Groups & automatic provisioning
Groups let you give sets of external or internal users access to their own folder — supplier companies, departments, branches — with the folder, permissions and memberships created automatically when you invite people.
What are groups and group types?
A group is a set of users who share access to the same folder — for example the supplier company "Supplier One" or the "Finance" department. Group types (such as "Suppliers" or "Departments") organize related groups together.
Groups are managed in Admin → Groups, where administrators create group types and groups, and add or remove members. Only administrators can define who belongs to a group.
Renaming a group also renames its folder. Deleting a group never deletes its folder or its documents — the files stay exactly where they are.
Set up automatic provisioning
Provisioning is configured once, on a custom role. From then on, every new group of the chosen type gets its own restricted folder automatically.
- 1Go to Admin → Groups and create a group type (for example "Suppliers").
- 2Go to Admin → Custom roles, open (or create) the role your external users will have, and find the "Automatic provisioning" section.
- 3Choose the group type, the target project, the parent folder, and the permission the group will get on its own folder (Edit by default).
- 4Add access rules for the role on the shared folders — for example View on the parent folder and Download on a policies folder.
Invite a user with a role and a group
Invitations, roles and groups work together in a single step.
- 1Go to Admin → Invitations and enter the person's email address.
- 2Pick a custom role. If the role has a provisioning template, a group selector appears.
- 3Choose an existing group, or create a new one by simply typing its name.
- 4Send the invitation.
Example: a supplier portal
Imagine you exchange documents with dozens of supplier companies. Create a restricted project, a "Policies" folder with a Download rule for the Supplier role, and a parent folder "Suppliers" with a View rule for the same role. On the Supplier role, configure a provisioning template pointing at the "Suppliers" folder.
Each supplier company becomes a group. When you invite a contact at "Supplier One" with the Supplier role and their group, they can read your policies (without changing them), upload documents only inside their own "Supplier One" folder — and they never see the folders of other suppliers.
Because the group defines what each person sees, adding a second contact from the same company is just another invitation to the same group.
Example: expenses by department
The same pattern works internally. Create a group type "Departments" and a role "Expense submitter" with a provisioning template pointing at a shared "Expenses" parent folder.
Each department — Finance, Sales, Operations — is a group with its own folder. Employees upload receipts to their department's folder, management can review everything, and no department sees another department's expenses.
Manage groups
Everything happens in Admin → Groups.
Rename a group and its folder is renamed to match. Add or remove members at any time — access follows membership immediately.
When a relationship ends, delete the group: its members lose the group's access, but the folder and every document inside it are preserved.
Group permissions
Access rules can target groups, in addition to users and roles: open the lock on any project, folder or document and use the "Groups" tab.
Permissions are hierarchical: View < Download < Edit < Full — each level includes the previous ones. Edit allows uploading and editing documents but not deleting them; only Full allows deletion.
Folders created by provisioning are restricted from the start: only the group (and administrators) can see them.