Permissions best practices

This topic offers advice and best practices for getting started with groups and permissions, removing the barrier between getting started and implementing your workflow like a pro.

Only give users the permissions they need

It might seem easy to give broad permissions to a group and assign that group to all your users. It ensures that nobody gets blocked while they're working and it makes onboarding simpler. But in the long term, it makes work harder.

When everyone has access to every permission, it becomes harder to manage who is in charge of tasks, harder to track who is making specific changes, and harder to define roles. Instead, opt to give every user only the permissions they need and will use. Do not add them to groups with permissions they don't need.

Make more groups than you think you'll need

Groups determine the permissions for each user.

Tip: The easiest way to keep clear, controlled permissions is to make a group for each role or task in your organization.

Remember that you can assign a user to multiple groups, so if a user needs more access than a single group provides, simply add them to more than one. Give each group a small, focused purpose so that changes will always apply to all members of that group.

Give your groups meaningful names and descriptions

The best way to make sure that everyone only belongs to groups they need is to ensure that each group has a clear purpose.

The Group name and Description fields help everyone understand the purpose of each group and make it easy to review groups when new permissions are added.

Consider view-only groups

Most permissions have multiple levels of access, separating out the ability to view data from the ability to change it.

Tip: View-only groups can be valuable for training new hires or for new features.

Consider making lower-level, view-only groups and transitioning your team to edit permissions once they've gotten acclimated to those products and features.

Be cautious with the highest permissions

Some permissions, such as those with "manage all" in the name, give sweeping rights to users in that group.

CAUTION:
These permissions should only be given to trusted team members and should be assigned sparingly.

Remove users regularly

When a team member leaves, be sure to remove their user from the Users screen. This keeps your group membership clean, readable, and meaningful.

Use two-factor authentication

Two-factor authentication is one of the best tools you have to keep your access secure. The Two-factor authentication option on a group requires users to have two-factor authentication set up before they use the permissions granted by that group.

Note: It is strongly advised that you keep the Two-factor authentication option enabled at all times.

Be aware of connected permissions

Some permissions automatically grant you other permissions. This most commonly happens with editing permissions, which also grant view permissions automatically. Be aware of which permissions you are granting by default when you add a new permission to a group.
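
The following is an added example, not part of the original documentation or any product API. It audits a constructed set of groups against the practices above and computes a user's effective permissions across multiple groups, including connected ones. The data layout, the `resource:level` permission format, and the membership threshold are assumptions.

```python
# Added example: all group, user and permission names below are constructed.
# Permissions are modeled as "resource:level"; that format is an assumption.
IMPLIED_LEVELS = {"edit": {"view"}}  # connected permissions: edit also grants view

GROUPS = {
    "billing-viewers": {"description": "Read-only access to invoices",
                        "two_factor": True, "members": {"ana", "raj"},
                        "permissions": {"invoices:view"}},
    "billing-editors": {"description": "Create and correct invoices",
                        "two_factor": True, "members": {"raj"},
                        "permissions": {"invoices:edit"}},
    "everyone": {"description": "", "two_factor": False,
                 "members": {"ana", "raj", "lee", "old-contractor"},
                 "permissions": {"users:manage all", "invoices:edit"}},
}
ACTIVE_USERS = {"ana", "raj", "lee"}


def expand(permissions):
    """Return the permissions plus everything they grant automatically."""
    result = set(permissions)
    for perm in permissions:
        resource, _, level = perm.partition(":")
        result |= {f"{resource}:{extra}" for extra in IMPLIED_LEVELS.get(level, ())}
    return result


def effective_permissions(user, groups):
    """Union of expanded permissions across every group the user belongs to."""
    granted = set()
    for group in groups.values():
        if user in group["members"]:
            granted |= expand(group["permissions"])
    return granted


def audit(groups, active_users, max_privileged_members=2):
    """Return sorted (group, finding) pairs; the threshold is an assumed policy."""
    findings = set()
    for name, group in groups.items():
        if not group["description"].strip():
            findings.add((name, "missing description"))
        if not group["two_factor"]:
            findings.add((name, "two-factor authentication not required"))
        for user in group["members"] - active_users:
            findings.add((name, f"departed user still a member: {user}"))
        if (any("manage all" in p for p in group["permissions"])
                and len(group["members"]) > max_privileged_members):
            findings.add((name, "manage all permission held by a broad group"))
    return sorted(findings)
```

Running `audit(GROUPS, ACTIVE_USERS)` flags only the catch-all `everyone` group, which breaks four of the practices at once, while the two narrowly scoped billing groups pass.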