Groups make it easy to control access to Applications across your entire organization. Groups empower security admins to easily grant roles to Members to multiple applications from a centralized location.  This article discusses how to use the Groups functionality. 

What are Groups?

Groups is a security feature that allows Security Admins to combine multiple Members into a Group and assign them Roles across an entire Workspace. When Members are added to a Group, they can be assigned Roles to multiple Applications. Members can be added to multiple different Groups to be able to adjust to your security requirements.

Benefits of Groups

Groups makes it easy to assign, track, and maintain Member Roles across the entire Workspace in a centralized location without writing any code or formulas. Quickly add access to new Applications for multiple people in a few clicks. When a new Member joins your team, you can add them to a Group for access to all relevant Applications for their team. 

How do Groups work?

There are two elements to Groups:

• the Members that are part of the Group
• the access or Roles that are assigned through that Group

As a reminder, Roles define the access, actions, default Board access, and Access rights settings within an Application.

The first step in creating a Group is to define which Roles for various Applications should be included. When categorizing your Groups, it's essential to consider which Members will need consistent access across multiple Applications. 
 

Each Member can have only one Role per Application. When organizing your Groups, if you need to assign different Roles to Members within the same Group, you'll need to split the Group into separate Groups. Since Members can belong to multiple Groups, you don’t need to worry if a single Group doesn't cover all access needs for a member.

For example, if you want to create a Finance Group with some Members as Admins and others as Readers, you would create two Groups: Finance - Admins and Finance - Readers.

After defining the Roles and Applications for the Group, the next step is adding Members. Members must be added to the Workspace before they can be included in a Group.

How do Groups work with existing Application Role configurations?

There are two other ways to assign Member’s roles:

• Manually assigned Roles. You can use the Groups feature in Applications where Members are assigned Roles manually.
  If a Member already has a Role in an Application, by default they’re not impacted by any Group configuration. However, if a Member hasn’t a Role in an Application, you can add them to an Application through a Group configuration. You can confirm if a Member has been added to an Application using a Group configuration in your Application’s Settings page. 
  
  Do the following: 
  1. Open Roles, permissions & access, and locate the required Member.
  2. Click the down arrow their Role.
  A Group icon and the status Through Member Group is displayed underneath their Role.
   

  When using Groups to assign Application Roles, a new Metric called User groups roles (System) may appear in the Security folder. This is a protected, Pigment-generated system Metric, which can’t be modified. To remove this Metric, switch the Role assignment back to a dynamic formula, which automatically removes it from the folder.

• Roles assigned dynamically using a formula.  You cannot use the Groups feature in Applications where Roles are assigned by a formula.

  As your Application grows in complexity or if you plan for future scalability, it might be beneficial to switch to using Groups. 
  
  However, if you already have Applications where Roles are assigned using formulas, you'll need to take an additional step before transitioning to Groups. You must first remove the formula from the Users Role Metric of the Application. When the formula is removed, you can then proceed with assigning Members to the Application Roles.

  We highly recommend using Groups instead of formulas to manage access to multiple Applications as it allows for simplified management. It’s possible to revert to Application Role assignment back to assignment through formulas.
  
  Do the following: 
  1. Open Roles, permissions & access in your Application.
  2. Click the menu (...) beside Invite Members.
  3. Click Assign Roles dynamically. 

What happens if a Member is assigned two different Roles?

If a Member is assigned two different Roles through Groups, it’s flagged as a conflict.  A conflict is when a Member is in two different Groups, and each Group has a different Role for an Application. For more information, see Identify Role conflicts in Group assignment. 

For example, let’s say a Member belongs to both the Finance Modeler Group and the Finance Admin Group. If the Finance Modeler Group assigns them a Modeler Role, and the Finance Admin Group assigns them an Admin Role for the same Application, a conflict will occur.

When a conflicts occurs, no Role is assigned to the Member for that Application.

Create Groups in Pigment

For more information on adding Members using Groups, see Use Groups to Assign Roles.