| Available for | |
| --- | --- |
| Roles | Onboarding Admin |
| Packages | Lever and Lever for Enterprise. Requires Onboarding add-on |
The user group manages permission assignments for dashboard users in your organization. You can create a user group for each department, job function, region, franchisee, or any other dimension that fits your organizational hierarchy. Permissions are assigned at the group level. When a user is added to multiple groups, they receive the collective set of permissions from all the groups they belong to.
Best Practice
For complex use cases, we recommend keeping each user group specific to one entity. For example, you may create one user group to manage employee access for each region and another to manage employer access. This keeps the access rule readable and straightforward, reducing the risk of misconfiguration.
Create a User Group
Within Onboarding, select Settings.
Click Organization Settings.
Select User Groups.
On the User Groups page, click New User Group.
The Create a new user group page is displayed.
When creating a new group, first add a Name, then select the Users to join the group.
Next, configure the Access Rules.
For example, you may have an organization divided into multiple service regions. To limit access by service region, you would first create a custom attribute that represents the service region each employee belongs to. You can then create a user group to represent, for example, "US East Onboarding Admins". To limit all permissions assigned to this group to the "US East" service region, configure the group access rule as shown below.
Select all the Permissions that users in this group should receive.
For example, the configuration in the screenshot below creates a user group that gives its users full access to manage employees in the "US East" service region (based on employee custom attributes).
When you have finished creating the user group, click Create User Group.
You will be redirected back to the User Groups page, where the new user group will be reflected in the list.
Mixing Permissions of Different Entities
You can create a user group with permissions for different entities. For example, you can assign both employee:view and employer:view permissions under the same group. It is important, however, that the access rule is configured with the following considerations (as shown in the screenshot below):
- The rule must have a top-level ANY condition.
- Each entity type (employee or employer) must have its own condition in the rule.
When visiting a record in the system (such as an employee), Onboarding applies the record's properties against the dashboard user's permissions and their associated access rule. Access is granted only when both of the following conditions are met:
- The user has the required permission, such as employee:read.
- The access rule associated with that permission is evaluated successfully as a whole against the record's properties. For example, if the access rule requires service_region to be "US East", access will be granted only to employees with that custom attribute.
For example, if you grant a job:view permission without a corresponding job-based condition in the access rule, the job permission will never grant access to any jobs. In summary, permissions determine the actions that a group of users is allowed to perform, whereas access rules determine the context or scope under which those actions can be performed.
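The evaluation described above can be modelled in a few lines of Python. This is an added example, not Lever's code: the rule format (`any`/`all` nodes with `entity`/`attribute`/`equals` leaves), the function names, and the sample group are assumptions made for illustration. It also includes a check that flags permissions, such as job:view, whose entity has no condition in the access rule and which therefore can never grant access.

```python
# Illustrative model only: the rule structure is an assumption,
# not Lever Onboarding's actual rule format or API.

def entity_of(permission):
    """'employee:view' -> 'employee'"""
    return permission.split(":", 1)[0]

def rule_matches(rule, entity_type, record):
    """Evaluate a rule node against one record's properties.
    Branch: {"any": [...]} or {"all": [...]}; leaf: entity/attribute/equals."""
    if "any" in rule:
        return any(rule_matches(r, entity_type, record) for r in rule["any"])
    if "all" in rule:
        return all(rule_matches(r, entity_type, record) for r in rule["all"])
    # A leaf condition only applies to records of its own entity type.
    return (rule["entity"] == entity_type
            and record.get(rule["attribute"]) == rule["equals"])

def can_access(groups, permission, record):
    """Grant only if a group holds the permission AND its access rule passes."""
    entity_type = entity_of(permission)
    return any(permission in g["permissions"]
               and rule_matches(g["rule"], entity_type, record)
               for g in groups)

def rule_entities(rule):
    """Collect every entity type that has a condition somewhere in the rule."""
    for key in ("any", "all"):
        if key in rule:
            return set().union(*(rule_entities(r) for r in rule[key]))
    return {rule["entity"]}

def dead_permissions(group):
    """Permissions whose entity has no condition: they never grant access."""
    covered = rule_entities(group["rule"])
    return sorted(p for p in group["permissions"] if entity_of(p) not in covered)

# Constructed sample group mixing entities (attribute values are made up).
MIXED = {
    "permissions": {"employee:view", "employer:view", "job:view"},
    "rule": {"any": [
        {"entity": "employee", "attribute": "service_region", "equals": "US East"},
        {"entity": "employer", "attribute": "service_region", "equals": "US East"},
    ]},
}
```

Replacing the top-level `any` with `all` in this model makes every check fail, because a record of one entity type can never satisfy the other entity's condition.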