Groups allows you to manage Amplitude user permissions at scale. With Groups, you can add multiple users to a Group and quickly assign them sets of permissions, allowing you to easily provision and manage your Amplitude organization.
For example, create Groups of users like "Marketing Team" or "Payments Team" and assign project permissions to them in bulk. This allows you to control different groupings of users rather than managing each individual user's permissions.
- This feature is only available to Enterprise customers with this feature enabled.
- Only Admins in the organization can edit Groups.
- It is recommended to be familiar with our user permissions model.
Table of contents
- Groups Overview
- Create a Group
- View and Manage Group Access
- Assign Groups when Inviting New Users
- Things to Consider when Assigning User Permissions
- Example Scenarios
Create a Group
Under Settings, navigate to the Team Members section. Under Team Members, there will be a Users tab and a Groups tab.
Click "New Group" in the upper right corner and follow these steps:
- Name your group and add an optional description.
- Select optional Team Spaces. When a user is added to the group, they are automatically added to the selected Team Spaces as well. Note: existing members of the Team Space will not be automatically added to this Group.
- Assign Project access permissions. You can select any number of projects and roles.
Note: If a user is granted access to a project individually or via another Group, Amplitude will take the highest level permission. For example, if a user has "No Access" or a "Member" role for Project A via this Group but "Manager" access to Project B via another Group or via individual assignment, the user will be a manager of the Group. Please see below for more Example Scenarios.
Next, add any number of users to the new Group. This step is optional if you are not yet ready to add users to the Group. You can always assign users to the Group at a later time.
Finally, review your selections and Create Group.
To modify a Group's permissions or assign/unassign users from the Group, navigate back to Team Members > Groups and click on the Group name.
To delete a Group(s), select them on the Groups tab and then click the Delete option above the table.
View and Manage Group Access
Under the Users tab in the Team Members section, you can easily view and manage what Groups users are assigned to. Select the users to manage access for and choose 'Manage Group Access' in the menu. You can then select Groups to assign users to as well as assign/deassign users to Groups at an individual level.
Select Users to Manage Group Access:
Change Group assignments:
Review Group access changes:
Assign Groups when Inviting New Users
When inviting new users to your organization, you can assign them to a Group and/or assign individual project permissions during the 'Assign Access' step.
Things to Consider when Assigning User Permissions
User Permissions can be assigned via Groups or individually via User Management. It is recommended that Admins decide on a method for assigning user permissions, whether it is one method over the other or a hybrid of the two. Below we list some points to take into consideration to help decide which method is best suited for your organization.
Organize permissions and scale easily.
Integrate with other permissions models in the future.
Harder to manage individual overrides to user permissions. Requires creating a new Group for exceptions.
Customized permissions for each user.
Difficult to manage at larger scales.
Difficult to keep organized.
Benefits of both methods - organization and scale along with individually assigned permissions for one-off cases.
Difficult to know which assignment is the source of truth.
If your organization utilizes 3rd party identity and access management softwares (eg. Okta, GSuite, SailPoint, etc), you will be able to integrate these with Amplitude in the future. In this case, it is recommended that you set up Groups within Amplitude that align with the company structure and standard sets of permissions/roles in your organization. Access management integrations will only be able to be managed via Groups.
When a user is assigned multiple permissions via Groups or individually, the highest permission level will be given to the user.
Example A: Steve is assigned to a Group that provides Member permissions to a project.
- You can individually upgrade Steve to a higher role such as Manager via User Management
- If you later decide you’d like Steve to be a Member again, you can individually downgrade her to the Member level.
- This is possible because the Member role is level with or higher than the Group settings
Example B: Sheila is a Manager of a project based on Group membership
- You cannot individually downgrade her to a Member or Viewer via User Management
If a user is removed from a Group, then permissions granted via the group will be revoked. If a user has selected project permissions via User Management, those permissions will remain intact.
Example C: Marco is individually assigned Viewer permissions for Project A. He is also granted Manager permissions for Project A and Project B via Groups.
- Marco is a Manager of Project A and Project B because this is the highest level of permission granted to Marco.
- If I remove Marco from the Group, he will only be a Viewer for Project A.
- If I later add Marco back to the Group, he again gets the union of all the user-specified and Group-specified permissions - in this case, he will become a Manager for Project A and Project B again.
Example D: Tyra does not have any individually assigned project permissions but is assigned to a Group that grants Member permissions for Project A.
- If Tyra is removed from the Group, she will no longer have access to any content in the organization.