Skip to main content

Access Groups

The Access Groups page manages reusable collections of users that can be assigned to Access Control rules. Instead of selecting individual users on each rule, you can add users to a group and reference that group across multiple rules.

Overview

Access Groups enable:

  • Centralized Membership: Add or remove a user from one group to update all rules that reference it
  • Simplified Rule Management: Assign a group to multiple access control rules instead of duplicating user lists
  • Organizational Structure: Group users by team, department, or access level

Viewing Access Groups

The main grid displays all configured access groups with the following columns:

  • ID - Unique group identifier
  • Name - Internal group name
  • Label - Human-readable display name
  • Description - Group description
  • Users - Group members (comma-separated usernames)
  • Enabled - Whether the group is active

Grid Actions

  • Add - Create a new access group
  • Edit - Modify an existing group
  • Delete - Remove a group
  • Reload - Refresh the grid data

Creating an Access Group

To create a new group:

  1. Click Add in the grid toolbar
  2. Configure the group (see below)
  3. Click Save Access Group

Group Configuration

Group Details

Name

  • Internal identifier (lowercase_with_underscores)
  • Examples: maintenance_staff, family_members, night_shift
  • Auto-formatted on change

Label

  • Human-readable display name
  • Examples: "Maintenance Staff", "Family Members"
  • Defaults to name if not set

Description

  • Describes the group's purpose
  • Examples: "Building maintenance team with after-hours access"

Status

  • Toggle to enable/disable the group
  • Disabled groups are ignored when evaluating access control rules — their members are not authorized through this group

Members

Select Users

  • Multi-select list of users to include in the group
  • A user can belong to multiple groups
  • Changes take effect immediately — the next access attempt will use the updated membership

Usage in Access Control Rules

Access groups are selected in the Access Groups section of an access control rule editor. When a credential is presented:

  1. GEM checks if the user is in the rule's individual authorized user list
  2. GEM also checks each access group assigned to the rule
  3. If the user is a member of any enabled group on the rule, access is granted (subject to schedule and cooldown)
tip

Access groups and individual user selection are additive — a user authorized by either method is granted access.

Common Use Cases

Team-Based Access

Group: engineering_team
Members: alice, bob, charlie
Used in rules: server_room, lab_entrance, office_main

Removing charlie from the group revokes access to all three doors at once.

Tiered Access Levels

Group: residents (all entry points, all hours)
Group: service_staff (service entrance only, weekdays)
Group: guests (guest entrance only, limited hours)

Temporary Contractors

  1. Create group: contractor_q2
  2. Add contractor user accounts
  3. Assign group to relevant access rules
  4. Disable or delete the group when the contract ends
  • Access Control - Configuring access rules that use groups
  • Users - Managing user accounts and credentials