
Permissions best practices

It can be difficult to make your first few groups. With so many permissions available, it’s easy to get overwhelmed. That’s why we offer some advice and best practices for getting started, removing the barriers between getting started and implementing your workflow like a pro.

Only give users the permissions they need

It’s easy in the short term to give broad permissions to a group and assign that group to all of your users. It ensures that nobody gets blocked while they’re working and it makes onboarding simpler. But in the long term, it makes life harder. When everyone has access to every permission, it becomes harder to manage who is in charge of tasks, harder to track who is making specific changes, and harder to define roles. Instead, opt to give every user only the permissions they need and will use. Do not add them to groups with permissions they don’t need.

Make more groups than you think you need

Groups are at the heart of permissions, as they determine the permissions for each user. The easiest way to keep clear, granular controls is to make a group for each role or task in your organization. Remember that you can assign a user to multiple groups, so if a user needs more access than a single group provides, simply add them to more than one. Give each group a small, focused purpose so that changes will always apply to all members of that group.

Give your groups meaningful names and descriptions

The best way to make sure everyone only belongs to groups they need is to make sure each group has a clear purpose. The name and description fields will help to make sure everyone in your organization knows the purpose of each group, and will make it easy to review groups when new permissions are added.

Consider read-only groups

Most permissions have multiple levels of access, separating out the ability to view data from the ability to change it. Read-only groups can be valuable when training new hires or introducing new features. Consider making these lower-level groups and transitioning your team to edit permissions once they’ve gotten acclimated to those products and features.

Be judicious with the keys to the castle

Some permissions, such as those with “manage all” in the name, give sweeping rights to users in that group. These should only be handed out to trusted team members, and should be assigned sparingly.

Remove users regularly

When a team member leaves, be sure to remove their user from the Users screen. This will keep your group membership clean, readable, and meaningful.

Two-factor authentication is best

Two-factor authentication is one of the best tools you have to keep your access secure. The Two-factor authentication option on a group will require users to have two-factor authentication set up before they use the permissions granted by that group. It is strongly advised that you keep the option enabled at all times.

Note: Enabling two-factor authentication requires the Manage security settings permission. This permission also controls the ability to manage each item on the Security page of any user’s profile except initiating a password reset link.

Some permissions are connected

Some permissions automatically grant you other permissions. This most commonly happens with editing permissions, which grant view permissions automatically. Be aware of what permissions you are granting by default when you add a new permission to a group.
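
The following is an added example, not part of the original page or the product's own tooling. It audits a constructed set of groups to show how connected permissions and multiple group memberships combine into a user's effective access, and it flags "manage all" groups that do not require two-factor authentication. The data layout, permission names, and the implication map are assumptions for illustration.

```python
# Constructed sample data; the layout and permission names are assumptions,
# not the product's real export format.
IMPLIES = {  # granting the key also grants the values
    "edit_domains": {"view_domains"},
    "edit_services": {"view_services"},
    "manage_all_services": {"edit_services"},  # assumed chain, for illustration
}
GROUPS = {
    "dns-editors": {"perms": {"edit_domains"}, "require_2fa": True},
    "support-readonly": {"perms": {"view_services", "view_domains"}, "require_2fa": True},
    "platform-admins": {"perms": {"manage_all_services"}, "require_2fa": False},
}
MEMBERS = {
    "alice": ["dns-editors", "support-readonly"],
    "bob": ["platform-admins"],
}

def expand(perms):
    """Return perms plus everything they grant, followed transitively."""
    seen, stack = set(), list(perms)
    while stack:
        p = stack.pop()
        if p not in seen:
            seen.add(p)
            stack.extend(IMPLIES.get(p, ()))
    return seen

def effective_permissions(user):
    """Union of expanded permissions over all of the user's groups."""
    out = set()
    for group in MEMBERS.get(user, []):
        out |= expand(GROUPS[group]["perms"])
    return out

def audit():
    """Flag groups holding a 'manage all' permission without the 2FA requirement."""
    findings = []
    for name, group in sorted(GROUPS.items()):
        broad = sorted(p for p in expand(group["perms"]) if p.startswith("manage_all"))
        if broad and not group["require_2fa"]:
            findings.append((name, broad))
    return findings

if __name__ == "__main__":
    for user in sorted(MEMBERS):
        print(user, sorted(effective_permissions(user)))
    for name, broad in audit():
        print(f"REVIEW {name}: {broad} granted without two-factor requirement")
```
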