Group Management
Groups are how you give people access to apps in ShiftControl. Every app assignment, every permission, and every access decision flows through groups.
Overview
Instead of assigning apps to individual users one at a time, you assign apps to groups — then manage who belongs to each group. When someone joins a group, they immediately gain access to every app assigned to it. When they leave, that access is revoked.
This is the approach that scales. A new developer doesn't need five separate app assignments. They need to be added to the Engineering group, and everything else follows.
What You See
The groups table shows:
| Column | What It Tells You |
|---|---|
| Group | Name and description |
| Group Tag | Color-coded category (Department, Team, Location, Role Access, Distribution) |
| Directory | Which directories the group is synced to |
| Group Stats | Number of users and apps associated with the group |
Use the filters at the top to narrow by directory or tag. The sidebar shows group counts by tag category — click any category to filter.
Common Scenarios
Department-based app access — Create an "Accounting" group with a dynamic rule matching users whose Department equals "Accounting." Assign QuickBooks, Expensify, and NetSuite to the group. Every accountant gets access automatically — including new hires the moment their profile is set up.
Role-based cloud access — Create groups like "AWS Production" and "AWS Staging" tagged as Role Access. Assign the appropriate AWS SSO app to each. Engineers who need production access join the production group. Everyone else gets staging only.
Location-based distribution lists — Create "All Singapore Users" with a dynamic rule matching Location equals "Singapore." Enable Google Sync to automatically create a Google Workspace distribution list. Now anyone can email the entire Singapore office at one address.
Group Tags
Tags categorize your groups so you can understand their purpose at a glance, filter the list, and apply appropriate settings. ShiftControl provides predefined tag categories that cover common group purposes:
| Tag | Purpose | Example |
|---|---|---|
| Department | Official departments and teams | Accounting, Engineering, Marketing |
| Location | Groups by office, site, or region | Singapore Office, London HQ |
| Team | Cross-functional or project-based teams | Platform Team, Q4 Launch |
| Role Access | Groups mapped to system roles or permissions | AWS Production Access, GitHub Admin |
| Distribution | General purpose email distribution lists | All Hands, Newsletter |
| Catch-all | Addresses like hello@, contact@, legal@, security@ | contact@ |
| Support | Groups for internal requests | it-support@, hr@ |
| Alerts | Groups for system or vendor notifications | PagerDuty Alerts, AWS Alerts |
| Service Account | Groups tied to automated service accounts | CI/CD Pipeline, Monitoring |
| Shared Account | Shared login accounts used by multiple users | Social Media Account, Demo Account |
| Custom | Org-defined groups for anything else | — |
You can change a group's tag from the group edit page, the context menu, or in bulk by selecting multiple groups.
You can create additional custom tags with your own names and colors in Group Tags Settings. Each tag belongs to one of the predefined categories above.
Google Workspace Group Templates
Group Actions
Click the ⋮ menu on any group row:
- Change tag — Reassign the group's category tag (Department, Team, Location, etc.)
- Apply template — Apply a predefined group configuration template
- Edit — Open the group for editing (requires CanUpdateGroups permission)
- Import to JumpCloud — Import a Google-only group into JumpCloud (shown only when the group exists in Google but not JumpCloud)
- Delete — Remove the group and revoke all its app access (requires CanDeleteGroups permission)
Bulk actions: Select multiple groups and choose Delete to remove them in bulk.
Things to Know
- Group changes take effect immediately. Adding or removing a user from a group updates their app access right away. No delays, no manual propagation.
- Deleting a group revokes access. Every user in that group loses access to its assigned apps. Always review app assignments before deleting.
- Users can belong to multiple groups. A user's total app access is the combined set of all apps from every group they're in.
- Groups sync to your connected directories. Changes are pushed via API in real time, so group membership propagates to any directory-integrated systems.
Related Features
- Adding a Group — Create new groups and configure membership rules
- Editing a Group — Configure dynamic, nested, and individual membership
- Adding a Group — Google Sync — Sync membership to Google Workspace