What this feature does
A group in Epowerhr bundles users together and grants them a set of permissions (the rights to view, add, update or delete things in the system). Every user belongs to one or more groups, and the rights they get are the union of the rights of all their groups.
Three of the four tabs on a group's page cover the day-to-day group admin work:
- Detail — the group's name, description and group-type flags.
- Users — who is in the group.
- Permissions — what the members of the group are allowed to do.
The fourth tab, Restrict access, is described in a separate article — see Restrict access for groups: populations and hierarchy — and is used to narrow which records members can see, on top of their permissions.
Before you start
You will need:
- The permissions Administer general security and View groups to open any of the group tabs.
- The additional permission Update group to edit the Detail and Permissions tabs.
- The permissions Add user to group and Delete user from group to add or remove members on the Users tab.
Open the group
Navigate to Admin → Groups. The list shows every group in the tenant.
- Click an existing group to open it.
- Click Add to create a new group. After saving the Detail tab for the first time, the Users, Permissions and Restrict access tabs become available.
The Detail tab
The Detail tab holds the group's identity and its type flags.
| Field | Notes |
|---|---|
| Name | Required. The display name shown everywhere the group appears (assignment dropdowns, audit logs, etc.). Validation message: "Please provide group name". |
| Description | Free text. Optional. Use it to record the group's intent, especially when the name alone is ambiguous (for example "Access — Training: EmployeeType X"). |
| Security group | Flag. Marks the group as one that grants security/permissions. Some admin screens filter on this flag, so the convention is to tick it for groups whose primary purpose is to hand out rights. |
| Queue group | Flag. Marks the group as a work-queue group — i.e. a group used to route work items (training assignments, document approvals, ...) to a team rather than to a single user. |
| Limit access on the owner | Flag, only meaningful when Queue group is on. When ticked, members of the queue group only see records where they personally — or their group — are the owner; other team members' work items in the queue stay hidden. Leave it off for a "shared queue" view where every member sees every item. |
Click Save in the action bar to persist your changes.
Tip — Security group vs. Queue group: the two flags are independent. A group can be neither, either, or both. Security group is mainly a classification for filtering in admin screens; Queue group changes how work items are routed and how Limit access on the owner behaves.
The Users tab
The Users tab lists every user that is currently a member of the group.
The list shows three columns:
- Last name
- First name
- Company
If the group has no members yet, the empty state reads "No results found!".
Add users
- Click Add users. A picker opens.
- Select one or more users. Use the search box at the top of the picker to narrow the list.
- Click Add to group. The selected users are added immediately and appear in the list.
The user's group membership is binary — they either belong to the group or they don't, and the change takes effect on their next request. They do not have to log out and back in for permission changes alone, but session-cached lookups (for example menu items computed at login) only refresh on the next login.
Remove users
- Tick the rows of the users you want to remove.
- Click Delete selected users.
- Confirm the dialog "Are you sure you want to delete the selected users?". A success toast confirms "The selected users were deleted successfully!".
Note: if the group has Restrict access enabled, removing a user can broaden or narrow what they see in the rest of the system, depending on what their other groups configure. See Restrict access for groups: populations and hierarchy for how restrictions combine across multiple groups.
The Permissions tab
The Permissions tab is where you say what the members of the group are allowed to do. Permissions are organised as a tree, grouped by component (PA, Leave, Training, Talent, Documents, Expenses, …). Each leaf is a single right (for example View training, Adjust user).
Layout
- Tree view. Parent nodes group related rights; leaf nodes are individual permissions you tick to grant.
- Per-branch counter. Next to each parent node a small annotation shows "X / Y selected" so you can tell at a glance how much of a section is covered without expanding it.
- Expand all rights / Collapse all rights. A single toggle in the top-right corner expands or collapses every parent at once. Useful when you want to scan the whole tree, or when you want to collapse it again after a search.
- Search box. A filter at the top of the tree, with placeholder "Search right (e.g. 'adjust user')". Type any part of a permission's name; the tree narrows to matches in real time.
Granting and revoking rights
- Tick the leaf permissions you want to grant. The "X / Y selected" counter on each parent updates as you go.
- Click Save in the action bar. A success toast confirms the save; an error toast surfaces if anything fails.
The save replaces the group's full permission selection in one call — there is no "apply per item". This means you can freely tick and untick before saving, and only the final selected set matters.
How permissions combine across groups
Permissions are additive across all the groups a user belongs to. If a user is in three groups and any one of them grants View training, the user has View training. Removing a permission from one group does not revoke it if another of the user's groups still grants it.
The Restrict access settings (the fourth tab) are layered on top of this combined permission set: they can hide individual records, but they cannot grant a permission the user does not already have through some group. See Restrict access for groups: populations and hierarchy.
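Because rights are additive, unticking a right on one group only removes it from members who have no other group granting it. The sketch below is an added example, not Epowerhr code: it models that rule and reports who would actually lose a right. The group names, user names and dictionary layout are constructed for illustration and do not reflect any Epowerhr export format.

```python
# Constructed sample data: group -> granted rights, group -> members.
GROUP_RIGHTS = {
    "Training admins": {"View training", "Adjust user"},
    "Line managers": {"View training"},
    "Auditors": {"View groups"},
}
GROUP_MEMBERS = {
    "Training admins": {"alice", "bob"},
    "Line managers": {"bob", "carol"},
    "Auditors": {"alice"},
}


def groups_of(user, members=GROUP_MEMBERS):
    """Every group the user belongs to."""
    return {g for g, users in members.items() if user in users}


def effective_rights(user, rights=GROUP_RIGHTS, members=GROUP_MEMBERS):
    """Union of the rights of all the user's groups (the additive rule)."""
    result = set()
    for group in groups_of(user, members):
        result |= rights.get(group, set())
    return result


def granting_groups(user, right, rights=GROUP_RIGHTS, members=GROUP_MEMBERS):
    """Groups through which the user currently holds `right`."""
    return sorted(g for g in groups_of(user, members)
                  if right in rights.get(g, set()))


def revoke_impact(group, right, rights=GROUP_RIGHTS, members=GROUP_MEMBERS):
    """Effect of unticking `right` on `group`.

    Returns (lose, keep): members who lose the right entirely, and members
    who keep it, mapped to the other groups that still grant it.
    """
    lose, keep = [], {}
    if right not in rights.get(group, set()):
        return lose, keep  # the group does not grant it; nothing changes
    for user in sorted(members.get(group, set())):
        others = [g for g in granting_groups(user, right, rights, members)
                  if g != group]
        if others:
            keep[user] = others
        else:
            lose.append(user)
    return lose, keep
```

Any user listed in `keep` still holds the right after the save, so a revoke that is meant to be complete has to be repeated on each group named there.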
Frequently asked questions
Why don't I see one of the tabs? You need Administer general security and View groups to see the group page at all. Edit actions on the Detail and Permissions tabs additionally need Update group; the Users tab additionally needs Add user to group and Delete user from group for the respective actions.
I added a permission but the user still cannot do the action. Why? Two common causes. First, some menu items and access checks are computed at login, so the user may need to log out and back in for the new right to take full effect. Second, another group the user belongs to may have Restrict access enabled and be hiding the records they expect to see — see the access-control article for how restrictions combine.
What is the difference between a Security group and a Queue group? A Security group is a classification: it marks the group as one that exists to grant rights, and several admin screens filter on this flag. A Queue group is functional: it tells the system to treat the group as a work queue, which is what makes routing features (like training assignment to a team) and the Limit access on the owner setting behave the way they do. The two flags are independent — set the ones that match the group's purpose.
If I remove a user from a group, do they lose the rights immediately? Yes, on their next request. Permission lookups are not cached across requests. However, things that are computed at login (for example menu visibility) only refresh after the next login.
Can I copy permissions from one group to another? Not directly from this screen. The Permissions tab edits a single group's selection. To duplicate a setup, open both groups side by side and replicate the ticks, or create the new group with the same name pattern so it is clear they share intent.