Groups
Groups organize workspace members into logical teams. A group can grant additional permissions to its members and control what data they can see. Instead of managing access policies and permission grants for each member individually, you create groups and add members to them — every member automatically inherits the group’s permissions and access policy assignments.
What Groups Do
Groups serve two purposes in Zeotap:
- Grant additional permissions — You can assign a role to a group and/or grant specific permissions directly. Every member of the group inherits those permissions in addition to their own role’s permissions. This lets you extend permissions for specific teams without changing individual roles.
- Control data visibility — Groups are the assignment target for access policies. When an access policy is assigned to a group, every member of that group has their queries automatically filtered.
Permission grants from groups are additive — they can only give members more permissions, never fewer. A member’s effective permissions are the union of:
- Permissions from their assigned role
- Permissions from all group roles they inherit
- All direct permissions from their groups
Creating a Group
Via the UI
- Navigate to Govern > RBAC > Groups
- Click Create Group
- Fill in the group details:
| Field | Description | Example |
|---|---|---|
| Name | Descriptive name for the group | “EMEA Marketing Team” |
| Description | Explanation of the group’s purpose | “Members of the marketing team in EMEA region” |
| Role (optional) | Assign a role to the group. Members inherit this role’s permissions. | “Sync Operator” |
| Direct Permissions (optional) | Grant specific permissions independent of any role. | syncs.read, syncs.trigger |
- Click Create
Via the API
curl -X POST https://composable.zeotap.com/api/v1/workspaces/{workspace_id}/groups \
-H "Authorization: Bearer $API_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"name": "EMEA Marketing Team",
"description": "Members of the marketing team in EMEA region",
"role_id": "role-uuid-here"
}'
The role_id field is optional. Omit it to create a group without a role assignment.
Response:
{
"id": "grp_abc123",
"name": "EMEA Marketing Team",
"description": "Members of the marketing team in EMEA region",
"role_id": "role-uuid-here",
"member_count": 0,
"subset_count": 0,
"created_at": "2025-01-15T10:00:00Z"
}
Granting Permissions via Groups
Groups can grant permissions to their members in two ways:
Assigning a Role to a Group
You can assign any built-in or custom role to a group. All members of the group inherit the permissions of that role, in addition to their own role’s permissions.
Via the UI
- Navigate to the group detail page
- In the Group role dropdown, select a role
- Click Save changes
Via the API
curl -X PUT https://composable.zeotap.com/api/v1/workspaces/{workspace_id}/groups/{group_id} \
-H "Authorization: Bearer $API_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"name": "Data Team",
"description": "Data engineering team",
"role_id": "role-uuid-here"
}'
Set role_id to null to remove the group’s role assignment.
Granting Direct Permissions
For finer-grained control, you can grant specific permissions directly to a group without assigning a full role. This is useful when a team needs a specific set of permissions that does not match any existing role.
Via the UI
- Navigate to the group detail page
- In the Direct permissions section, click Edit
- Check the permissions you want to grant, organized by category
- Click Save
Via the API
# View current direct permissions
curl https://composable.zeotap.com/api/v1/workspaces/{workspace_id}/groups/{group_id}/permissions \
-H "Authorization: Bearer $API_TOKEN"
# Set direct permissions
curl -X PUT https://composable.zeotap.com/api/v1/workspaces/{workspace_id}/groups/{group_id}/permissions \
-H "Authorization: Bearer $API_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"permissions": ["syncs.read", "syncs.trigger", "destinations.read"]
}'
Combining Role and Direct Permissions
A group can have both a role assignment and direct permissions. The effective permissions granted by the group are the union of:
- All permissions from the assigned role
- All direct permissions
This allows you to start with a role as a base and add specific extra permissions as needed.
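The union rule from "What Groups Do" and from this section, worked through for a membership review. This is an added example, not Zeotap code: the `viewer` role, the dict shapes and the member-to-group assignments are constructed assumptions, and only the permission names come from this page. It records which source grants each permission, so you can see what a member holds purely through group membership.

```python
from collections import defaultdict

# Constructed sample data; role names, member ids and the shapes of these
# dicts are assumptions for illustration, not the API's response format.
ROLE_PERMISSIONS = {
    "viewer": {"syncs.read", "destinations.read"},
    "sync_operator": {"syncs.read", "syncs.trigger"},
}
GROUPS = {
    "Sync Operators": {"role": "sync_operator", "direct": set(),
                       "members": {"mem_abc123"}},
    "External Auditors": {"role": None,
                          "direct": {"sources.read", "models.read"},
                          "members": {"mem_abc123", "mem_def456"}},
}
MEMBER_ROLES = {"mem_abc123": "viewer", "mem_def456": "viewer"}


def effective_permissions(member_id):
    """Map each effective permission to the set of sources that grant it."""
    sources = defaultdict(set)
    own_role = MEMBER_ROLES[member_id]
    for perm in ROLE_PERMISSIONS[own_role]:
        sources[perm].add(f"role:{own_role}")
    for name, group in GROUPS.items():
        if member_id not in group["members"]:
            continue
        # A group's grant is its role's permissions plus its direct permissions.
        if group["role"] is not None:
            for perm in ROLE_PERMISSIONS[group["role"]]:
                sources[perm].add(f"group-role:{name}")
        for perm in group["direct"]:
            sources[perm].add(f"group-direct:{name}")
    return dict(sources)


def group_only_permissions(member_id):
    """Permissions the member would lose if removed from every group."""
    own = f"role:{MEMBER_ROLES[member_id]}"
    return {perm for perm, src in effective_permissions(member_id).items()
            if own not in src}


if __name__ == "__main__":
    for member in sorted(MEMBER_ROLES):
        print(member, sorted(group_only_permissions(member)))
```

Because grants are additive, the `group_only_permissions` result is the part of a member's access that no review of their assigned role will reveal.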
Managing Group Members
Adding Members
Via the UI
- Navigate to Govern > RBAC > Groups
- Click on the group
- In the Members tab, click Add Members
- Select workspace members from the list (search by name or email)
- Click Add
Via the API
curl -X POST https://composable.zeotap.com/api/v1/workspaces/{workspace_id}/groups/{group_id}/members \
-H "Authorization: Bearer $API_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"member_ids": ["mem_abc123", "mem_def456"]
}'
Removing Members
Via the UI
- Navigate to the group detail page
- In the Members tab, find the member
- Click Remove next to their name
- Confirm the removal
Via the API
curl -X DELETE https://composable.zeotap.com/api/v1/workspaces/{workspace_id}/groups/{group_id}/members/{member_id} \
-H "Authorization: Bearer $API_TOKEN"
Member Limitations
- A member can belong to multiple groups. Their effective permissions and data access are the combination of all groups they belong to.
- Adding or removing a member from a group takes effect immediately. Their next request will reflect the updated permissions and access policies.
- Only Owners and Admins (users with governance.manage permission) can modify group membership.
Assigning Access Policies to Groups
Access Policies provide the row-level filtering that groups enforce. See Access Policies for how to create access policies.
Via the UI
- Navigate to the group detail page
- In the Access Policies tab, click Add Access Policy
- Select one or more access policies from the list (grouped by category)
- Click Save
Via the API
curl -X PUT https://composable.zeotap.com/api/v1/workspaces/{workspace_id}/groups/{group_id} \
-H "Authorization: Bearer $API_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"subset_ids": ["sub_abc123", "sub_def456"]
}'
How Multiple Access Policies Interact
When a group has multiple access policies:
- Access policies in the same category are combined with OR (the member sees data matching any of them)
- Access policies in different categories are combined with AND (the member sees data matching all categories)
See Access Policies for detailed examples.
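The OR-within-category, AND-across-categories rule applied to sample rows, as an added example that is not Zeotap's implementation. Treating a filter condition as a single `column = 'value'` equality, the policy dict shape and the id `sub_ghi789` are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed policies. Representing a filter condition as a (column, value)
# equality pair is an assumption; categories and values are sample data.
POLICIES = [
    {"id": "sub_abc123", "category": "region", "column": "region", "value": "EMEA"},
    {"id": "sub_def456", "category": "region", "column": "region", "value": "NA"},
    {"id": "sub_ghi789", "category": "department", "column": "department", "value": "marketing"},
]


def by_category(policies):
    """Group policies by their category."""
    grouped = defaultdict(list)
    for policy in policies:
        grouped[policy["category"]].append(policy)
    return grouped


def where_clause(policies):
    """Render the combined filter as text, for review only (never executed)."""
    grouped = by_category(policies)
    parts = []
    for category in sorted(grouped):
        ors = [f"{p['column']} = '{p['value']}'" for p in grouped[category]]
        parts.append("(" + " OR ".join(ors) + ")")
    return " AND ".join(parts)


def row_visible(row, policies):
    """True if, for every category, at least one policy matches the row."""
    return all(
        any(row.get(p["column"]) == p["value"] for p in group)
        for group in by_category(policies).values()
    )


ROWS = [  # constructed rows
    {"region": "EMEA", "department": "marketing"},
    {"region": "NA", "department": "sales"},
    {"region": "APAC", "department": "marketing"},
]

if __name__ == "__main__":
    print(where_clause(POLICIES))
    print([row_visible(row, POLICIES) for row in ROWS])
```

Under this rule, adding a policy in a category the group already uses widens what members see, while adding one in a new category narrows it.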
Viewing Group Details
The group detail page shows:
| Section | Information |
|---|---|
| Overview | Group name, description, role assignment, creation date |
| Members | List of members with their name, email, role, and date added |
| Direct Permissions | Permissions granted directly to this group, organized by category |
| Access Policies | List of assigned access policies with their category, filter condition, and status |
| Activity | Recent actions by group members (queries, sync triggers, resource changes) |
Editing a Group
To update a group’s name, description, role, or direct permissions:
- Navigate to the group detail page
- Click Edit in the header
- Modify the fields as needed
- Click Save
Changing a group’s name or description does not affect its members, role assignment, or access policy assignments.
Deleting a Group
To delete a group:
- Navigate to the group detail page
- Click Delete
- Confirm the deletion
Deleting a group:
- Removes all members from the group (their workspace access is not affected)
- Removes all access policy assignments from the group
- Removes all direct permission grants associated with the group
- Members who were in the group will no longer inherit the group’s role or direct permissions
This action cannot be undone.
Common Group Patterns
| Pattern | Groups | Configuration |
|---|---|---|
| Regional teams | “North America Team”, “EMEA Team”, “APAC Team” | Access policy per region: region = 'NA', region = 'EMEA', region = 'APAC' |
| Department isolation | “Marketing”, “Sales”, “Support” | Access policy per department: department = 'marketing', department = 'sales' |
| Partner access | “Partner A Team”, “Partner B Team” | Access policy per partner: partner_id = 'A', partner_id = 'B' |
| Environment separation | “Production Users”, “Staging Users” | Access policy per environment: environment = 'production', environment = 'staging' |
| Cross-functional | “Product Launch Team” | Multiple access policies from different categories, combining product line and region filters |
| Operator team | “Sync Operators” | Role: custom “Sync Operator” role, or direct permissions: syncs.read, syncs.trigger, destinations.read |
| Read-only auditors | “External Auditors” | Direct permissions: sources.read, models.read, destinations.read, syncs.read — no role assignment needed |
API Reference
# List all groups
GET /api/v1/workspaces/{id}/groups
# Get a single group
GET /api/v1/workspaces/{id}/groups/{groupId}
# Create a group
POST /api/v1/workspaces/{id}/groups
# Update a group
PUT /api/v1/workspaces/{id}/groups/{groupId}
# Delete a group
DELETE /api/v1/workspaces/{id}/groups/{groupId}
# Add members to a group
POST /api/v1/workspaces/{id}/groups/{groupId}/members
# Remove a member from a group
DELETE /api/v1/workspaces/{id}/groups/{groupId}/members/{member_id}
# List group members
GET /api/v1/workspaces/{id}/groups/{groupId}/members
# Group Permissions
GET /api/v1/workspaces/{id}/groups/{groupId}/permissions
PUT /api/v1/workspaces/{id}/groups/{groupId}/permissions
Best Practices
- Name groups by team and function — Use descriptive names like “EMEA Marketing” or “Partner Support - Acme” so membership is self-explanatory.
- Keep groups focused — Each group should represent a single team or access pattern. If members need different permissions or data access for different use cases, use separate groups.
- Use role assignment for broad capabilities — Assign a role to a group when an entire team needs the same capability set (e.g., all members of the data team can manage syncs).
- Use direct permissions for surgical grants — Grant direct permissions when a team needs a small number of extra permissions that do not warrant a full role.
- A member can belong to multiple groups — Use this to build composite access. For example, a member in both “EMEA Team” and “Marketing Team” sees EMEA marketing data and inherits permissions from both groups.
- Review membership regularly — As team composition changes, update group membership to ensure data access and permissions stay current.
- Prefer groups over direct management — Even for a single member who needs a unique access policy or permission, create a group. It makes the access model consistent and easier to audit.
Next Steps
- Create access policies to assign to your groups
- Manage workspace members
- Review the permission model to understand role-based access
- Create custom roles to assign to groups