Group Management

Groups are the middle tier in Thallus's 4-tier permission hierarchy. They let org admins apply agent access and data RBAC settings to subsets of users without configuring each person individually.

What groups control

Group

→

Agent access

Data RBAC

Groups sit between Organization and User Override in the permission cascade:

Tier	Scope
Platform	All orgs (superadmin)
Organization	All org members (org admin)
Group	Members of a specific group (org admin)
User Override	One specific user (org admin)

A group-level "allow" or "deny" overrides the organization setting but can itself be overridden by a user-level setting. See Agent Access Control and Data Access Control for full resolution details.

Creating groups

CREATE GROUP

Group name

Analytics Team

Description

Data analysts with access to reporting databases

Create Group

Group names must be unique within an organization
Description is optional but helps identify the group's purpose
Org admins create groups in their own org; superadmins can create in any org

Group membership

Each membership has one of two roles:

member admin

Role	What they can do
member	Inherits the group's permission settings
admin	Same as member, plus can view group members and audit logs scoped to the group

Rules: - Users must belong to the same organization as the group - A user can only have one membership per group (unique constraint on user + group) - Both roles receive the group's agent access and data RBAC settings identically

Managing members

ANALYTICS TEAM · 3 MEMBERS

Alice Johnson

admin

Bob Chen

member

Carol Davis

member

Org admins can: - Add members — select users from the same org and assign a role - Remove members — immediately revokes group-level permissions - Update role — switch between member and admin

Multi-group membership

Users can belong to multiple groups. When a user is in several groups, Thallus uses permissive resolution: any group "allow" wins, even if another group denies.

Group A	Group B	Result
allow	deny	allow
deny	inherit	deny
inherit	inherit	inherit (check org level)

This means adding a user to a group can only expand their access, never restrict it. To restrict a specific user, use a user-level override instead.

Deleting groups

Deleting a group: - Cascade deletes all memberships (users are not deleted, just removed from the group) - Removes all group-level agent access and data RBAC settings - Members revert to their organization-level permissions (or user overrides if set)

This is not reversible. Consider removing members first if you want to reassign them to a different group.

Agent Access Control — How the 4-tier hierarchy resolves agent permissions
Data Access Control — How data RBAC uses group settings
Agent Restrictions (Admin) — Configure agent access at each tier
Data RBAC (Admin) — Configure data access at each tier
User Management — Create and manage user accounts