Permissions best practices
This topic offers advice and best practices for getting started with groups and permissions, removing the barrier between getting started and implementing your workflow like a pro.
Only give users the permissions they need
It might seem easy to give broad permissions to a group and give that group to all your users. It ensures that nobody gets blocked while they're working and it makes onboarding more simple. But in the long term, it makes work harder.
When everyone has access to every permission, it becomes harder to manage who is in charge of tasks, harder to track who is making specific changes, and harder to define roles. Instead, opt to give every user only the permissions they need and will use. Do not add them to groups with permissions they don't need.
Make more groups than you think you'll need
Groups determine the permissions for each user.
Remember that you can assign a user to multiple groups, so if a user needs more access than a single group provides, simply add them to more than one. Give each group a small, focused purpose so that changes will always apply to all members of that group.
Give your groups meaningful names and descriptions
The best way to make sure that everyone only belongs to groups they need is to ensure that each group has a clear purpose.
The Group name and Description fields help everyone understand the purpose of each group and make it easy to review groups when new permissions are added.
Consider view-only groups
Most permissions have multiple levels of access, separating out the ability to view data from the ability to change it.
Consider making lower-level, view-only groups and transitioning your team to edit permissions once they've gotten acclimated to those products and features.
Be cautious with the highest permissions
Some permissions, such as those with manage all in the name, give sweeping rights to users in that group.
Remove users regularly
When a team member leaves, be sure to remove their user from the Users screen. This keeps your group membership clean, readable, and meaningful.
Use two-factor authentication
Two-factor authentication is one of the best tools you have to keep your access secure. The Two-factor authentication option on a group requires users to have two-factor authentication set up before they use the permissions granted by that group.
Be aware of connected permissions
Some permissions automatically grant you other permissions. For example, this most commonly happens with editing permissions, which also grant view permissions automatically. Be aware of which permissions you are granting by default when you add a new permission to a group.