=====================
Authorization groups
=====================


Authorization groups, also called simply groups, are used to grant
permissions to user accounts.

Users in any space with the view group permission can see all groups and
group members in their space and its descendants, but only users with
modification permissions in the root space can add, update, or delete
groups. Users in child spaces cannot add, update, or delete groups, even
if they have those permissions.

|image4|

The above image demonstrates how permissions are assigned to users based
on their group memberships. Permissions in black text are granted to the
group; permissions in grey text are not granted to the group. The
permissions shown are a small sample of the actual available
permissions.

A user only in the View group gets only the "view bond" and "view agg"
permissions, while a user in the Bond admin group and the View group
gets "view bond," "add bond," "change bond," "delete bond," and "view
agg" permissions. If a user were only a member of the Bond admin group,
he or she would not get the "view agg" permission. A user in the
Administrator group gets all permissions, so would not need to be added
to the View group to be able to see bonds and aggs.

Permissions cannot be assigned directly to users. If a single user
requires a unique set of permissions, a group must be created with the
appropriate permissions and then the user assigned to that group.

SD-WAN includes a number of `default
groups <default-groups.html>`__ that can be used to quickly
assign relevant permissions to users. These default groups can be
deleted and replaced with custom groups.

Authorization groups are the same for all spaces. Only users with
appropriate permissions in the root space can add, change, or delete
groups or change group permissions, but users with appropriate
permissions in any space can add users to or remove users from groups.

Listing groups
---------------

To view the list of groups, click the gear icon in the navigation menu,
then click Groups.

|image0|

The list of groups is shown. Click a group name to see details about the
group.

Adding a group
---------------

To add a group, browse to the list page, then click the "Add group"
button. This opens the form for creating a group. Complete the form on
the Group tab and click "Save". When creating a new group, only the main
tab is shown. After saving the group, the other tabs are shown.

Viewing or updating a group
----------------------------

To view or update a group, navigate to the list page and click the name
of the group or the |image1| button beside its name. This opens the
group page with these tabs:

-  Group: name and membership details
-  Permissions: a matrix of permissions given to users in the group

You cannot make any changes to a group (name, membership, or
permissions) that has a permission that you don't have. For example, a
user only in the default "User admin" group, which has permission to
update groups, cannot make changes to the Administrator group, because
the Administrator group has a number of permissions that a user only in
the "User admin" group does not have.
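
The following sketch is an added example, not code from the product. It models
two rules from this page: a user's permissions are the union of their groups'
permissions, and a group can only be changed by someone who already holds every
permission it grants. The function names and the "group" permission strings are
assumptions, and space scoping is not modeled.

```python
# Added example: models the rules described on this page, not the product's code.
# Permission strings other than the "bond"/"agg" ones in the figure are constructed.
ALL_PERMISSIONS = frozenset({
    "view bond", "add bond", "change bond", "delete bond", "view agg",
    "view group", "add group", "change group", "delete group",
})

GROUPS = {
    "View": frozenset({"view bond", "view agg"}),
    "Bond admin": frozenset({"view bond", "add bond", "change bond", "delete bond"}),
    "User admin": frozenset({"view group", "add group", "change group", "delete group"}),
    "Administrator": ALL_PERMISSIONS,
}


def effective_permissions(memberships):
    """Permissions are never assigned directly: a user holds the union of
    the permissions of every group they belong to."""
    perms = set()
    for name in memberships:
        perms |= GROUPS[name]
    return frozenset(perms)


def missing_for_edit(actor_memberships, target_group):
    """Return the permissions that block the actor from changing target_group.

    An empty result means the edit is allowed. The actor needs the
    (constructed) "change group" permission and must already hold every
    permission the target group grants, so editing a group can never hand
    out a permission the editor lacks.
    """
    held = effective_permissions(actor_memberships)
    missing = set(GROUPS[target_group] - held)
    if "change group" not in held:
        missing.add("change group")
    return frozenset(missing)


def editable_groups(actor_memberships):
    """Groups whose name, membership or permissions the actor could change."""
    return sorted(g for g in GROUPS if not missing_for_edit(actor_memberships, g))
```

Running ``editable_groups`` over every account's memberships gives a quick review of who is able to change which groups.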

Group fields
-------------

Name
+++++

The name of the group.

Members
++++++++

The members control is not available when adding a new group. To manage
group members, first save the new group, and then the members control
will become available.

To add a user to the group, click his or her email address in the
"Available users" list and then click the |image2| button to add the
user to the "Chosen users" list. To remove a user, click his or her
email in the "Chosen users" list, then click the |image3| button to
remove the user from the list. Then click Save.

Permissions
++++++++++++

Shown on the permissions tab, individual permissions appear as a matrix
of resources and view/add/change/delete/other permissions. For example,
the bond resource has five separate permissions for each action that can
be taken on a bond. To assign a permission to a group, ensure the
appropriate box is checked.

Deleting a group
-----------------

To delete a group, navigate to its page and click the Delete button.
A confirmation dialog will prompt you to confirm before the group is deleted.


.. |image0| image:: /attachments/11667091/11667629.png
.. |image1| image:: /attachments/11667020/11667643.png
.. |image2| image:: /attachments/11667091/11667663.png
.. |image3| image:: /attachments/11667091/11667664.png
.. |image4| image:: /attachments/11667091/11667340.png
