Skip to main content
Admin › Users › Groups
Groups bundle users for unified permission management. Design groups by department, role, project, etc., to match your organization.

Why Groups?

Per-userPer-group
Set permissions per user individuallySet once on the group, applies to everyone
Edit one by one when changingEdit only the group setting
Becomes complex as users growScales systematically

Creating a Group

1

Select the Groups tab

Pick the Groups tab in user management.
2

Create a new group

Click the + icon (tooltip: “Create group”).
3

Enter group info

Enter group name (e.g., “Marketing Team”) and description.
4

Add members

Search for users in the Members tab and add to the group.
5

Connect to Organizational Unit (optional)

In the Organization Assignment area, link this group to a specific organizational unit. All users in the linked OU automatically get the group’s permissions — useful for applying the same permission set to an entire department.
Linking the “Marketing Team” group to “Company / Marketing Division” OU automatically grants permission to new employees as IdP sync adds them to Marketing Division.

Group Permission Settings

Configure detailed permissions per group. All permissions are split into 4 levels.
Group permission settings

Permission Levels

LevelDescription
NoneCannot access the feature
AccessView list (no detail access)
ReadView list + view details
WriteView + create/edit/delete
PermissionNoneAccessReadWrite
AgentsNo accessList onlyView detailCreate/edit
Knowledge BaseNo accessList onlyView detailCreate/edit
PromptsNo accessList onlyView detailCreate/edit
ToolsNo accessList onlyView detailCreate/edit
DatabaseNo accessList onlyView detailCreate/edit
GlossaryNo accessList onlyView detailCreate/edit
GuardrailsNo accessList onlyView detailCreate/edit
Flow accessNo accessList onlyView detailCreate/edit
You can delegate parts of admin features to regular users.
PermissionNoneAccessReadWrite
User managementNo accessView user listView detailCreate/edit/delete
Settings accessNo accessView settings listView setting valuesChange settings
EvaluationsNo accessView evaluation listView detailChange settings
MonitoringNo accessView monitoringView detail
Sharing permissions (ON/OFF):
  • Share agents, KBs, prompts, tools, databases, glossaries
Chat permissions (ON/OFF):
  • File upload, chat deletion, message editing, chat controls
  • Voice input (STT), voice output (TTS), voice calls
  • Multi-model concurrent use, temporary chat
Feature permissions (ON/OFF):
  • Direct tool server connection, web search, image generation, code execution

Default Permissions

Set default permissions applied to users not in any group. Click Default Permissions at the top of the Groups tab.
Default permissions are the initial permissions for users not in any group. Per least-privilege principle, set defaults restrictively and grant additional permissions through groups as needed.

Group ↔ Organizational Unit Mapping

In the Organizations tab of the group edit modal, you can map this group to one or more organizational units (OUs). All members of mapped OUs automatically inherit the group’s permissions, so when IdP sync adds a new employee to an OU, permissions apply without any manual action.
FieldDescription
Tab locationGroup edit modal → General / Permissions / Organizations / Users
SelectionMulti-select checkboxes. Search box filters OUs by name, display name, or description
Mutual exclusivityEach OU can be assigned to only one group. OUs already claimed by another group are automatically excluded from the list
Displayed infoOU display name + internal name, member count, Assigned badge for OUs already attached to the current group
Save behaviorOn group save, persisted to group.meta.org_unit_ids
OUs themselves are imported via IdP sync (Entra/Google Workspace OIDC) or created manually under Admin > Organizations. See Organization Management for OU creation and sync.
Mapping the “Marketing” group to the “Company / Marketing” OU means that the moment IdP adds a new hire to the Marketing OU, they receive the group’s permission set automatically — eliminating the operational overhead of adding/removing users from groups one by one.

User Management

User list, roles, add/edit, usage limits

Organizations

Organization/OU hierarchy, Entra ID sync, organization-based access control

Inquiries

Receive and handle user inquiries