Managing user groups

User groups help streamline the management of users who need the same set of permissions. A user group explicitly sets the organizational role for users, which determines the tasks they can perform within each organization. You can assign roles at a per-organization level or assign a single role across all organizations. Single sign-on settings can also be applied to groups through SSO group mappings.

What happens if there are conflicting permissions?

runZero will always grant the role with the highest permissions level. For example, let's say an account has a viewer role for all organizations, but they've been added to a user group that has a user role for all organizations. This user will now have user-level permissions for all organizations. If the user group expires, the user's role reverts back to their account-level role.

User groups can also have an optional expiration date, which sets time-bound access to organizations within runZero for specific users. When the expiration date elapses, the user reverts back to their account-level permissions. If no expiration date is set, the user group settings will be persistent.

Creating user groups

runZero administrators and super users can create user groups.

  1. Go to Your team > Groups and click Add Group.
  2. Enter a name for the user group.
  3. Choose the default role you’d like to assign to the group. This setting will establish the access level for every organization you have.
  4. Set the per-organization roles, if you need to provide different access levels to specific organizations.
  5. Set an expiration date for the user group, if you need to time-bound the permissions. When the expiration date elapses, the role for users part of the group will revert back to their user-level permissions. Otherwise, if you don’t specify an expiration date, the user group will be persistent.
  6. Go to the Add users tab and search for the users you want to add to the group. You can search by username or email.
  7. When you are done adding users, save the user group. The user group will be listed on the Groups page.

Adding users to user groups

To add users to multiple groups at the same time, you can use the Edit group membership button on the Users page. The Edit group membership window will list every user group each user is currently in. Making changes from the Edit group membership window will apply to all users you have selected. Only runZero administrators and super users can add users to user groups.

  1. Go to the Users page.
  2. Select the users you want to add to a group.
  3. Click the Edit group membership button.
  4. Choose the user groups you want to add the users to.
  5. Save your changes.

Setting an expiration date for a user group

runZero administrators and super users can set an expiration date for a user group.

  1. Go to Your team > Groups.
  2. Find the user group you want to assign an expiration date. Click the name to open the config page.
  3. Set an expiration date for the user group. After the expiration date, the user’s role will revert back to their account-level permissions.
  4. Save the user group. You’ll be able to see the user group’s expiration date from the Groups page.

Viewing users in a user group

  1. Go to Your team > Groups.
  2. Find the Users column in the User groups table, which shows the user count for the group.
  3. Click the user count to query and display the users assigned to the group.

Viewing user groups assigned to a user

  1. Go to Your team > Users.
  2. In the Groups column for each user is the number of groups that user is a member of.
  3. Click on a number to show the corresponding list of groups.

Removing users from a user group

runZero administrators and super users can remove users from a user group.

  1. Go to Your team > Groups.
  2. Find the user group you want to modify. Click the name to open the config page.
  3. Go to the Users tab.
  4. Remove the users you no longer want assigned to the group. Their permissions will revert back to their account-level ones.
  5. Save your changes.

Deleting user groups

runZero administrators and super users can delete user groups.

  1. Go to Your team > User groups.
  2. Select the user group you want to delete.
  3. Click the Delete button.
  4. Confirm you want to delete the user group.

Searching for users and user groups

When you are on Users page or Groups page, you can use the following keywords to search in the table:

Keyword Description Example
id User’s ID. id:123456789
name User’s name. name:john
expires_at Time or date the user group expires. expires_at:>2weeks
created_at Time or date the user group was created. created_at:>2weeks
updated_at Time or date the user group was last updated. updated_at:>1year
has_expiration Whether the group has an expiration date. has_expiration:true
created_by_id ID of user who created the user group. created_by_id:123456789
created_by_email Email of the user who created the user group. created_by_email:user@example.com
group_id The user group ID. group_id:123456789
group_name The user group’s name. group_name:group1

Group IDs can be found in the URL for the group config page https://console.runzero.com/groups/<groupid>/edit.

The group_id keyword is only available for the users table; for the groups table, use id.