Groups & automatic provisioning

Groups let you give sets of external or internal users access to their own folder — supplier companies, departments, branches — with the folder, permissions and memberships created automatically when you invite people.

What are groups and group types?

A group is a set of users who share access to the same folder — for example the supplier company "Supplier One" or the "Finance" department. Group types (such as "Suppliers" or "Departments") organize related groups together.

Groups are managed in Admin → Groups, where administrators create group types and groups, and add or remove members. Only administrators can define who belongs to a group.

Renaming a group also renames its folder. Deleting a group never deletes its folder or its documents — the files stay exactly where they are.

Set up automatic provisioning

Provisioning is configured once, on a custom role. From then on, every new group of the chosen type gets its own restricted folder automatically.

  1. 1Go to Admin → Groups and create a group type (for example "Suppliers").
  2. 2Go to Admin → Custom roles, open (or create) the role your external users will have, and find the "Automatic provisioning" section.
  3. 3Choose the group type, the target project, the parent folder, and the permission the group will get on its own folder (Edit by default).
  4. 4Add access rules for the role on the shared folders — for example View on the parent folder and Download on a policies folder.
💡 From now on, whenever a group of that type is created, its restricted folder appears automatically inside the parent folder, with the group's permission already applied.

Invite a user with a role and a group

Invitations, roles and groups work together in a single step.

  1. 1Go to Admin → Invitations and enter the person's email address.
  2. 2Pick a custom role. If the role has a provisioning template, a group selector appears.
  3. 3Choose an existing group, or create a new one by simply typing its name.
  4. 4Send the invitation.
💡 When the person accepts, everything is set up automatically: they join the workspace and the project, receive the role, become a member of the group, and the group's folder already exists. No manual configuration needed.

Example: a supplier portal

Imagine you exchange documents with dozens of supplier companies. Create a restricted project, a "Policies" folder with a Download rule for the Supplier role, and a parent folder "Suppliers" with a View rule for the same role. On the Supplier role, configure a provisioning template pointing at the "Suppliers" folder.

Each supplier company becomes a group. When you invite a contact at "Supplier One" with the Supplier role and their group, they can read your policies (without changing them), upload documents only inside their own "Supplier One" folder — and they never see the folders of other suppliers.

Because the group defines what each person sees, adding a second contact from the same company is just another invitation to the same group.

Example: expenses by department

The same pattern works internally. Create a group type "Departments" and a role "Expense submitter" with a provisioning template pointing at a shared "Expenses" parent folder.

Each department — Finance, Sales, Operations — is a group with its own folder. Employees upload receipts to their department's folder, management can review everything, and no department sees another department's expenses.

Manage groups

Everything happens in Admin → Groups.

Rename a group and its folder is renamed to match. Add or remove members at any time — access follows membership immediately.

When a relationship ends, delete the group: its members lose the group's access, but the folder and every document inside it are preserved.

Group permissions

Access rules can target groups, in addition to users and roles: open the lock on any project, folder or document and use the "Groups" tab.

Permissions are hierarchical: View < Download < Edit < Full — each level includes the previous ones. Edit allows uploading and editing documents but not deleting them; only Full allows deletion.

Folders created by provisioning are restricted from the start: only the group (and administrators) can see them.