Skip to main content

​
Overview

Groups are the structural backbone of Aptly. They define organizational hierarchies and scope for Decisions, Delegations, and Matrices. Groups typically mirror enterprise structures such as Organizations, Departments, Locations, or other custom units. They can be provisioned automatically via Directory Sync (SCIM) or through HRIS integrations (e.g., Workday, SAP, Oracle). Mapping between source system attributes and Aptly group types is fully configurable, ensuring accurate alignment with enterprise structures.

​
🏒 Group Types

Aptly supports the following group types:
  • Organizations β€” always enabled
  • Departments β€” toggle
  • Locations β€” toggle
  • Custom Group Types β€” optional (e.g., Projects, Teams, Cost Centers)
Admins enable or disable group types in System Settings β†’ Group Types.
Mappings from SCIM/HRIS (e.g., Company β†’ Organization, Department β†’ Department) are configurable per tenant.

​
🧩 Hierarchies

Groups support hierarchical nesting:
  • Parent–child: A group may have one parent and multiple children.
  • Multi-parent: Some group types (except Organizations) may belong to more than one parent.
  • Explicit assignment: Child groups do not automatically inherit from parents; each relationship must be defined or mapped.

​
Example

Global Enterprise Group Hierarchy
  • Aptly Global Holdings (Organization)
    • North America (Org)
      • New York HQ (Location)
      • San Francisco Office (Location)
      • Finance (Department)
    • Europe (Org)
      • London HQ (Location)
      • Paris Office (Location)
      • Legal (Department)
    • Asia-Pacific (Org)
      • Singapore HQ (Location)
      • Sydney Office (Location)
      • Operations (Department)
⚠️ Group fidelity is critical: mapping from HRIS/Directory must preserve parent/child relationships (e.g., Department under Location, Location under Organization). Misconfigured mapping may cause incorrect scope or access.

​
πŸ” Groups & Permissions

Groups determine scope for role permissions such as approve_delegations or view_decisions.
  • Tenant-wide roles ignore group boundaries.
  • Group-scoped roles restrict actions to resources assigned to that group.
  • Inheritance:
    • A user assigned to a parent group can act on delegations scoped to its child groups.
    • Example: A user assigned to Europe (Org) can be eligible for delegations scoped to London HQ or Paris Office.

​
βš™οΈ Sync & Integration Behavior

  • Directory Sync (SCIM)
    Groups are automatically created and maintained from directory attributes (e.g., Company, Department, Location).
  • HRIS Integrations
    Groups may also sync directly from HR systems (e.g., Workday, SAP SuccessFactors, BambooHR).
  • Configurable Mapping
    Admins can configure which source attributes map to Aptly group types. For example:
    • Company β†’ Organization
    • Region β†’ Custom Group Type
    • Department β†’ Department

​
Sync Rules

  • SCIM/HRIS-managed groups cannot be manually deleted in Aptly; they must be updated at the source.
  • Manually added groups can coexist with synced groups and are clearly marked in the UI.
  • During sync, Aptly preserves manual group memberships alongside synced assignments (no overwrites).

​
🚦 Disable vs Delete

  • Disable (Keep Associations): Hides the group type from new records but keeps historical links.
  • Disable (Remove Associations): Breaks links with existing records going forward; historical associations remain in logs.
  • Delete: Allowed only if a group has no associated users, decisions, or delegations.

​
πŸ”Ž Where Groups Are Used

Groups are applied across modules:
  • Decisions β€” define scope of authority.
  • Delegations β€” restrict issuer/recipient eligibility.
  • Matrices β€” filter and display decision/authority data by group.
  • Roles & Permissions β€” limit access based on group-scoped roles.
Groups provide the foundation for scoping and governance in Aptly.
For configuration, see System Settings β†’ Group Types.
For user-specific group assignments, see User Profiles.