# Overview

> Create user groups to define what your team members can access — products, areas, inboxes, intents, and admin pages.

## Overview

User groups are how you control access in Go Autonomous. A group bundles together a set of permissions — which products users can use, which areas they can see, which inboxes and intents they can work with, and which administrative pages they can reach. You then assign users to groups, and they inherit everything that group allows.

Find groups under **Administration → Access Control → User Groups**.

## The Access Control Manager group

Every Go Autonomous environment includes one protected system group: **Access Control Manager**. Members of this group have full access to manage the Access Control area itself — adding and removing users, creating and editing user groups, and configuring SCIM. The group cannot be deleted, and its permissions cannot be edited (a shield icon marks it on the User Groups page). You can still add and remove members from it.

This is the only system-protected group in the long-term setup. All other groups in your environment are fully editable.

## Create a user group

<Steps>
  <Step title="Click Create Group">
    The Create New User Group dialog opens.
  </Step>

  <Step title="Pick a template (optional but recommended)">
    Templates pre-fill permissions across every tab, so you only need to adjust what's different.

    | Template               | Pre-configured access                                               |
    | ---------------------- | ------------------------------------------------------------------- |
    | Everyday User          | Full Flow and Workstation access in the default area                |
    | Platform Administrator | Full access to all products and user management in the default area |
    | IT Administrator       | Edit access to integration pages only (Connectors, Authenticators)  |
    | Super User             | Everyday user access plus user management capabilities              |
    | Custom                 | No pre-configured permissions — start from a blank slate            |

    Templates are only available when creating a new group, not when editing or copying.
  </Step>

  <Step title="Configure each tab">
    Work through the tabs to define what this group can do. Each tab is described below.
  </Step>

  <Step title="Create the group">
    Click **Create Group**. The group appears as a new card on the User Groups page.
  </Step>
</Steps>

## The group configuration tabs

### Basic Info

The group's name (required and unique) and an optional description.

**Auto-assign new users** — toggle this on to automatically add every newly created user to this group on their first login. Use it for the baseline access you want every team member to have (for example, default Flow viewer rights). The flag has no effect on users provisioned through SCIM — those memberships are still controlled by your identity provider.

You can mark more than one group as auto-assign — a new user will be added to all of them.

### Members

Pick the users that belong to this group. Open the **Members** combobox to search by name or email and select one or more users. The count next to the field reflects the current selection. System users are filtered out automatically.

You can leave this step empty and add members later from the [User Management](/knowledge-base/administration/access-control/user-management) page.

### SCIM/SSO

External Group ID mapping and sync settings. Use this tab when you want this group's membership to sync automatically from your identity provider.

### Spaces

Define the access scope for this group:

* **Mode** — choose between **Area** (filter mails by geographic area) or **Inbox** (filter by inbox assignment).
* **Areas** — select specific areas, or use **Default (All Areas)** for full access.
* **Inboxes** — select specific inboxes; with no selection, the group has access to all inboxes. Public and private inboxes are distinguished with icons.
* **Intents** — choose allowed intents from the hierarchical Category → Subcategory → Intent tree. When Inbox mode is selected, available intents may be limited based on inbox restrictions.

### Products

Toggle each product on or off and configure access levels:

| Product     | Configuration                                                                              |
| ----------- | ------------------------------------------------------------------------------------------ |
| Flow        | Master toggle + In-area access (Viewer / Editor) + Out-of-area access (No Access / Viewer) |
| Workstation | Master toggle + Visibility (Assigned Only / All Mails)                                     |
| Pulse       | Master toggle + Access Level (Viewer / Editor)                                             |
| Axon        | Master toggle + Access Level (Viewer / Editor)                                             |

If Pulse or Axon is enabled without a level selected, you'll see a validation error before you can save.

### Administration access

The administration areas of the platform are controlled together with simple **Editor** or **No Access** levels for now. Granular per-page controls are on the way.

| Area             | Access levels     |
| ---------------- | ----------------- |
| Company Settings | No Access, Editor |
| Access Control   | No Access, Editor |
| Audit Trail      | No Access, Editor |

## Group card stats

Each group card on the User Groups page shows a quick summary of how much access the group has — members, inboxes, areas, and intents. The wording reflects how the group is scoped:

* **`X inboxes`, `X areas`, `X intents`** — the group is scoped to a specific set.
* **`Any inbox`, `Any area`, `Any intent`** — the group is unrestricted for that dimension (no specific selection — full access).
* **`No inboxes`, `No areas`, `No intents`** — the group has no access to that dimension.

Use these counts to spot misconfigured groups at a glance — for example, an "Editor" group that unexpectedly shows **No areas**.
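
A least-privilege review of the settings described above, as an added example that is not Go Autonomous code. It takes group settings transcribed by hand from the dialog and the card stats and flags combinations worth a second look; the field names and sample groups are constructed, and the checks are a reviewer's policy assumptions, not product rules.

```python
import re

# Constructed inventory, transcribed by hand from the group dialog and cards.
# Field names are hypothetical; values are the labels this page describes.
GROUPS = [
    {"name": "Baseline", "auto_assign": True, "flow_in_area": "Viewer",
     "admin": {}, "areas": "Any area"},
    {"name": "Regional Editors", "auto_assign": False, "flow_in_area": "Editor",
     "admin": {}, "areas": "No areas"},
    {"name": "Helpdesk", "auto_assign": True, "flow_in_area": "Viewer",
     "admin": {"Access Control": "Editor"}, "areas": "3 areas"},
]

def scope(label):
    """Map card wording to 'any', 'none' or the number of selected items."""
    if label.startswith("Any "):
        return "any"          # no specific selection: unrestricted
    if label.startswith("No "):
        return "none"         # no access to that dimension
    m = re.match(r"(\d+) ", label)
    if not m:
        raise ValueError(f"unrecognised card label: {label!r}")
    return int(m.group(1))

def review(group):
    """Return findings for one group (assumed reviewer policy)."""
    findings = []
    areas = scope(group["areas"])
    admin_editor = sorted(a for a, lvl in group["admin"].items() if lvl == "Editor")
    # The page's own example: an Editor group that shows "No areas".
    if group["flow_in_area"] == "Editor" and areas == "none":
        findings.append("editor-without-areas")
    # Auto-assign is meant for baseline access; admin Editor is not baseline.
    if group["auto_assign"] and admin_editor:
        findings.append("auto-assign-grants-admin:" + ",".join(admin_editor))
    # A second path to managing users and groups outside the protected group.
    if "Access Control" in admin_editor and group["name"] != "Access Control Manager":
        findings.append("access-control-editor-outside-protected-group")
    # Every new non-SCIM user would edit in all areas.
    if group["auto_assign"] and group["flow_in_area"] == "Editor" and areas == "any":
        findings.append("auto-assign-unrestricted-editor")
    return findings

def review_all(groups):
    """Map group name to findings, omitting groups with none."""
    results = {g["name"]: review(g) for g in groups}
    return {name: f for name, f in results.items() if f}

if __name__ == "__main__":
    for name, findings in review_all(GROUPS).items():
        print(name, findings)
```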

## Copy a group

Use copy to quickly create a variant of an existing group. Click the **Copy** icon on any group card. The dialog opens pre-populated with the source group's settings:

* The name is auto-suffixed with **(Copy)** and must be changed to something unique.
* SCIM/SSO settings are reset — the External Group ID is cleared and sync is disabled.
* No members are copied — the new group starts empty.

## Edit a group

Click any group card to open the details sheet, then click **Edit** to make changes. Members of [protected groups](#protected-groups) can be managed, but the groups' settings cannot be changed.

## Delete a group

To delete a group, open the group's menu and select **Delete**. To confirm, you must type the group name exactly. If the group has members, you'll be prompted to migrate them to another group before the deletion completes — this prevents users from being orphaned without permissions.

If the group is synced via SCIM/SSO, you'll see a warning that you'll need to remove or reassign the group mapping in your identity provider configuration after deletion.

## Protected groups

The **Access Control Manager** group is protected. Members of this group are granted full access to everything in the Access Control area — they can add and remove users, create and edit other user groups, and configure SCIM. The group itself can't be edited or deleted, though members can still be added to and removed from it. A shield icon marks protected groups on the card and the details sheet.

For the full breakdown of what each access level means in each product, see [Permission levels by product](/knowledge-base/administration/access-control/permission-levels).

## Group details sheet

Clicking a group card opens a details sheet with everything about the group:

* Name, description, and Copy/Edit buttons
* SCIM/SAML sync badge if applicable
* Created date, created by, last synced timestamp, and external ID
* Up to 4 member avatars with names; if there are more, a "View all X members" link opens the Users page filtered to that group
* Space access (either Inbox Assignments or Area Access)
* Intent access list
* Product access summary
* User access privileges (categorised by level)
* Page access (categorised as Full Access, Area Only Editing, or View Access)

## What's next

* [User Management](/knowledge-base/administration/access-control/user-management) for adding users to your groups.
