
Users and Groups visibility

Since the release of Catalyst version 1.10.0, we have restricted the visibility of users. This is done via the List permission and is directly linked with User Group Permission Sets.

Now you can manage precise user and group visibility across your entire platform through an intelligent permission system that adapts to your organisation's needs. You can ensure that the right users have access to the right information, helping you maintain both operational efficiency and strict compliance with privacy standards.

What are List permissions?

List permissions are essential for controlling who can see and select users and groups across the system. They are the foundation of user and group visibility across the platform. Without the appropriate permissions, users will not appear in selection fields, preventing unauthorised or unnecessary access to specific individuals or groups.

The one exception to this rule: where a user type field has been configured with, say, 10 users and 2 groups, all of these are available for selection in that field to any user who has permission to create or edit records where that field is provided, irrespective of whether they have permission to view those users. Certain details of the user(s) selected in that field can also be viewed, i.e. Name and Email address.

How are List permissions granted?

Permissions for viewing and listing users and groups are closely connected: when you have permission to view users or user groups, you automatically gain list permissions for those users and groups as well.

Important: being able to view a user group also enables you to list all members within that group, allowing for seamless selection and interaction wherever user or group visibility is required in the system.

List permissions can be granted through several mechanisms:

1. User Group Permission Sets

Each user group has predefined permission sets - Owners, Members, and Everyone - that determine who can view and interact with the group.

  • Owners: the group owners have full permissions - view, edit, and delete - over the group. Importantly, these permissions cannot be modified for group owners. Owners will have full visibility into the group and can manage it completely.
  • Members: this permission set applies to all members of the group. By default, "view" permission is set to true, meaning group members can see the group as a whole and list its other members in contexts like task assignments, default task assignees selection, or permission sets.
  • Everyone: this set applies to all other users in the system who are not part of the group. By default, no permissions are granted, meaning that users outside the group cannot list any of the group's members. This is crucial in industries like finance, where only authorised users should have access to specific groups, such as compliance officers or risk management teams.
  • Custom Permission Sets: Custom Permission Sets can be created to provide more granular control over which users or departments can view specific groups or users. For instance, a legal department might need visibility into compliance groups, while HR can be restricted from viewing sensitive case-related groups.


2. API (for Config Admins)

Config Admins can be granted the users.list permission exclusively through the API by a dedicated role. This role enables them to list and view all users across the system, even if those users are not part of their assigned groups. For large companies, this API-based permission ensures that trusted administrators can manage user visibility on a global scale, while regular users remain restricted to their specific groups.


3. Super Admins

These types of users have full list permissions throughout the platform, including full user account details. This ensures that system-wide administrators maintain comprehensive oversight and manage users and permissions effectively.

Visibility for One-Time Completion (1TC) Accounts

Users with One-Time Completion (1TC) accounts are crucial for specific workflows but cannot be assigned to any group. However, they need to remain visible for task assignments, filtering, and user-type fields. Therefore, visibility of 1TC users is automatically granted to:

  • Super Admins: as part of their global visibility.
  • Config Admins with the appropriate users.list permission via API.

This ensures seamless management of temporary or task-specific users while maintaining strict control over visibility.

Where do list permissions matter?

List permissions enable users to see and choose group members or groups in any part of the system where user and user group selection is available, such as:

  • Task ownership and assignment
  • Object Class and Record ownership
  • Permission Sets (both Object Class and Record)
  • User-Type Class fields
  • Default task assignees in Sequences
  • User Group management and Permission Sets
  • Dropdown autocompletes and filters

Users will always have permission to list themselves. This ensures that every user can select themselves when needed, such as assigning themselves to a task, regardless of group or system permissions.

By tying view and list permissions together, we've made it easier to enforce security protocols while maintaining the flexibility needed for complex workflows.
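The rules above can be checked against a small model when reviewing a group configuration. This is an added example, not Catalyst code or its API: the class names, function names, and sample users are hypothetical, and a custom permission set is simplified to a set of user names granted view.

```python
from dataclasses import dataclass, field

@dataclass
class Group:
    name: str
    owners: set
    members: set                  # the group creator is both owner and member
    members_view: bool = True     # Members: "view" defaults to true
    everyone_view: bool = False   # Everyone: nothing granted by default
    custom_view: set = field(default_factory=set)  # simplified custom permission set

@dataclass
class Viewer:
    name: str
    super_admin: bool = False
    users_list: bool = False      # users.list granted via API (Config Admin)

def can_view_group(viewer, group):
    if viewer.name in group.owners:          # owner permissions cannot be modified
        return True
    if viewer.name in group.members and group.members_view:
        return True
    return viewer.name in group.custom_view or group.everyone_view

def listable_users(viewer, groups, all_users):
    """Users the viewer can list; all_users includes 1TC accounts (no group)."""
    if viewer.super_admin or viewer.users_list:
        return set(all_users)                # global visibility, incl. 1TC accounts
    visible = {viewer.name}                  # users can always list themselves
    for g in groups:
        if can_view_group(viewer, g):        # view on a group implies list of its members
            visible |= g.members
    return visible

def groups_exposed_to_everyone(groups):
    """Audit helper: groups whose membership every user in the system can list."""
    return [g.name for g in groups if g.everyone_view]

# Constructed sample data (hypothetical names); "otc-1" stands for a 1TC account.
GROUPS = [
    Group("compliance", {"alice"}, {"alice", "bob"}, custom_view={"lena"}),
    Group("hr", {"carol"}, {"carol", "dave"}),
    Group("all-staff", {"carol"}, {"carol", "frank"}, everyone_view=True),
]
ALL_USERS = {"alice", "bob", "carol", "dave", "lena", "frank", "erin", "root", "otc-1"}
```

Running `groups_exposed_to_everyone(GROUPS)` over an exported configuration is a quick way to find groups where the Everyone set was given view and membership is therefore listable platform-wide.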

Useful info

  1. The user who creates a user group automatically becomes its Owner and a member of the group.
  2. The maximum number of User groups you can have in your system is 1,000.