Limiting access by group is only available with Enterprise-level products.
You can limit which groups users in your system can access. Limiting a user’s access to a particular group means that user can only view users belonging to that group and its sub-groups, and their data.
Or, it means they can only view and manage projects belonging to that group.
Access is limited by role. For example, if you limit access for a user’s Administrator role to your New York location, administrators will only be able to view data for users who are assigned to your New York location when carrying out administrator duties.
If a user is assigned multiple roles, you can define different levels of access for each role. For example, the administrator who can view only New York employees when carrying out administrator duties could be allowed to manage payroll for users in all locations.
Currently, you can only limit access by group for the Administrator, Payroll Manager, Project Management, and Schedule Manager roles.
There are a few reasons why you might want to limit a user’s access:
To limit what group a user can access:
A Roles & Permissions table displays. In the Access section, a field appears for each type of group defined in your system, for each supported role that’s been assigned to the user.
If the group is a hierarchy and you choose a parent group, the user will have access to all children under that parent, even if the check boxes aren't checked.
The 'or' in this case means both selected combinations apply, not one or the other. For a user to be accessible to the administrator, they must belong to all the groups defined in one of the rows. In the example above, to be accessible to the administrator, the employee must belong to HR and be located in Calgary or Toronto, OR they must belong to Finance.
Now the user will only have access to users assigned to the group combinations you selected, including any sub-groups, for the role in question.
If a user has access to the New York location and the Marketing division, they will be able to access data for users who are in New York AND Marketing. Users who are in New York but are in another division will not be accessible. The same applies for users who are in Marketing but are in a different location.
If you assign a user role without restricting access or assign a role that doesn't offer access filtering, the user will be able to see all data normally available for that role.
For example, if you limit a user’s access for the Administrator role to your Sydney location only, that user will only see staff from the Sydney office on the Administration > Employees and Organization > Users pages.
However, if that user is also assigned the Supervisor role, they’ll be able to see all their direct reports from all offices, not just Sydney, in reports and on pages that supervisors can access, such as the Team pages.
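The rules above can be modelled as a small access check, which is useful for reviewing a planned configuration before applying it. This is an added example, not the product's own code; the function names, the data layout, the "Canada" parent group and the use of "division" for HR and Finance are assumptions made for illustration.

```python
# Added illustration; group names, group types and the hierarchy are constructed.
PARENT = {"Calgary": "Canada", "Toronto": "Canada"}  # child group -> parent group

def in_scope(group, selected):
    """True if `group` is a selected group or a descendant of one."""
    while group is not None:
        if group in selected:
            return True
        group = PARENT.get(group)
    return False

def row_matches(row, memberships):
    """A row maps group type -> selected groups; every type listed must match (AND)."""
    return all(in_scope(memberships.get(gtype), selected)
               for gtype, selected in row.items())

def can_access(role_access, role, memberships):
    """Decide whether a target user is visible to the viewer acting in `role`.

    role_access: viewer's assigned roles -> list of access rows ([] = unrestricted).
    memberships: the *target* user's groups, e.g. {"division": "HR"}.
    The viewer's own group memberships are deliberately not an input.
    """
    if role not in role_access:
        return False              # role not assigned to the viewer
    rows = role_access[role]
    if not rows:
        return True               # no restriction: everything the role normally sees
    return any(row_matches(row, memberships) for row in rows)  # rows are ORed

# Constructed viewer: restricted as Administrator, unrestricted as Payroll Manager.
VIEWER = {
    "Administrator": [
        {"division": {"HR"}, "location": {"Calgary", "Toronto"}},
        {"division": {"Finance"}},
    ],
    "Payroll Manager": [],
}

if __name__ == "__main__":
    for target in (
        {"division": "HR", "location": "Calgary"},
        {"division": "HR", "location": "New York"},
        {"division": "Finance", "location": "New York"},
    ):
        for role in VIEWER:
            print(role, target, can_access(VIEWER, role, target))
```

Running it shows the same target user being hidden under one role and visible under another, which is the case to check when a user holds both a restricted and an unrestricted role.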
Users can be assigned to a group in their user profile. That means they are a member of that group. The groups they belong to have no impact on the groups they have access to. For example, even if a user belongs to the Sydney group, they will only have access to all the users in the Sydney group if Sydney is selected in the Access drop-down.
You can currently only limit access by membership in the customizable group types – location, cost center, service center, or division.
If you need to limit access by department or employee type, rename one of the customizable group types and use it as a department or employee type filter.
Refer to Setting up groups for information on that.