User Groups and Group Restriction

  • Updated on Mar 18, 2025
  • Published on Feb 6, 2025
  • 10 minute(s) read
  • DL
  • Migration Team
 Prev Next

User Groups: Appearance

Location: Site Configuration > User Settings > Groups

User Groups represent a way to regulate access to module items on a per-item basis, so that only users who belong to a group associated with a particular item can access the item. This section discusses how to create User Groups within a site and assign them to the site users, and how to use Group Restriction to control users’ access to items based on the groups they are assigned to.

Please, note that the appearance of the User Groups page changes from version 9.97.

image091.png

Fig.1.: User Groups configuration page before version 9.97

Screenshot_2020-07-13_at_14.45.49.png

Fig.2.: User Groups configuration page: Settings version 9.97+

Screenshot_2020-07-13_at_14.47.11.png

Fig.3.: User Groups configuration page: Groups List version 9.97+

Screenshot_2020-07-13_at_14.47.31.png

Fig.4.: User Groups configuration page: Groups Tree version 9.97+

Group Selection Mode

Starting from version 9.97 it is possible to set the group selection mode: Manual or Assigned by action. In case "Assigned by action" group selection module is selected, user groups will be assigned to a user solely by "Create Assign User Groups" actions configured in User Management module. This setup will not allow manual assignment of user groups to users, meaning that user group list will be read-only in edit user window both in Site and System Configuration.

Screenshot_2020-07-13_at_14.50.06.png

User Groups: Create, Read, Update, Delete operations

User Groups are created on a site-wide basis. To create a User Group, follow these steps:

  1. Go to Site Configuration > User Settings > Groups and click New User Group on the toolbar.

  2. In the dialog box that opens, type a name for the group in the Name box.

  3. Select a Parent group if you use group hierarchy on your site.

  4. Click OK to save the user group.

image092.png

Rather than create groups one by one it is possible to import multiple groups at once respecting the hierarchical relations between them. Having the list of groups in Excel like

image094.png

it is possible to Copy and Paste them into the “Import User Groups” window.

The parent groups are separated by line break and child groups are identified by TAB delimiter.

image096.png

This will create the next group tree:

image098.png

Note!

  • Avoid commas in groups names if used together with Assign by User Group actions.

  • First row with new entries takes precedence on insert; duplicate entries or conflicting entries are ignored.

Every group you create within a site can be assigned to the site users, which can later be used in regulating users’ access to items in a particular module.

To add a user to a User Group, follow these steps:

  1. Go to Site Configuration > Users > Active Users (you can also add inactive users to Users Groups, in which case you should select Inactive Users and then follow the same steps as given below).

  2. Locate the user you need. To do that, either use the search form at the top of the user list, or click the tab labeled with the letter the user name starts with.

  3. Click the Edit icon next to the user name, and then click the Site Information tab in the dialog box that opens. Existing groups are listed under User Groups.

  4. To add the user to a User Group, select the checkbox opposite the group name in the Access column. To remove the user from the group, clear the checkbox.

User Groups selected in Access can also be selected in the Pre-Select column. Selecting checkboxes in this column defines user access to items in modules with the Show and pre-select type of Group Restriction. Please, see Group Restriction for details.

image100.png

Fig.13.: Adding a user to a User Group

Site Configuration > {Module} > Settings

Group Restriction Types

Most of the Encodify module types support several types of Group Restriction, all of which serve to restrict access to module items to users belonging to a particular group or groups. By default, Group Restriction is disabled in a module. To enable it, follow these steps:

  1. Go to the Settings section of the module configuration menu and click Edit Settings on the toolbar.

  2. Select the type of restriction from the Group Restriction drop-down list:

  • None — no group restriction will be imposed on items in the module, i.e. users will have access to items regardless of what groups they are in.

  • Automatically — only users belonging to the same group as the user who creates an item will be able to access it.

  • Manual will allow the user to manually select User Groups allowed to access an item. Groups are selected in the Groups menu of the item information window. Thus any user belonging to a group authorized to access a particular item will be able to change the Group Restriction settings for the item.

  • Show and pre-select will automatically restrict access to items of the module to users belonging to the groups marked as Pre-Select in the User Groups settings of the user who creates a particular item. If the user has no Pre-Select groups, no group restriction will initially be imposed on any items this user creates. However, the user will be able to manually define the Group Restriction settings when creating an item, by going to the Groups menu of the item information window and selecting User Groups allowed to access the item.

  • Assigned by Action. If no groups assigned to the item it is available only to its creator (not to everyone as it is for manual or automatic group restrictions). Site and System administrators still have full access despite of groups restrictions. User groups can be assigned to item only by “Assign user groups” action execution on creating/updating item.

  1. Select the Inactivate group restriction on search results check box if you want relevant items to appear in search results regardless of whether or not the user who runs the search is authorized to access them.

  2. The Require Group Access option is available when “Manual” or “Show and Preselect” is selected as group restriction for the module. If the option is selected, the user will not be able to create an item without assigning it at least one of the group.

  3. The Allow Parent Groups checkbox when “Manual” or “Show and Preselect” is selected as group restriction for the module. If enabled, a user is able to see items assigned to parent group even if she is not a direct member of this group.

Note! Unlike common users, Site and System administrators will be able to create items that will be available to everybody, by leaving the “Everybody can access this item” setting on the “Groups” tab.

image101.png

Fig.14.: Applying Group Restriction to a module

To rename a User Group, follow these steps:

  1. Go to Site Configuration > User Settings > Groups and click the Edit icon next to the User Group that you want to rename.

  2. In the dialog box that opens, type a new name for the User Group and click OK to save your changes.

  3. To delete a User Group, click the Edit icon next to it, and then click Delete on the toolbar of the dialog box that opens.

image103.png

Fig.15.: Edit a User Group

User Group hierarchy

In order to have different access levels inside a group of users, it is possible to define the hierarchy of groups. It means, that each group can have a parent group and several subgroups. A user who belongs to the parent group has access to items assigned to this group and all its subgroups. A user who belongs to the subgroup has access only to items assigned to this subgroup, and not to items assigned to the parent group.

To clarify this let’s see on this example:

Assuming to have the next group hierarchy.

group1
|— group2
|— group3
|— group4

Each user has specific group access and each item is accessible for a particular group.

The derived decision table shows if the user has access to the item or not:

item1 (group 1)

item2 (group 2)

item3 (group 3)

item4 (group 4)

user1 (group 1)

yes

yes

yes

yes

user2 (group 2)

no

yes

no

no

user3 (group 3)

no

no

yes

yes

user4 (group 4)

no

no

no

yes

If checkbox “Grant group access for items from parent groups” is enabled in Module settings, the user access will be like this:

item1 (group 1)

item2 (group 2)

item3 (group 3)

item4 (group 4)

user1 (group 1)

yes

yes

yes

yes

user2 (group 2)

yes

yes

no

no

user3 (group 3)

yes

no

yes

yes

user4 (group 4)

yes

no

yes

yes

Note! Be careful with deleting the parent group. When you delete a parent group with one or more subgroups, all its subgroups will be deleted too (you will see the warning message first). Items assigned to deleted groups will become accessible to every user.

Assign User Group

This task performs assigning the required multiple user groups to item automatically on Create/Update item according to the group names values stored in item’s fields.

The following configuration options are present when configuring Assign User Group action:

  • sourceFields - this parameter assigns user groups ignoring group hierarchy and accepts a comma-separated list of field IDs.

  • level1 (level2... levelN) - does user group assignment and creation respecting user group hierarchy.

  • assignGroupsToItem - should be set to true when assignment of user groups to item on action event is needed.

  • assignGroupsToUser - parameter to be used solely in actions of the User Management module. Will assign mapped fields values representing user groups to a user.  Precondition for using this should be: "Assigned by action" set as User group selection mode in Site Configuration > User settings > User Groups. Note, that assignGroupsToItem parameter should be set to false, if assignGroupsToUser is set to true.

  • createGroups - when set to true, will create user group corresponding to the mapped field's value in case group has not been created previously.  This parameter can be used both for assignment of the groups to users and to items. Note, that new user groups will not be created in case sourceFields parameter is used as user groups source.

Please note the following action setup differences in versions prior to 9.97 and after

  • The 2 configuration options listed above are available starting from version 9.97. For earlier versions, only sourceFields parameter can be used.

  • Prior to version 9.97 it was possible to specify group id or group name in field mapped in user group assignment. Starting from version 9.97 only name is accepted.

  • resetExisting task parameter is removed in 9.97 - previously assigned groups are always overwritten.

  • Assignemt of user groups by actions will onæy be done in case groups restriction type of the module is set to "Assigned by action"

Please, note the following know behavior and limitations related to the Create/Assign User groups functionality

  • Assignment of group restriction by the configured actions in regular modules works only when group restriction type in module Settings is set to "Assigned by action". Please note that assignment of user groups to users by actions, are not controlled by group restriction type of the user management module, only by the “Group Selection Mode” setting in User group - Settings.

  • It is important to make sure that actions assigning user groups to users have assignGroupsToItem set to “false”

  • "Overwrite existing" action setting has been removed and is now always true

  • Assignment of user groups will now be done only by group name, assignment by group ID is no longer supported

  • Previously existing "Assign user group actions" are converted to a new type of action "Assign/Create User Groups" that supports group hierarchy. Configurations existing prior to version 9.97 will not be changed.

  • User group hierarchy cannot have missing parent values. In such cases assign group action will fail.

  • Assignment of user groups will also fail in case duplicate value (already existing group) is present. (e.g. Same subgroup under different parent)

  • Assigning user groups it is important to specify correct level. User group will not be assigned or created if it is present on another level than specified in action settings.

  • Assignment/creation of user groups using group hierarchy is only possible when all the levels starting from root (level 1) are specified. The following configuration will not work and it will not be possible to save the action:

    level2=id
    level3=id

  • Modified field values mapped for user groups assigmenmt will not modify previously created user groups. New user group will be created instead

  • To use the automatic group assignment by actions during bulk user import, field values mapped needs to be passed in the request. Also note that user groups should not be present in API request for bulk user creation.

  • Assigning user groups by actions cannot be used together with automatic assignment of user groups by the IDP. It means that, if you have IDP configuration that assigns user groups to a user, action cannot be used.

Related articles