Groups

Groups organize workspace members into logical teams for easier permission and data access management. Instead of managing access filters for each member individually, you create groups, assign access filters to groups, and add members to groups. All members of a group automatically inherit the group’s access filter assignments.

What Groups Do

Groups serve one primary purpose: they are the assignment target for access filters. When an access filter is assigned to a group, every member of that group has their queries automatically filtered by the access filter’s SQL condition.

Groups do not grant additional permissions. A member’s permissions are determined solely by their role. Groups control what data a member can see, while roles control what actions a member can perform.

Creating a Group

Via the UI

1. Navigate to Govern > RBAC > Groups
2. Click Create Group
3. Fill in the group details:

4. Click Create

Via the API

curl -X POST https://your-workspace.signalsmith.dev/api/v1/groups \
  -H "Authorization: Bearer $API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "EMEA Marketing Team",
    "description": "Members of the marketing team in EMEA region"
  }'

Response:

{
  "id": "grp_abc123",
  "name": "EMEA Marketing Team",
  "description": "Members of the marketing team in EMEA region",
  "member_count": 0,
  "subset_count": 0,
  "created_at": "2025-01-15T10:00:00Z"
}

Managing Group Members

Adding Members

Via the UI

1. Navigate to Govern > RBAC > Groups
2. Click on the group
3. In the Members tab, click Add Members
4. Select workspace members from the list (search by name or email)
5. Click Add

Via the API

curl -X POST https://your-workspace.signalsmith.dev/api/v1/groups/{group_id}/members \
  -H "Authorization: Bearer $API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "member_ids": ["mem_abc123", "mem_def456"]
  }'

Removing Members

Via the UI

1. Navigate to the group detail page
2. In the Members tab, find the member
3. Click Remove next to their name
4. Confirm the removal

Via the API

curl -X DELETE https://your-workspace.signalsmith.dev/api/v1/groups/{group_id}/members/{member_id} \
  -H "Authorization: Bearer $API_TOKEN"

Member Limitations

• A member can belong to multiple groups. Their effective data access is the combination of all access filters from all their groups.
• Adding or removing a member from a group takes effect immediately. Their next query will reflect the updated access filters.
• Only Owners and Admins (users with governance.manage permission) can modify group membership.

Assigning Access Filters to Groups

Access Filters provide the row-level filtering that groups enforce. See Access Filters for how to create access filters.

Via the UI

1. Navigate to the group detail page
2. In the Access Filters tab, click Add Access Filter
3. Select one or more access filters from the list (grouped by category)
4. Click Save

Via the API

curl -X PUT https://your-workspace.signalsmith.dev/api/v1/groups/{group_id} \
  -H "Authorization: Bearer $API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "subset_ids": ["sub_abc123", "sub_def456"]
  }'

How Multiple Access Filters Interact

When a group has multiple access filters:

• Access filters in the same category are combined with OR (the member sees data matching any of them)
• Access filters in different categories are combined with AND (the member sees data matching all categories)

See Access Filters for detailed examples.

Viewing Group Details

The group detail page shows:

Editing a Group

To update a group’s name or description:

1. Navigate to the group detail page
2. Click Edit in the header
3. Modify the name or description
4. Click Save

Changing a group’s name or description does not affect its members or access filter assignments.

Deleting a Group

To delete a group:

1. Navigate to the group detail page
2. Click Delete
3. Confirm the deletion

Deleting a group:

• Removes all members from the group (their workspace access is not affected)
• Removes all access filter assignments from the group
• Members who were in the group will no longer have those access filters applied to their queries

This action cannot be undone.

Common Group Patterns

API Reference

# List all groups
GET /api/v1/groups
 
# Get a single group
GET /api/v1/groups/{id}
 
# Create a group
POST /api/v1/groups
 
# Update a group
PUT /api/v1/groups/{id}
 
# Delete a group
DELETE /api/v1/groups/{id}
 
# Add members to a group
POST /api/v1/groups/{id}/members
 
# Remove a member from a group
DELETE /api/v1/groups/{id}/members/{member_id}
 
# List group members
GET /api/v1/groups/{id}/members

Best Practices

• Name groups by team and function — Use descriptive names like “EMEA Marketing” or “Partner Support - Acme” so membership is self-explanatory.
• Keep groups focused — Each group should represent a single access pattern. If members need different data access for different use cases, use separate groups.
• A member can belong to multiple groups — Use this to build composite access. For example, a member in both “EMEA Team” and “Marketing Team” sees EMEA marketing data.
• Review membership regularly — As team composition changes, update group membership to ensure data access stays current.
• Prefer groups over direct management — Even for a single member who needs a unique access filter, create a group. It makes the access model consistent and easier to audit.

Next Steps

• Create access filters to assign to your groups
• Manage workspace members
• Review the permission model to understand role-based access