
# User-group based security

Devolutions Server user group-based security lets you create a granular, flexible protection system. However, flexibility comes at a price: making the wrong choices can increase the time spent managing the system.

The following recommendations are based on our experience with the system and the ideas shared by our community. Follow these guidelines, as they will help you to use the Devolutions Server user groups based security efficiently.

Here are the key points of user group-based security:

* Security is inherited: child items and folders are covered by a parent folder’s security.
* Permissions can be overridden: a permission set on a sub folder will override the parent item’s permission.
* Permissions are granular: multiple permissions can be set on entries at once.

### User groups configuration <a href="#user-groups-configuration" id="user-groups-configuration"></a>

When using Devolutions Server user groups based security, user groups are mostly used to control user access for multiple users at once.

#### Create the user groups <a href="#create-the-user-groups" id="create-the-user-groups"></a>

To create user groups, navigate to ***Administration*** – ***User groups***, then click ***Add***.

![](https://cdnweb.devolutions.net/docs/DVLS6026_2025_3.png)

All settings can be left at their defaults unless the user group contains only administrators. In this case, check the ***Is administrator*** box when configuring the user group. Enter a name and a description for the user group, then click ***OK***. For Active Directory groups, the domain must be provided as shown below.

![](https://cdnweb.devolutions.net/docs/DVLS6027_2025_3.png)

To assign users to the user group, click ***Assign users to user group***. With a user group created from an Active Directory group, there is no need to assign users as it is automatically managed by Devolutions Server.

![](https://cdnweb.devolutions.net/docs/DVLS6028_2025_3.png)

### User configuration

#### User template <a href="#user-template" id="user-template"></a>

It is possible to change the default user template. To do so, navigate to ***Administration*** – ***System settings*** – ***User template***. These settings control the default settings of a new user. The best practice is to disable all privileges.

#### Create the user <a href="#create-the-user" id="create-the-user"></a>

To create users, navigate to ***Administration*** – ***Users***, then click ***Add user***. Enter the information and click ***Add*** to save.

![](https://cdnweb.devolutions.net/docs/DVLS4166_2025_1.png)

A user can be assigned to multiple user groups at once by clicking ***Edit*** – ***User groups*** or ***More*** – ***Assign user groups***. As part of the Active Directory integration, there is no need to assign users to those user groups as it is automatically managed by Devolutions Server.

![](https://cdnweb.devolutions.net/docs/DVLS6046_2024_1.png)

Select the ***user groups*** you want to assign to the user and click ***Update***.

![](https://cdnweb.devolutions.net/docs/DVLS6047_2024_1.png)

#### Administrators <a href="#administrators" id="administrators"></a>

Administrators can do everything, regardless of the security. These users are usually the chief officers and senior management.

#### Users <a href="#users" id="users"></a>

Users have limited access to resources. However, by default they have the ***Add***, ***Edit***, and ***Delete*** rights and can perform these actions on all unsecured entries.

#### Contractors <a href="#contractors" id="contractors"></a>

***Contractor*** users have customizable access to resources, automatically expire at a set date, must provide an email address, and are required to enter a password upon login. This user type comes in handy for managing external Devolutions Server users.

Although contractor users have access to [PAM capabilities](https://docs.devolutions.net/pam/server/), they are restricted to ***Read-only*** mode.

{% hint style="info" %}
Requires enabling authentication with Contractor users in the Administration section of [Devolutions Server](https://docs.devolutions.net/server/web-interface/administration/configuration/server-settings/general/authentication/) or [Devolutions Cloud](https://docs.devolutions.net/cloud/web-interface/administration/configuration-security/authentication/).
{% endhint %}

#### Select the appropriate user type <a href="#select-the-appropriate-user-type" id="select-the-appropriate-user-type"></a>

When creating users, some key points must be taken into consideration. Ask yourself the following questions while configuring a new user:

* Should they be able to access any resource without restriction?
  * ***Administrators*** can access any resource without restriction.
  * Select ***Administrator*** as the ***User type*** when creating the user.

![](https://cdnweb.devolutions.net/docs/DVLS4167_2025_1.png)

* Should they have limited administrative rights but the ability to add, edit, delete, add in root, and move entries?
  * If so, select ***User*** as the ***User type*** when creating the user. Users have all those rights by default.

### Entry configuration

Access is granted or denied to users by setting permissions on entries. Permissions can be set for users or user groups. The best practice is to grant permissions to user groups to control access for multiple users at once.

To set permissions on an entry, edit any entry, enable ***Advanced***, then navigate to the ***Security*** – ***Permissions*** section.

![](https://cdnweb.devolutions.net/docs/DVLS6053_2024_1.png)

Permissions are usually set on folders, and apply to all child entries. A best practice is to set all the permissions of the vault folder to ***Disallowed***. As a result, all permissions of all entries are denied by default.

Access is denied to a user by expressly granting it to other users. In other words, any user who is not on the list of a permission is denied that access.

For a user to have access to a sub folder, the user must have at least the View permission on all parent folders.

Consider the following structure:

![](https://cdnweb.devolutions.net/docs/docs_en_server_clip8044.png)

There are three levels of folders: the vault, Telemark, and child items of Telemark.

Suppose that a user, such as a consultant, must have access to the Montreal folder only. The consultant must be granted the View permission on the Telemark folder as well. However, granting View on the Telemark folder also lets the consultant view all child items of Telemark. To deny the View permission to the consultant on specific child items, the View permission of these items must be expressly set for other users.
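The following added example, which is not Devolutions code, is a simplified Python model of the View rules described above (inheritance, override, the parent-folder requirement and denial by omission), useful for reasoning about a folder layout before configuring it. The `Boston` folder and the `Telemark-Staff` group are constructed names, and the model assumes the vault root only supplies the inherited default rather than acting as a gate.

```python
from dataclasses import dataclass

INHERIT = None            # no override on this folder: use the parent's setting
DISALLOWED = frozenset()  # explicit empty list: nobody is granted View

@dataclass
class Folder:
    name: str
    parent: "Folder | None" = None
    view: "frozenset | None" = INHERIT  # principals (users/groups) granted View

    def effective_view(self):
        """Nearest explicit setting wins; otherwise walk up to the parent."""
        node = self
        while node is not None:
            if node.view is not INHERIT:
                return node.view
            node = node.parent
        return DISALLOWED

def can_view(folder, user, groups=()):
    """True only if the user is listed on the folder and every parent folder.
    Assumption: the vault root supplies the inherited default, not a gate."""
    principals = {user, *groups}
    node = folder
    while node.parent is not None:
        if not principals & node.effective_view():
            return False
        node = node.parent
    return True

def build_tree(telemark_view, montreal_view=INHERIT, boston_view=INHERIT):
    vault = Folder("Vault", view=DISALLOWED)          # deny-by-default root
    telemark = Folder("Telemark", vault, telemark_view)
    return {f.name: f for f in (
        telemark,
        Folder("Montreal", telemark, montreal_view),
        Folder("Boston", telemark, boston_view),      # constructed sibling
    )}

def visible(tree, user, groups=()):
    return sorted(n for n, f in tree.items() if can_view(f, user, groups))

STAFF = frozenset({"Telemark-Staff"})                 # constructed group name
# 1. Consultant listed on Montreal only: the parent folder blocks access.
t1 = build_tree(STAFF, montreal_view=STAFF | {"consultant"})
# 2. Consultant added to Telemark: every inheriting child becomes visible.
t2 = build_tree(STAFF | {"consultant"})
# 3. Boston overridden with a list that omits the consultant: denied there.
t3 = build_tree(STAFF | {"consultant"}, boston_view=STAFF)
```

Calling `visible(t2, "consultant")` shows the over-exposure the paragraph warns about, and `visible(t3, "consultant")` shows the effect of the explicit override on the sibling folder.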


