UserGroupRole
Assigns a role to an entire group, so every member of the group receives the role at once instead of through individual assignments. For example, assigning the 'Financial Analyst' role to the 'Finance Department' group gives every finance team member that role, and anyone who later joins the group receives it automatically. Assignments can be conditional (for example, a role that applies only during certain hours or from specific locations) and can be inherited through the group hierarchy: if the 'Company' group holds the 'Basic Employee' role and inheritance is enabled, all subgroups receive it as well. The entity records who assigned a role to a group, when, and why, so bulk permission changes remain accountable. Time-bounded assignments support project groups that need elevated permissions for a limited period. When a user belongs to several groups whose assignments conflict, priority levels determine which assignment takes precedence. Group-level assignment is essential in large organizations, where managing individual role assignments would be impractical, and it keeps permissions consistent across teams.
Properties
| Property | Type | Mode | Description | Required |
|---|---|---|---|---|
| assignmentId | uuid | stored | Unique identifier for this group-role assignment | Required |
| group | UserGroup | stored | The group receiving this role | Required |
| role | Role | stored | The role being assigned to the group | Required |
| assignedBy | User | stored | Administrator who made this assignment | Optional |
| assignedAt | DateTime | stored | When the role was assigned to the group | Required |
| assignmentReason | string | stored | Explanation for this role assignment | Optional |
| effectiveFrom | DateTime | stored | When this role becomes active for group members | Required |
| effectiveUntil | DateTime | stored | When this role expires for the group | Optional |
| scope | string | stored | Context where this role applies | Optional |
| applyToExisting | boolean | stored | Whether to apply to current members immediately | Optional |
| applyToNew | boolean | stored | Whether new members automatically get this role | Optional |
| removeOnLeave | boolean | stored | Whether to remove role when member leaves group | Optional |
| priority | integer | stored | Resolution order for conflicting assignments | Optional |
| conditions | string | stored | JSON conditions for when role applies | Optional |
| exceptions | string | stored | JSON array of user IDs excluded from this assignment | Optional |
| inheritToSubgroups | boolean | stored | Whether child groups inherit this role | Optional |
| requiresActivation | boolean | stored | Whether members must activate this role individually | Optional |
| requiresMfa | boolean | stored | Whether MFA is required to exercise this role in group context | Optional |
| approvalRequired | boolean | stored | Whether individual approval is needed per member | Optional |
| approvalConfig | string | stored | JSON configuration for approval workflow | Optional |
| isActive | boolean | stored | Whether this assignment is currently active | Optional |
| suspendedAt | DateTime | stored | When this assignment was suspended | Optional |
| suspendedReason | string | stored | Why the assignment was suspended | Optional |
| revokedAt | DateTime | stored | When this assignment was revoked | Optional |
| revokedBy | User | stored | Who revoked this assignment | Optional |
| affectedUserCount | integer | stored | Number of users affected by this assignment | Optional |
| metadata | object | stored | Additional assignment configuration | Optional |
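As an added example that is not part of this schema page, the following Python resolves a user's effective roles from a set of UserGroupRole assignments, applying the properties above: the effectiveFrom/effectiveUntil window, isActive and revokedAt, inheritToSubgroups over a group hierarchy, exceptions, conditions, priority-based precedence between conflicting assignments, and requiresMfa. The group tree, the role names, the condition-matching rule (each key in conditions names a request attribute that must take one of the listed values), the tie-break rule, and the sample assignments are assumptions for illustration; the sample data is shaped like the page's examples but supplies group and role values the examples omit.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, FrozenSet, List, Optional


def ts(s: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z (as in the page's examples)."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


@dataclass
class GroupRole:
    """The UserGroupRole properties that affect resolution (names in snake_case)."""
    assignment_id: str
    group: str
    role: str
    effective_from: datetime
    effective_until: Optional[datetime] = None
    is_active: bool = True
    revoked_at: Optional[datetime] = None
    priority: int = 0
    inherit_to_subgroups: bool = False
    exceptions: FrozenSet[str] = frozenset()
    conditions: Dict[str, List[str]] = field(default_factory=dict)
    requires_mfa: bool = False


# Assumed group tree (child -> parent); a root group simply has no entry.
PARENT_OF = {"eng_backend": "eng", "eng": "company", "finance": "company"}


def ancestors(group: str, parent_of: Dict[str, str]) -> List[str]:
    """Ancestors of a group, nearest first; stops if the tree contains a cycle."""
    seen, out = {group}, []
    parent = parent_of.get(group)
    while parent is not None and parent not in seen:
        seen.add(parent)
        out.append(parent)
        parent = parent_of.get(parent)
    return out


def is_applicable(a, user_id, user_groups, now, ctx, parent_of) -> bool:
    """Does this assignment reach this user for this request at this time?"""
    if not a.is_active or a.revoked_at is not None:
        return False
    if now < a.effective_from:
        return False
    if a.effective_until is not None and now > a.effective_until:
        return False
    if user_id in a.exceptions:  # per-user carve-out listed in `exceptions`
        return False
    # Direct membership always counts; membership of a descendant group counts
    # only when the assignment has inheritToSubgroups set.
    member = any(
        a.group == g or (a.inherit_to_subgroups and a.group in ancestors(g, parent_of))
        for g in user_groups
    )
    if not member:
        return False
    # Assumed condition semantics: each key names a request attribute that must
    # take one of the listed values; a missing attribute fails the condition.
    return all(ctx.get(k) in allowed for k, allowed in a.conditions.items())


def resolve_roles(user_id, user_groups, assignments, now, ctx, parent_of=PARENT_OF):
    """Return (granted, step_up): role -> winning assignmentId for roles the
    session holds, and role -> assignmentId for roles withheld until MFA."""
    candidates: Dict[str, List[GroupRole]] = {}
    for a in assignments:
        if is_applicable(a, user_id, user_groups, now, ctx, parent_of):
            candidates.setdefault(a.role, []).append(a)
    granted: Dict[str, str] = {}
    step_up: Dict[str, str] = {}
    for role, cands in candidates.items():
        # Precedence: highest priority wins; a tie goes to the stricter
        # (MFA-requiring) assignment, then to the assignmentId for determinism.
        winner = max(cands, key=lambda a: (a.priority, a.requires_mfa, a.assignment_id))
        if winner.requires_mfa and not ctx.get("mfa", False):
            # Fail closed: do not fall back to a lower-priority assignment that
            # happens not to require MFA.
            step_up[role] = winner.assignment_id
        else:
            granted[role] = winner.assignment_id
    return granted, step_up


# Constructed sample assignments; group and role values are assumed.
ASSIGNMENTS = [
    GroupRole("gra_company_staging", "company", "deployer", ts("2023-01-01T00:00:00Z"),
              priority=10, inherit_to_subgroups=True,
              conditions={"environment": ["staging"]}),
    GroupRole("gra_eng_deploy", "eng", "deployer", ts("2024-01-15T10:00:00Z"),
              priority=50, inherit_to_subgroups=True, requires_mfa=True,
              conditions={"environment": ["staging", "production"]}),
    GroupRole("gra_project_temp", "project_migration", "data_migrator",
              ts("2024-03-01T09:00:00Z"), effective_until=ts("2024-06-30T23:59:59Z"),
              priority=75, requires_mfa=True,
              exceptions=frozenset({"user_intern_001", "user_contractor_002"})),
]

if __name__ == "__main__":
    now = ts("2024-04-01T12:00:00Z")
    print(resolve_roles("alice", ["eng_backend", "project_migration"], ASSIGNMENTS,
                        now, {"environment": "staging", "mfa": True}))
    print(resolve_roles("alice", ["eng_backend", "project_migration"], ASSIGNMENTS,
                        now, {"environment": "staging", "mfa": False}))
```

The design choice worth noting is in resolve_roles: once the highest-priority assignment for a role is selected, its requiresMfa flag is binding. A session without MFA is told which assignment it must step up for, and the resolver does not quietly fall through to a lower-priority assignment for the same role that lacks the requirement; otherwise a broad, weak company-level grant could undercut a stricter team-level one.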
Examples
Example 1
{
"@type": "UserGroupRole",
"assignmentId": "gra_eng_deploy",
"assignedBy": "admin_cto",
"assignedAt": "2024-01-15T10:00:00Z",
"assignmentReason": "All backend engineers need deployment access to staging and production",
"effectiveFrom": "2024-01-15T10:00:00Z",
"effectiveUntil": null,
"scope": "environment:all",
"applyToExisting": true,
"applyToNew": true,
"removeOnLeave": true,
"priority": 50,
"conditions": "{\"environments\":[\"staging\",\"production\"],\"approval_required_for\":\"production\"}",
"inheritToSubgroups": true,
"requiresActivation": false,
"requiresMfa": true,
"approvalRequired": false,
"isActive": true,
"affectedUserCount": 25,
"metadata": {
"deployment_limits": {
"staging": "unlimited",
"production": "5_per_day"
}
}
}
Example 2
{
"@type": "UserGroupRole",
"assignmentId": "gra_project_temp",
"assignedBy": "manager_projects",
"assignedAt": "2024-03-01T09:00:00Z",
"assignmentReason": "Q2 project team needs elevated data access for migration project",
"effectiveFrom": "2024-03-01T09:00:00Z",
"effectiveUntil": "2024-06-30T23:59:59Z",
"scope": "project:data_migration_q2",
"applyToExisting": true,
"applyToNew": true,
"removeOnLeave": true,
"priority": 75,
"exceptions": "[\"user_intern_001\",\"user_contractor_002\"]",
"inheritToSubgroups": false,
"requiresActivation": true,
"requiresMfa": true,
"approvalRequired": true,
"approvalConfig": "{\"approvers\":[\"data_owner\",\"security_team\"],\"approval_sla_hours\":24}",
"isActive": true,
"affectedUserCount": 12,
"metadata": {
"project_code": "MIGR-2024-Q2",
"data_classification": "sensitive",
"audit_required": true
}
}