example, if they are granted the Add Project privilege in one user group that they are assigned to but not another, they will still be granted the Add Project privilege.

Do user groups grant access as soon as they are created and users are added?

No. User groups need to be directly assigned to a workspace, project, portfolio, report, file, idea, custom log, or program for access to be granted. Before a user group is assigned to an object, no access has been granted to users in the user group, even to the owning workspace of the user group.

Users added to a user group after the user group has been assigned to an object will automatically gain access to that object.

Multiple user groups can be assigned to the same object.
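
The rules above (membership scope, combined privileges across groups, and no access until a group is assigned) can be checked with a small model when auditing who can do what. This is an added example, not the application's own code or API: the hierarchy, the "View" privilege name, and the class and function names are constructed, and it assumes that membership granted at a workspace applies to that workspace and its children while a group must still be assigned to each object to grant anything there.

```python
from dataclasses import dataclass, field

@dataclass
class AccessModel:
    parent: dict                                     # object -> parent workspace (None at the top)
    assignments: dict = field(default_factory=dict)  # (group, object) -> privileges granted there
    memberships: set = field(default_factory=set)    # (user, group, workspace where user was added)

    def _self_and_ancestors(self, obj):
        while obj is not None:
            yield obj
            obj = self.parent.get(obj)

    def effective_privileges(self, user, obj):
        """Union of privileges from every group assigned to obj that the user
        belongs to at obj or at a workspace above it (assumed scoping rule)."""
        scope = set(self._self_and_ancestors(obj))
        granted = set()
        for (group, target), privileges in self.assignments.items():
            if target != obj:
                continue  # a group grants nothing on objects it is not assigned to
            if any((user, group, ws) in self.memberships for ws in scope):
                granted |= privileges
        return granted

def sample_model():
    # Constructed hierarchy: Root > Workspace X > Child Y
    m = AccessModel(parent={"Root": None, "Workspace X": "Root", "Child Y": "Workspace X"})
    m.assignments = {
        ("User Group 1", "Root"): {"View"},
        ("User Group 1", "Workspace X"): {"View"},
        ("User Group 1", "Child Y"): {"View"},
        ("User Group 2", "Workspace X"): {"View", "Add Project"},
        # "User Group 3" exists but is assigned to no object
    }
    m.memberships = {
        ("User A", "User Group 1", "Workspace X"),
        ("User A", "User Group 2", "Workspace X"),
        ("User A", "User Group 3", "Root"),
    }
    return m

if __name__ == "__main__":
    m = sample_model()
    for obj in ("Root", "Workspace X", "Child Y"):
        print(obj, sorted(m.effective_privileges("User A", obj)))
```

Running the same calculation for every user and object gives a baseline to compare against after group changes, which is useful because a user added to an already assigned group gains access without any further step.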

Where are user groups managed, and who can create and edit user groups?

User groups can be managed at the Global Admin, workspace, or project level.

In Global Admin, user groups in the application can be managed by application administrators, workspace and project administrators, and users with the User Groups privilege for a project or workspace. While application administrators have access to all user groups, all other users who manage user groups in Global Admin can only view user groups for workspaces and projects that they have access to.

User groups can also be managed from the Summary & Settings of a workspace or from the Project Team app of a project. At the workspace or project level, only user groups for that object and inherited user groups can be managed by administrators and by users with the User Groups privilege at that level.

User groups can be assigned to workspaces and projects on the Global Admin User Groups page. They can be assigned to all objects at the object level as well.