# Groups & Access Control

Groups let you organize users into logical teams and assign roles and resource permissions in bulk. **Instead of managing access user by user, add someone to a group and they instantly inherit all of the group's roles and shared resources.**

{% hint style="success" %}
**Simplified Access Management**: Share a project with the "Engineering Team" group once, and every current and future member of that group gets access automatically.
{% endhint %}

## Overview

Groups are part of DarcyIQ's role-based access control (RBAC) system. They solve the problem of managing permissions at scale — when you have dozens of users and hundreds of resources, assigning access individually becomes unmanageable.

| Capability               | Description                                               | Business Impact                            |
| ------------------------ | --------------------------------------------------------- | ------------------------------------------ |
| **Bulk User Management** | Add or remove users from groups in one action             | Manage access for entire teams at once     |
| **Role Inheritance**     | Group members inherit all roles assigned to the group     | Consistent permissions across team members |
| **Resource Sharing**     | Share resources with a group instead of individual users  | One share action covers the entire team    |
| **Automatic Onboarding** | New group members instantly get all group permissions     | No manual permission setup for new hires   |
| **Clean Offboarding**    | Remove a user from a group to revoke all inherited access | Instant revocation of group-granted access |
| **Everyone Group**       | System group that automatically includes all org members  | Set org-wide defaults effortlessly         |

## How Groups Work

{% @mermaid/diagram content="graph TD
A\[Create Group] --> B\[Add Members]
B --> C\[Assign Roles]
C --> D\[Share Resources]
D --> E\[Members Inherit<br/>Roles + Access]
E --> F\[New Member Joins]
F --> E" %}

When a user is added to a group, they automatically gain:

1. **Organization roles** assigned to the group (Admin, Member, etc.)
2. **Resource permissions** shared with the group (Editor or Viewer on specific projects, lists, etc.)

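When a user is removed from a group, all access inherited from that group is revoked immediately. Roles and permissions the user holds directly, or inherits from other groups, are unaffected.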

## The "Everyone" Group

Every organization has a system-managed **Everyone** group that automatically includes all organization members.

| Property             | Behavior                                                          |
| -------------------- | ----------------------------------------------------------------- |
| **Membership**       | Automatic — all org members are added, cannot be manually changed |
| **Roles**            | Cannot be assigned (prevents accidental org-wide escalation)      |
| **Resource Sharing** | Share a resource with Everyone to give the whole org access       |
| **Management**       | Cannot be renamed, deleted, or have members manually managed      |

{% hint style="info" %}
**Use the Everyone group** to share resources that the whole organization should see — like company-wide knowledge bases, shared templates, or reference lists.
{% endhint %}

## Creating and Managing Groups

### Creating a Group

{% stepper %}
{% step %}
**Navigate to Access Control** Go to **Settings → Access Control** and select the **Groups** tab.
{% endstep %}

{% step %}
**Click "Create Group"** Provide a name and optional description for the group.
{% endstep %}

{% step %}
**Add Members** Search for users in your organization and add them to the group.
{% endstep %}

{% step %}
**Assign Roles (Optional)** Assign organization-level roles to the group. All members will inherit these roles.
{% endstep %}
{% endstepper %}

### Managing Members

| Action            | How                                              | Effect                                               |
| ----------------- | ------------------------------------------------ | ---------------------------------------------------- |
| **Add Members**   | Search users and add individually or in batch    | Users immediately inherit group permissions          |
| **Remove Member** | Click remove on a group member                   | User loses all permissions inherited from this group |
| **View Members**  | Open the group detail to see all current members | Audit who has access                                 |

### Managing Roles

Assign organization-level roles to a group so all members share the same capabilities:

| Role       | Capabilities                                                  |
| ---------- | ------------------------------------------------------------- |
| **Admin**  | Full organizational management, settings, and user management |
| **Member** | Standard access to features and shared resources              |

{% hint style="warning" %}
**Roles assigned to a group apply to all members.** Be careful when assigning Admin roles to groups — every member of that group will gain administrator privileges.
{% endhint %}

## Sharing Resources with Groups

Instead of sharing a project, list, or agent with each user individually, share it with a group:

### How to Share with a Group

1. Open the resource you want to share (project, list, agent, etc.)
2. Click **Share**
3. Switch to the **Groups** tab
4. Search for and select the group
5. Choose the permission level

### Group Permission Levels

| Permission          | Capabilities                          | Use Case                    |
| ------------------- | ------------------------------------- | --------------------------- |
| **Resource Editor** | Read and write access to the resource | Team members who contribute |
| **Resource Viewer** | Read-only access to the resource      | Stakeholders who review     |

{% hint style="info" %}
**Resource Owner** is only assignable to individual users, not groups. The user who creates a resource is automatically its owner.
{% endhint %}

## Permission Evaluation

When a user attempts an action, DarcyIQ evaluates permissions in this order:

1. **Organization roles** — direct roles assigned to the user
2. **Group organization roles** — roles the user inherits from their groups
3. **Direct resource permissions** — permissions assigned to the user on a specific resource
4. **Group resource permissions** — resource permissions the user inherits from their groups
5. If no permission grants access, the action is denied

This means a user's effective permissions are the **union** of their direct permissions and all permissions inherited from every group they belong to.
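The sketch below is an added illustration, not DarcyIQ code: it models the evaluation order above and reports which grants survive when a user is removed from every manageable group, which is the direct-permission review that offboarding needs. The data layout, function names and sample organization are assumptions made for the example.

```python
# Added illustration of the evaluation order above; not DarcyIQ code.
# The data layout, function names and sample organization are assumptions.
EVERYONE = "Everyone"

def groups_of(user, org):
    """Groups containing the user; Everyone always includes org members."""
    return sorted({g for g, m in org["members"].items() if user in m} | {EVERYONE})

def effective_roles(user, org):
    """Steps 1-2: direct roles, then roles inherited from groups."""
    found = [("direct", r) for r in sorted(org["user_roles"].get(user, ()))]
    for g in groups_of(user, org):
        if g != EVERYONE:  # roles cannot be assigned to Everyone
            found += [(g, r) for r in sorted(org["group_roles"].get(g, ()))]
    return found

def effective_shares(user, resource, org):
    """Steps 3-4: direct resource permission, then group resource permissions."""
    found = []
    if (user, resource) in org["user_shares"]:
        found.append(("direct", org["user_shares"][(user, resource)]))
    for g in groups_of(user, org):
        if (g, resource) in org["group_shares"]:
            found.append((g, org["group_shares"][(g, resource)]))
    return found

def evaluate(user, resource, org):
    """Every applicable grant with its source; an empty list is step 5 (deny)."""
    return effective_roles(user, org) + effective_shares(user, resource, org)

def residual_after_group_removal(user, org):
    """Roles and shares still held after removal from every manageable group."""
    stripped = dict(org, members={g: m - {user} for g, m in org["members"].items()})
    resources = sorted({r for _, r in [*org["user_shares"], *org["group_shares"]]})
    left = {r: s for r in resources if (s := effective_shares(user, r, stripped))}
    return effective_roles(user, stripped), left

ORG = {  # constructed sample organization
    "members": {"Delivery Team": {"dana", "eli"}, "Acme Corp Team": {"dana"}},
    "user_roles": {"eli": {"Member"}},
    "group_roles": {"Delivery Team": {"Member"}},
    "user_shares": {("dana", "acme-plan"): "Resource Editor"},
    "group_shares": {("Acme Corp Team", "acme-plan"): "Resource Viewer",
                     ("Delivery Team", "runbook"): "Resource Editor",
                     (EVERYONE, "handbook"): "Resource Viewer"},
}

if __name__ == "__main__":
    print(evaluate("dana", "acme-plan", ORG))
    print(residual_after_group_removal("dana", ORG))
```

In the sample data, `dana` keeps a direct Resource Editor grant on `acme-plan` and the Everyone share on `handbook` after leaving both teams, so group removal alone does not end her access.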

## Who Can Manage Groups

| Action             | Required Permission       |
| ------------------ | ------------------------- |
| **View groups**    | Any organization member   |
| **Create groups**  | Owner, Admin, or Sysadmin |
| **Update groups**  | Owner, Admin, or Sysadmin |
| **Delete groups**  | Owner, Admin, or Sysadmin |
| **Manage members** | Owner, Admin, or Sysadmin |
| **Manage roles**   | Owner, Admin, or Sysadmin |

## Use Cases

### Team Onboarding

**Scenario**: A new consultant joins the delivery team

1. Add the user to the "Delivery Team" group
2. They instantly gain access to all shared projects, lists, and agents
3. No need to individually share dozens of resources

### Department Access Control

**Scenario**: The sales team needs access to all prospecting lists

1. Create a "Sales Team" group
2. Share all lead lists and prospect research with the group
3. New sales hires automatically get access when added to the group

### Client Engagement Teams

**Scenario**: Rotating team members across client projects

1. Create a group per client (e.g., "Acme Corp Team")
2. Share all Acme-related projects, lists, and knowledge bases with the group
3. Add or remove team members as the engagement evolves

### Organization-Wide Resources

**Scenario**: Company-wide knowledge base access

1. Share the knowledge base with the **Everyone** group
2. All current and future org members automatically have access

## Best Practices

| Practice                           | Recommendation                                                          |
| ---------------------------------- | ----------------------------------------------------------------------- |
| **Mirror your org structure**      | Create groups that reflect real teams — sales, engineering, delivery    |
| **Use descriptive names**          | "AWS Migration Team" is better than "Team A"                            |
| **Minimize role assignments**      | Assign the least-privileged role that allows the group to do their work |
| **Audit regularly**                | Review group membership quarterly to remove departed team members       |
| **Use Everyone sparingly**         | Only share truly org-wide resources with the Everyone group             |
| **Prefer groups over individuals** | Share resources with groups by default for easier long-term management  |

{% hint style="info" %}
**Pro Tip**: When someone leaves your organization, removing them from all groups immediately revokes their inherited access. Combine this with direct permission review for complete offboarding.
{% endhint %}

## Related Documentation

| Topic                       | Documentation                                                                                          |
| --------------------------- | ------------------------------------------------------------------------------------------------------ |
| Managing organization users | [Organization Management](https://docs.darcyiq.com/settings-and-configuration/organization-management) |
| Sharing lists with groups   | [Lists](https://docs.darcyiq.com/workspace/lists)                                                      |
| Agent sharing               | [Agents](https://docs.darcyiq.com/core-features/agents)                                                |
| Project permissions         | [Projects](https://docs.darcyiq.com/workspace/projects)                                                |
