Group Access and Permissions
Context and Why This Exists
Groups are the main access boundary inside an organisation. Group access lets you decide whether a group is available through member defaults or only to specifically selected people and teams.
What the Feature Does
The group Team dialog controls internal access for one group.
You can:
- Turn member baseline access on or off.
- Add member-specific overrides.
- Add team-specific overrides.
- Review baseline, override, and effective access.
How to Use It
- Go to Groups.
- Find the group you want to manage.
- Click Team.
- Review Member baseline access.
- Use Group access to choose whether member defaults apply.
- Use Member Overrides for individual exceptions.
- Use Team Overrides when a whole team needs access.
Member Baseline Access
Member baseline access controls whether internal member defaults apply to the group.
If the group shows Baseline access on, members can use their default access level for this group.
If the group shows Restricted, member defaults do not apply. Access must come from a tenancy admin role, member override, team override, or guest share.
Example: a user may normally have Member - Edit across open groups, but a confidential client group can be marked Restricted. That user will not see the restricted group unless they receive a member override or team access.
Member Overrides
Use Member Overrides to give one internal member higher access to this group than they would otherwise have.
Member overrides are additive. They upgrade access; they do not downgrade someone below their member default or team access.
Example: if someone is Member - View, you can make them Group Editor or Group Manager for one group.
Example: if someone has Member - No Baseline Access, you can still give them Group Viewer, Group Editor, or Group Manager access for one specific group.
Team Overrides
Use Team Overrides to give every active member of a team access to this group.
Team overrides support:
- Group Viewer
- Group Editor
- Group Manager
Guests are not eligible for team access.
Example: if the Corporate team has Group Editor access for a client group, every active member of the Corporate team receives that access. When someone is removed from the team, that team-based access is removed.
Permission Levels
| Access level | What it allows |
|---|---|
| Group Viewer | View group data and diagrams. |
| Group Editor | View and edit group data and diagrams. |
| Group Manager | View, edit, delete group data, and manage group access for that group. |
| Tenancy Admin | Full organisation-level administration and group access. |
Edge Cases and Expected Behavior
If an override option is not available, the selected member probably already has that level of access or stronger access through their default role or a team.
If a member still sees a restricted group after you remove a direct override, check whether they belong to a team that still has access.
If Team is not visible on a group, you do not have permission to manage access for that group.
Best Practice
Keep group access simple:
- Use member defaults for ordinary groups.
- Use teams for recurring working groups.
- Use member overrides for one-off exceptions.
- Restrict groups only when baseline access should not apply.
If most users should see most groups, keep baseline access on and restrict only sensitive groups. If groups should be department-specific, turn baseline access off and grant access through teams.