TABLE OF CONTENTS
- Introduction
- What are User Groups?
- When to use User Groups
- What a User Group controls
- How User Groups work
- User Groups with SSO
- How to create a User Group
- Assigning users to a User Group
- Best practices
- Troubleshooting
- Related articles
Introduction
User Groups allow System Administrators to manage access permissions for multiple users at once. Instead of configuring each user individually, administrators can create a reusable access profile and assign users to it. This helps keep access consistent, reduces manual work, and makes it easier to manage users who share the same role, division, hierarchy scope, or segment restrictions.
User Groups are especially useful when access is managed through SSO, because CustomerGauge can match incoming SSO attributes to a CustomerGauge User Group.
What are User Groups?
A User Group is a set of access permissions that can be applied to users.
A User Group can define:
- The user’s Role
- The user’s Division or Hierarchy access
- The user’s Segment restrictions
Each user can be assigned to one User Group at a time.
Once a user is assigned to a User Group, the group provides the access settings for that user. This makes it easier to manage users who should have the same access profile.
Example User Groups:
- Global Admins
- Europe Managers
- Netherlands Users
- Enterprise Account Team
- Product A Reporting Users
When to use User Groups
Use User Groups when:
- Multiple users need the same access settings.
- You want to manage user permissions more consistently.
- You want to reduce manual user-by-user setup.
- Your organization uses SSO and sends group information from your Identity Provider.
- You need to control both feature access and data access from one place.
User Groups are useful for both small teams and large organizations, but they are especially helpful when users are created or updated through SSO.
What a User Group controls
A User Group can control three main areas of access.
Role
The Role determines which features a user can access in CustomerGauge. For example, one Role may allow access to admin functionality, while another Role may only allow access to reporting or case management.
Role access is different from data access. A Role controls what the user can do. Division, Hierarchy, and Segment restrictions control which records the user can see.
Segment restrictions
Segment restrictions refine data access further by limiting users to records that match specific segment values.
For example, a User Group could be restricted to:
- Customer Type = Enterprise
- Product = Product A
- Region = EMEA
If segment restrictions are used together with Division or Hierarchy access, a record must match all applicable restrictions before the user can access it.
Division or Hierarchy access
Division or Hierarchy access determines which records a user can access based on their assigned division scope. If hierarchy is enabled, users may be able to access records from their assigned hierarchy level and the levels below it.
How User Groups work
A System Administrator creates a User Group in the Users section of CustomerGauge.
The administrator defines the group’s:
- Name
- Identifier
- Role
- Division or Hierarchy access
- Segment filters
Users can then be assigned to the User Group manually, or matched to the User Group through SSO if your organization sends group information from your Identity Provider. When the user logs in, CustomerGauge determines the user’s final access settings. If the user is matched to a User Group, the group’s settings are used for the user’s Role, Division or Hierarchy scope, and Segment restrictions.
User Groups with SSO
If your organization uses SSO, your Identity Provider can send attributes to CustomerGauge when a user logs in.
These attributes may include:
- A User Group identifier
- A Role
- A Division or Hierarchy value
- Segment values
When a User Group is provided through SSO, CustomerGauge attempts to match the value from the Identity Provider to the Identifier configured on a CustomerGauge User Group. If a match is found, CustomerGauge uses the User Group as the source for the user’s access settings. This means the User Group can define:
- The final Role
- The final Division or Hierarchy scope
- The final Segment restrictions
If no User Group is provided, CustomerGauge can fall back to individual SSO attributes, such as Role, Division, or Segment values, depending on what your SSO setup sends.
If neither a User Group nor a relevant attribute is provided, CustomerGauge uses the user’s existing setting or the default setting.
Role access with SSO and User Groups
How CustomerGauge determines the final Role when a user logs in with SSO.
When a user logs in with SSO:
- CustomerGauge receives the SSO attributes.
- If a User Group is provided, CustomerGauge matches the user to the corresponding CustomerGauge User Group.
- If a matching User Group is used, the Role comes from the User Group.
- If no User Group is provided, CustomerGauge checks whether a Role attribute was provided.
- If a Role attribute was provided, CustomerGauge uses that Role.
- If no Role attribute was provided, CustomerGauge uses the existing Role or default Role.
- CustomerGauge checks whether the final Role allows the user to access the feature.
- If the Role allows the feature, access is granted. If the Role does not allow the feature, access is denied.
For Division, Hierarchy, and Segment access flows, see the Data Access Restriction article.
How to create a User Group
Follow these steps to create a User Group.
Navigate to User Groups: Go to Users → User Groups in the CustomerGauge platform.
Add a new group: Click on the "Add Group" button to start the group creation process.
Configure Group Details:
Name: Provide a clear, descriptive name for the group. Use a name that administrators can easily recognize later.
Examples:
Europe Managers
Netherlands Users
Global Admins
Enterprise Account TeamIdentifier: Enter a unique identifier for the group. This is typically the ID used to identify the group in your Identity Provider (IdP). This field is mandatory, even if you do not use Single-Sign On (SSO).
Role: Select the appropriate role for users in this group, determining their feature access.
Division: Define the division that users in this group will belong to, controlling their division data access.
Segment access restrictions: Refine access further by adding segment filters to restrict data access based on specific criteria.
Save the User Group: Once you've configured all the details, save the group. It will then be available for assignment to Users, or for matching through SSO.
Important Note: Ensure that the users in your organization who will be assigned to this Group have the correct permissions and Group ID defined in your IdP, matching the identifier setup in CustomerGauge. This ensures proper synchronization and access control.
Assigning users to a User Group
Users can be assigned to a User Group manually in CustomerGauge, or matched automatically through SSO. Manual assignment is useful when administrators manage users directly in CustomerGauge.
SSO-based assignment is useful when your Identity Provider is the source of truth for user access. If using SSO, make sure the value sent by the Identity Provider exactly matches the Identifier configured on the CustomerGauge User Group.
Best practices
- Use clear and consistent User Group names.
- Create groups around real access patterns, such as geography, hierarchy level, business unit, or customer team.
- Avoid creating too many one-off groups. If only one user needs an exception, review whether that should be handled as an individual user setting instead.
- When using SSO, Make the Identifier match your Identity Provider identifier exactly.
- Test SSO group mapping with a small number of users before rolling it out broadly.
- Review User Groups regularly to make sure they still match your organization’s access model.
- Document which Identity Provider groups map to which CustomerGauge User Groups.
Troubleshooting
A user is assigned no User Group through SSO
Check the following:
- Is the correct Identifier field set up in the SSO setup, matching the correct field claim from the Identity Provider?
- Is the correct group value being sent by the Identity Provider?
- Does the value exactly match the Identifier in CustomerGauge?
- Is the user assigned to more than one group in the Identity Provider?
- Is the expected User Group active and configured correctly in CustomerGauge?
A user is assigned to the wrong User Group
Check the following:
- Is the correct group value being sent by the Identity Provider?
- Does the value exactly match the Identifier in CustomerGauge?
- Is the user assigned to more than one group in the Identity Provider?
- Is the expected User Group active and configured correctly in CustomerGauge?
A user has the wrong Role
Check the following:
- Is the Role configured correctly on the User Group?
- If no User Group is provided through SSO, is a Role attribute being sent?
- If no Role attribute is sent, what existing or default Role is being used?
- Does the final Role allow the feature the user is trying to access?
A user cannot see the expected records
Check the following:
- Is the Division or Hierarchy scope configured correctly on the User Group?
- Are Segment filters configured correctly?
- Does the record match all required restrictions?
- If SSO is used, is the expected User Group identifier being sent?
- If no User Group is provided, are the expected Division or Segment attributes being sent?
A user can see too much data
Check the following:
- Does the User Group have broader Division or Hierarchy access than intended?
- Are Segment filters missing?
- Is the user matched to a Global or admin-level group?
- Is the Identity Provider sending the expected group value?
- Does the user have an existing setting that gives broader access?
If the User Group or SSO mapping appears correct but access still does not behave as expected, contact CustomerGauge Support, your Account Services Manager.
Related articles
- Data Access Restriction
- Hierarchy
- Users and Login