Context types (what a group is used for)
Every Authorization Group has a context type that determines its purpose within the platform:
| Type | Icon | Purpose |
|---|
| Role group | | Used for access routing and role assignment workflows. Determines which users receive a particular organizational role. |
| Security group | | Controls application permissions and access control policies. Used as the target of Permission Packages. |
| Mailing group | | Used as email distribution lists. Requires an associated email address and optional newsletter visibility settings. |
Population types (how members enter the group)
| Type | Description | Who manages it |
|---|
| Calculated | Members are determined automatically by rules evaluated on the nightly cron scheduler. | Rules engine (automatic) |
| Explicit | Members are added and removed manually by the group responsible or delegate. | Responsible / Delegate |
| Mix | Combines automatic calculated rules with manual member additions and overrides. | Both |
| Group of groups | Membership is inherited from one or more linked child groups via nightly sync. | Automatic (via child groups) |
User scope (which users can be members)
| Scope | Description |
|---|
| Internal | Only internal users (employees and collaborators registered in the main directory). |
| External | Only external users (accounts outside the main directory, typically used for mailing or partner access). |
| All | Both internal and external users. |
Global groups
Any group can additionally be marked as a Global group, making it visible and usable across all brands and tenants in the platform. Global group membership aggregates users from all brands. This setting is restricted to system administrators and should be used with caution.
