Manage permissions at scale with permission groups
With permission groups, you can assign permissions to multiple users in a single step based on group membership. Permission groups streamline provisioning and management for your Amplitude organization.
For example, you might create groups like "Marketing Team" or "Payments Team," add users to them, and assign project permissions to each group instead of each team member. All users assigned to a group receive that group's permissions. You can assign users to multiple groups. To change a specific group member's permission level, remove them from the group.
Amplitude grants the highest level of permissions assigned to a user. When you assign a user to a group, they inherit its project permissions. If a user has their own set of project permissions, their new set of permissions are a combination of the two, with projects taking on the highest role.
Before you begin
- Only Admins in the organization can edit groups.
- You can manage permission groups through the User Management API (a SCIM API).
- Review Amplitude's user permissions model before proceeding.
Permission groups are different from team spaces. Permission groups control project-level access across the organization (Admin-only feature), while team spaces are collaborative workspaces that Members, Managers, and Admins can all create and manage.
Create a group
To create a new group:
Navigate to Settings > Organization settings. Then click Members & Groups.
From the Groups tab, click + New Group. The Create New Group pane opens.
In the General tab, name your group and add a description, if you want.
If you want, select from the Team Spaces drop-down any team spaces you want to automatically add group members to. Amplitude doesn't automatically add existing members of the selected Team Spaces to this group.
Select the appropriate group type from the drop-down.
Click + Add Project and select the projects this group can access. You can add any number of projects to the group.
For each project, select the appropriate project role. All group members have the permission level that's attached to that project role.
If a group member already has access to a project individually or through another group, Amplitude applies the highest permission level they have. For example, if a user has a "Member" role for a project through Group A and belongs to Group B that grants "Manager" access to the project, the user has manager access to this project. Review more example scenarios.
- Open the Members tab and click + Add Members. Select the users you want to add from the drop-down. You can skip this step if you aren't ready to add members.
- Click Save to finish creating your group.
Edit a group
You can modify the group's permission levels, add or remove group members, change the group type or associated team spaces, or add projects to a group at any time.
To remove a member from the group, navigate to the Members tab and check the box next to the member's name. Then click Remove.
To modify the group's permission level for a specific project, navigate to the General tab and check the box next to the project's name. Click the Edit Project Role dropdown and select the appropriate project role for the group, or click Remove Project Access to prevent access to the project from members of this group.
Assign groups when inviting new users
When inviting new users to your organization, you can assign them to a group, assign individual project permissions, or both during the Assign Access step.
Things to consider when assigning user permissions
You can assign user permissions through groups or individually through User Management. Admins should decide whether to use groups, individual assignment, or a hybrid of both methods. The following table helps you choose the best method for your organization.
| Method | Pros | Cons |
|---|---|---|
| Groups | Organize permissions and scale. Integrate with other permissions models in the future. | Harder to manage individual overrides to user permissions. Requires creating a new group for exceptions. |
| User Management | Customized permissions for each user. | Difficult to manage at larger scales. Difficult to keep organized. |
| Hybrid | Benefits of both methods: organization and scale, along with individually assigned permissions for one-off cases. | Difficult to know which assignment is the source of truth. |
If your organization uses third-party identity and access management software, such as Okta, Google Workspace, or SailPoint, you can integrate these tools with Amplitude in the future. Consider setting up groups within Amplitude that align with your company structure and standard permissions and roles. Access management integrations can only manage access through groups.
Example scenarios
When a user has multiple permission levels for a single project through group membership or individual assignment, the user receives the highest permission level available to them.
Example A: You assign Oleg to a group that provides Member permissions to a project.
- You can individually upgrade Oleg to a higher role through User Management.
- If you later decide to reassign Oleg to the lower-level Member role, you can individually downgrade Oleg to that permission level.
If you assign permissions to a user through User Management, those permissions can't be removed, downgraded, or limited through a group's permission levels. Conversely, if you assign permissions to a user through membership in a group, those permissions can't be removed, downgraded, or limited through User Management.
Example B: Akiko is a Manager of a project through membership in a group with Manager-level permissions.
- You can't individually downgrade Akiko to a Member or Viewer through User Management.
If you remove a user from a group, Amplitude revokes the permissions granted through the group. If a user also has project permissions through User Management, those permissions remain intact.
Example C: You individually assign Marco Viewer permissions for Project A. Marco also receives Manager permissions for Project A and Project B through group membership.
- Marco is a Manager of Project A and Project B, because Manager is the highest permission level Marco has.
- If you remove Marco from the group, he's only a Viewer for Project A.
- If you add Marco back to the group later, he recovers the union of all the user-specified and group-specified permissions—in this case, he becomes a Manager for Project A and Project B again.
If you don't assign any permissions to a user individually or through group membership, that user can't view any content within your Amplitude organization.
Example D: Tyra doesn't have any individually assigned project permissions but belongs to a group that grants Member permissions for Project A.
- If you remove Tyra from the group, she no longer has access to any content in the organization.
Was this helpful?