Invidual Permissions vs Groups

Hi,

I’ve got an Enterprise License and I am trying to get the permissions configured the way I want them. One of the issues I encountered is that when you manage a user from the Users screen of the organisation, each user can have their own permissions to folders.

Theres also a groups section with associations in groups. If I remove all permissions from users on their individual pages, will the Group policy take precedence over that?

Thanks

Hey @creodejamie yes, for scalability, it is best to manage permissions through groups so that as you provision and deprovision users, they automatically receive the indicated permissions.

Hey, thanks for coming back, so if I remove individual permissions for all users they will default back to their groups permissions?

That is correct :+1:

I think the individual vs group collection access boils down to one thing, scalability and granularity.

  • Groups allow you to add multiple people to the same group or multiple groups and access collections based on the permissions of those groups.

  • Individual allows for a bit more granular control, say in a case that an individual person needs access to a single collection, but not all collections as part of a group.
    Say someone in accounting needed access to a marketing portal for payment, but not have access to all of the collections the Marketing group would have access to (like social media accounts etc), this can be done by assigning the collection individually to that user and not for the whole group.

Depending on how big your team is, there is also the option of have collections like /employees/staff 01 etc… you can add an ‘x’ to the front to keep it at the bottom of the collections list, but can be useful for small scale sharing but keeping with groups/collections associations.

Yeah this makes sense in terms of scalability. Ideally I do want to use groups over individual permissions I just couldn’t find much in the documentation about how they work alongside individual permissions and if say a Marketing Person was not checked on the Marketing folder, would they lose access even though they have it in a group.

Feels like the answer is the group would still allow them access to that folder.

Generally most software will check at a group level then the user role, if a collection is assigned by the group then the user will gain access to that collection.

One good thing to note, with the further granular permissions for Groups/Users, you can allow a Group access to a Collection with restrictive permissions, and if a few Users need more accessible permissions then they can be assigned individual permission to View passwords or Edit capabilities.
i.e. A group for IT Staff may need Read Only access to a specific Collection, but perhaps a team-lead or designee in the IT Staff group can be assigned individual User permission to the Collection for editing and viewing.