Group Management
Groups are the core of access management in ShiftControl. Every app assignment, every permission, and every access decision flows through groups.
Overview
Groups are how you give people access to apps in ShiftControl. Instead of assigning apps to individual users one at a time, you assign apps to groups and then manage who belongs to each group. When a user joins a group, they immediately gain access to every app assigned to that group. When they leave, that access is revoked.
The Group Management page is your central hub for viewing and organizing all groups across your organization.
How It Works
The groups list displays a table with the following information for each group:
- Group: The group name and description.
- Group Tag: A color-coded label that categorizes the group (Role Access, Team, Location, Department, Distribution, or No tag).
- Directory: Which directory the group belongs to.
- Google Sync: An icon indicating whether the group syncs to Google Workspace.
- Group Stats: Counts of users and apps associated with the group.
Use the filters at the top of the page to narrow the list by directory or tag. The search bar lets you find specific groups by name.
Common Scenarios
Department-based app access -- Create a group like "Accounting" with a dynamic rule that matches users whose Department attribute equals "Accounting." Assign finance apps (QuickBooks, Expensify, NetSuite) to the group. Every accountant gets access automatically, and new hires in the department are added the moment their profile is set up.
Role-based access for cloud infrastructure -- Create groups like "AWS Production Access" and "AWS Staging Access" tagged as Role Access. Assign the appropriate AWS SSO app to each group. Engineers who need production access are added to the production group; everyone else only gets staging.
Location-based distribution lists -- Create groups like "All Singapore Users" or "All America Users" with dynamic rules matching the Location attribute. Enable Google Sync to automatically create Google Workspace distribution lists, so you can email an entire office with one address.
Viewing and Filtering Groups
Search and Filter
Use the search bar to find groups by name. The filter dropdowns let you narrow the list:
- All directories: Filter by the directory a group belongs to.
- All tags: Filter by group tag to see only groups of a specific category.
Quick View
Click on any group row to open a quick view sidebar that shows an immediate snapshot of the group without navigating away from the list. The quick view shows:
- Which users are assigned to the group.
- How each user was added (dynamic rule, nested group, or individual assignment).
Group Tags
Group tags categorize your groups so you can understand their purpose at a glance. Tags are color-coded and appear next to each group name in the list.
The default tag categories are:
- Department -- Groups organized by business unit (Accounting, Engineering, Marketing).
- Team -- Groups for cross-functional or project teams.
- Location -- Groups based on office or region.
- Role Access -- Groups that control access to specific tools or environments.
- Distribution -- Groups used primarily for email distribution via Google Sync.
- No tag -- Groups that have not been categorized yet.
Filtering by Tag
Click the tag filter dropdown on the Group Management page to show only groups with a specific tag. This is particularly useful during access reviews or audits when you need to verify all groups of a certain type.
Changing a Group Tag
You can change a group's tag in three ways:
- From the group edit page: Change the tag in the Group Tag dropdown on the General tab.
- From the context menu: Right-click or use the dropdown menu on a group row and select Change tag.
- In bulk: Select multiple groups using the checkboxes, then use the Change tag option from the bulk actions menu.
The set of available tags for your organization is managed in Organization Settings. You can add, rename, or remove tag definitions there.
Things to Know
- Groups are pushed to JumpCloud immediately. ShiftControl groups are pushed to your JumpCloud directory via API in real time, so group membership changes propagate to any JumpCloud-integrated systems.
- Deleting a group revokes access. When you delete a group, every user in that group loses access to the apps assigned to it. Review the group's app assignments before deleting.
- Users can belong to multiple groups. A user's total app access is the combined set of all apps from every group they belong to.
- Group changes take effect immediately. When you add or remove a user from a group, their app access updates right away.
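The combined-set rule and the advice to review app assignments before deleting a group can be checked offline before making the change. The sketch below is an added example, not ShiftControl code or its API: the group and user data are constructed, the function names are hypothetical, and it assumes a user keeps an app when another of their groups still grants it.

```python
# Constructed sample data; not a ShiftControl export format or API response.
GROUP_APPS = {
    "Accounting": {"QuickBooks", "Expensify", "NetSuite"},
    "AWS Production Access": {"AWS SSO (Production)"},
    "AWS Staging Access": {"AWS SSO (Staging)"},
    "Finance Leads": {"NetSuite"},
}
GROUP_MEMBERS = {
    "Accounting": {"ana", "ben"},
    "AWS Production Access": {"cy"},
    "AWS Staging Access": {"cy", "dee"},
    "Finance Leads": {"ana"},
}


def effective_access(user, group_apps=GROUP_APPS, group_members=GROUP_MEMBERS):
    """Union of the apps of every group the user belongs to."""
    apps = set()
    for group, members in group_members.items():
        if user in members:
            apps |= group_apps.get(group, set())
    return apps


def deletion_impact(group, group_apps=GROUP_APPS, group_members=GROUP_MEMBERS):
    """Map each member of `group` to the apps they would lose if it were deleted.

    An app counts as lost only when no other group the user belongs to
    also grants it (assumption derived from the combined-set rule).
    """
    if group not in group_members:
        raise KeyError(f"unknown group: {group}")
    remaining_members = {g: m for g, m in group_members.items() if g != group}
    impact = {}
    for user in sorted(group_members[group]):
        before = effective_access(user, group_apps, group_members)
        after = effective_access(user, group_apps, remaining_members)
        impact[user] = sorted(before - after)
    return impact


if __name__ == "__main__":
    for user, lost in deletion_impact("Accounting").items():
        print(f"{user}: loses {lost or 'nothing'}")
```

The same comparison is useful in an access review: a user whose impact list is empty holds every app in that group through some other membership as well.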
Related Features
- Adding a Group -- Create new groups and configure their settings.
- Editing a Group -- Configure dynamic, nested, and individual membership rules.
- Syncing Groups with Google -- Push group membership to Google Workspace for email distribution and permissions.