
# User group-based access control

{% tabs %}
{% tab title="Windows" %}
Remote Desktop Manager user group-based access control allows the creation of a flexible, granular protection system. Flexibility comes at a price, and careful configuration becomes necessary when managing complex systems.

Here are the key points of the user group-based access system:

* Security is inherited: child items and folders are covered by a parent folder’s security.
* Permissions can be overridden: a permission set on a sub folder will override the parent item’s permission.
* Permissions are granular: Multiple permissions can be set on entries at once.

#### Additional security layers

While user group-based access control is great for securing access to entries, many other features can be used to add more security layers. For more information, consult the following topics:

* [Security provider](https://docs.devolutions.net/rdm/commands/administration/security-providers/)
* [Vault](https://docs.devolutions.net/rdm/commands/administration/vaults-overview/)
* [Password policies](https://docs.devolutions.net/rdm/commands/file/templates/password-templates/)
* [Multifactor authentication](https://docs.devolutions.net/rdm/workspaces/multi-factor-authentication/)

### Scenarios

Because of the system's great flexibility, it is difficult to describe how to achieve the exact security system needed for every possible use case. For this reason, this topic covers the most popular systems currently in use by Devolutions' community members. These strategies can, of course, be mixed and matched.

See the following for more details:

* [Simplified security](https://docs.devolutions.net/rdm/user-groups-based-access-control/scenarios/simplified-security/)
* [Advanced security](https://docs.devolutions.net/rdm/user-groups-based-access-control/scenarios/advanced-security/)

### User groups configuration

User groups are mostly used to control user access for multiple users at once. Common user group types include:

* **Service desk**: Single point of contact to handle incidents, problems and questions from staff and customers. A service desk provides an interface for activities such as modification requests, software licences, configuration management, and more.
* **Help Desk**: Department or person that manages, coordinates and resolves support requests.
* **Consultants**: Usually read-only users, employed externally on a temporary basis, who can only use a specific subset of entries.

#### Create user groups

1. To create user groups, navigate to ***Administration*** – ***User groups***, then click ***Add user groups***.

![](https://cdnweb.devolutions.net/docs/RDMW4138_2024_3.png)

2. All settings can be left to default unless the user group contains only administrators. In this case, check the ***Administrator*** box when configuring the user group. Enter a ***Name*** for the user group, then click ***OK***.

![](https://cdnweb.devolutions.net/docs/RDMW4137_2024_3.png)

3. To assign users to the user group, click the ***Assign user to user group*** button, then check the ***Is Member*** box of the respective user.

![](https://cdnweb.devolutions.net/docs/RDMW4144_2024_3.png)

### User configuration

It is also possible to change the default user template. To do so, navigate to ***Administration*** – ***System settings*** – ***User management*** – ***User template***. These settings control the default settings of a new user.

![](https://cdnweb.devolutions.net/docs/RDMW4139_2024_3.png)

#### Create users

To create users, navigate to ***Administration*** – ***Users***, then click ***Add user***. Enter a ***Login*** and ***Password*** for the user and select the ***User type***.

![](https://cdnweb.devolutions.net/docs/RDMW4140_2024_3.png)

A user can be assigned to multiple user groups at once by checking the ***Is member*** box of the respective user groups in the ***User groups*** section of the ***User management***.

![](https://cdnweb.devolutions.net/docs/RDMW4141_2024_3.png)

#### Administrators

***Administrators*** can do everything, regardless of the security. These users are usually the chief officers and senior management.

#### Restricted users

***Restricted users*** have limited access to resources. They usually have the ***Add*** and ***Edit*** rights only. These users can be mid or first level executives, such as service desk and help desk.

#### Users

***Users*** also have limited access to resources much like Restricted users. However, Users have by default the ***Add***, ***Edit*** and ***Delete*** rights and can perform these actions on all unsecured entries.

#### Read-only users

***Read-only users*** can only view and use resources, but cannot edit them. These users are usually external consultants.

#### Select the appropriate user type

When creating users, some key points must be taken into consideration:

* Should they be able to access any resource without restriction? Then they are meant to be ***Administrators***.
* Should they be able to add, edit, or delete entries? A ***User*** would have all of these. Alternatively, select specific rights with ***Restricted user***.
* Should they be able to see sensitive information, or import and export entries? If not, ***Read-only*** users are best used for those who should only have very limited access.

### Entry configuration

Access is granted or denied to users by setting permissions on entries or folders. ***Permissions*** can be given either to individual users or to user groups. It is recommended to grant permissions to user groups to control access for multiple users at once.

To set permissions on an entry, edit any entry, then navigate to the ***Permissions*** section. This can also be done when creating the entry.

![](https://cdnweb.devolutions.net/docs/docs_en_rdm_windows_RDMWin6038.png)

Permissions that are set on folders apply to all child entries. It is considered a best practice to set all the permissions at the vault folder level to ***Disallowed***. As a result, all permissions of all entries are denied by default.

![](https://cdnweb.devolutions.net/docs/RDMW4143_2024_3.png)

Access is denied implicitly: a user is denied a permission when that permission is expressly granted to other users and not to them. In other words, all users who are not on the list of a permission have their access denied.

For a user to have access to a sub folder, the user must have at least the view permission on all parent folders.

Consider the following structure:

![](https://cdnweb.devolutions.net/docs/docs_en_rdm_windows_RDMWin6041.png)

There are three levels of folders: the vault, Telemark, and child items of Telemark.

Suppose that a user, such as a consultant, must have access to the Montreal folder only. The consultant must be granted the view permission on the Telemark folder as well. However, granting view access to the Telemark folder gives the consultant permission to view all child items of Telemark. To deny the view permission for the consultant on specific child items, the view permissions of these items must be expressly set for other users.

![](https://cdnweb.devolutions.net/docs/docs_en_rdm_windows_RDMWin6042.png)
{% endtab %}

{% tab title="macOS" %}
Remote Desktop Manager user group-based access control allows the creation of a flexible, granular protection system. Flexibility comes at a price, and careful configuration becomes necessary when managing complex systems.

Here are the key points of the user group-based access system:

* Security is inherited: child items and folders are covered by a parent folder’s security.
* Permissions can be overridden: a permission set on a sub folder will override the parent item’s permission.
* Permissions are granular: Multiple permissions can be set on entries at once.

#### Additional security layers

While user group-based access control is great for securing access to entries, many other features can be used to add more security layers. For more information, consult the following topics:

* [Security provider](https://docs.devolutions.net/rdm/commands/administration/security-providers/)
* [Vault](https://docs.devolutions.net/rdm/commands/administration/vaults-overview/)
* [Password policies](https://docs.devolutions.net/rdm/commands/file/templates/password-templates/)
* [Multifactor authentication](https://docs.devolutions.net/rdm/workspaces/multi-factor-authentication/)

### Scenarios

Because of the system's great flexibility, it is difficult to describe how to achieve the exact security system needed for every possible use case. For this reason, this topic covers the most popular systems currently in use by Devolutions' community members. These strategies can, of course, be mixed and matched.

See the following for more details:

* [Simplified security](https://docs.devolutions.net/rdm/user-groups-based-access-control/scenarios/simplified-security/)
* [Advanced security](https://docs.devolutions.net/rdm/user-groups-based-access-control/scenarios/advanced-security/)

### User groups configuration

User groups are mostly used to control user access for multiple users at once. Common user group types include:

* **Service desk**: Single point of contact to handle incidents, problems and questions from staff and customers. A service desk provides an interface for activities such as modification requests, software licences, configuration management, and more.
* **Help Desk**: Department or person that manages, coordinates and resolves support requests.
* **Consultants**: Usually read-only users, employed externally on a temporary basis, who can only use a specific subset of entries.

#### Create user groups

1. To create user groups, navigate to ***Administration*** – ***User groups***, then click ***Add user groups***.

![](https://cdnweb.devolutions.net/docs/RDMM4079_2025_1.png)

2. All settings can be left to default unless the user group contains only administrators. In this case, check the ***Administrator*** box when configuring the user group. Enter a ***Name*** for the user group, then click ***OK***.

![](https://cdnweb.devolutions.net/docs/RDMM4080_2025_1.png)

3. To assign users to the user group, click the ***Assign user to user group*** button, then check the ***Is Member*** box of the respective user.

![](https://cdnweb.devolutions.net/docs/RDMM4084_2025_1.png)

### User configuration

It is also possible to change the default user template. To do so, navigate to ***Administration*** – ***System settings*** – ***User management*** – ***User template***. These settings control the default settings of a new user.

![](https://cdnweb.devolutions.net/docs/RDMM4082_2025_1.png)

#### Create users

To create users, navigate to ***Administration*** – ***Users***, then click ***Add user***. Enter a ***Login*** and ***Password*** for the user and select the ***User type***.

![](https://cdnweb.devolutions.net/docs/RDMM4083_2025_1.png)

A user can be assigned to multiple user groups at once by checking the ***Is member*** box of the respective user groups in the ***User groups*** section of the ***User management***.

![](https://cdnweb.devolutions.net/docs/RDMM4081_2025_1.png)

#### Administrators

***Administrators*** can do everything, regardless of the security. These users are usually the chief officers and senior management.

#### Restricted users

***Restricted users*** have limited access to resources. They usually have the ***Add*** and ***Edit*** rights only. These users can be mid or first level executives, such as service desk and help desk.

#### Users

***Users*** also have limited access to resources much like Restricted users. However, Users have by default the ***Add***, ***Edit*** and ***Delete*** rights and can perform these actions on all unsecured entries.

#### Read-only users

***Read-only users*** can only view and use resources, but cannot edit them. These users are usually external consultants.

#### Select the appropriate user type

When creating users, some key points must be taken into consideration:

* Should they be able to access any resource without restriction? Then they are meant to be ***Administrators***.
* Should they be able to add, edit, or delete entries? A ***User*** would have all of these. Alternatively, select specific rights with ***Restricted user***.
* Should they be able to see sensitive information, or import and export entries? If not, ***Read-only*** users are best used for those who should only have very limited access.

### Entry configuration

Access is granted or denied to users by setting permissions on entries or folders. ***Permissions*** can be given either to individual users or to user groups. It is recommended to grant permissions to user groups to control access for multiple users at once.

To set permissions on an entry, edit any entry, then navigate to the ***Permissions*** section. This can also be done when creating the entry.

![](https://cdnweb.devolutions.net/docs/RDMM4085_2025_1.png)

Permissions that are set on folders apply to all child entries. It is considered a best practice to set all the permissions at the vault folder level to ***Disallowed***. As a result, all permissions of all entries are denied by default.

![](https://cdnweb.devolutions.net/docs/RDMM4086_2025_1.png)

Access is denied implicitly: a user is denied a permission when that permission is expressly granted to other users and not to them. In other words, all users who are not on the list of a permission have their access denied.

For a user to have access to a sub folder, the user must have at least the view permission on all parent folders.

Consider the following structure:

![](https://cdnweb.devolutions.net/docs/RDMM4088_2025_1.png)

There are three levels of folders: the vault, DVLS Windjammer (Telemark), and child items of DVLS Windjammer (Telemark).

Suppose that a user, such as a consultant, must have access to the Montreal folder only. The consultant must be granted the view permission on the DVLS Windjammer (Telemark) folder as well. However, granting view access to the DVLS Windjammer (Telemark) folder gives the consultant permission to view all its child items. To deny the view permission for the consultant on specific child items, the view permissions of these items must be expressly set for other users.

![](https://cdnweb.devolutions.net/docs/RDMM4089_2025_1.png)
{% endtab %}
{% endtabs %}
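
The view-permission rules in the ***Entry configuration*** sections of both tabs (inheritance, override on a sub folder, denial of anyone not on a permission's list, and the parent-folder requirement) can be checked on paper before they are applied in the product. The following is an added example, not Remote Desktop Manager code: a simplified model in which the tree, the folder names other than Telemark and Montreal, the logins, and the rule that the vault root itself is not part of the parent check are all assumptions.

```python
# Simplified model of the view-permission rules described on this page.
# Added example; not Remote Desktop Manager code.
INHERITED = None          # no explicit setting: the parent's setting applies
DISALLOWED = frozenset()  # explicit setting that grants view to nobody

class Node:
    def __init__(self, name, parent=None, view=INHERITED):
        self.name, self.parent = name, parent
        self.view = view if view is INHERITED else frozenset(view)

def effective_view(node):
    """Nearest explicit view list, walking up toward the vault."""
    while node.view is INHERITED:
        if node.parent is None:
            return DISALLOWED
        node = node.parent
    return node.view

def can_view(node, principals):
    """principals: the user's login plus the user groups they belong to."""
    chain = []
    while node is not None:
        chain.append(node)
        node = node.parent
    if len(chain) > 1:
        chain.pop()  # assumption: the vault root itself is not checked
    # Anyone absent from a list is denied; every parent folder must allow view.
    return all(effective_view(n) & principals for n in chain)

def visible(nodes, principals):
    return [n.name for n in nodes if can_view(n, principals)]

# Constructed sample tree (only Telemark and Montreal come from the page).
vault = Node("Vault", view=DISALLOWED)
telemark = Node("Telemark", vault, {"Consultants", "Help Desk"})
montreal = Node("Montreal", telemark)               # inherits Telemark
oslo = Node("Oslo", telemark, {"Help Desk"})        # override excludes consultants
oslo_db = Node("Oslo-DB", oslo)                     # inherits the override
internal = Node("Internal", vault)                  # inherits Disallowed
boston = Node("Boston", internal, {"Consultants"})  # parent not viewable
TREE = [vault, telemark, montreal, oslo, oslo_db, internal, boston]

CONSULTANT = frozenset({"consultant1", "Consultants"})
HELP_DESK = frozenset({"agent1", "Help Desk"})

if __name__ == "__main__":
    print("consultant sees:", visible(TREE, CONSULTANT))
    print("help desk sees: ", visible(TREE, HELP_DESK))
```

Running the same check for each user group after a permission change shows which folders a new grant on a parent exposes and which sibling folders still need an explicit list.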

