
Creating and managing User Groups in Astrato

Learn how to set up user groups in Astrato for granting access to workbooks, collections and more. User groups let you define permissions once — on collections, semantic layers, and data connections — then grant them instantly to anyone who joins the group.


What Are User Groups?

A user group is a named set of users that share the same access rights across Astrato. Instead of setting permissions per person, you set them per group. Every user added to that group automatically inherits all of its permissions — no extra steps required.

Example: A new sales hire joins your organisation. Add them to the Sales group and they immediately have access to every sales workbook, semantic layer, and data connection the group is allowed to see. Remove them from the group and that access is revoked just as cleanly.


Setting Up User Groups

User groups are managed by Admins in Admin Settings.

  1. Go to Admin Settings → User Groups

  2. Click Create Group and give it a descriptive name (e.g. Sales, Finance, Marketing)

  3. Add members by searching for users in your workspace

  4. Save the group

You can edit membership at any time. Changes take effect immediately — users do not need to log out and back in.


Assigning Permissions to Groups

Once your groups are set up, you apply permissions at three levels: Collections, Semantic Layers, and Data Connections. This is where group-based access control pays off — set it once, and every current and future group member benefits.

Assign a group to Collections

Collections are how workbooks and content are organised and shared. You can grant a group Viewer, Editor, or Admin access to a collection.

  1. Open the collection

  2. Go to Share / Permissions

  3. Search for the group name and assign the appropriate role

All workbooks inside that collection become accessible to the group at the permission level you set.

Assign a group to Semantic Layers

Semantic layers define the business logic and metrics your users query against. Controlling who can use — or edit — a semantic layer is critical for data governance.

  1. Open the Semantic Layer view in Data & AI

  2. Click the checkbox of the connection you want to manage

  3. Go to Members to manage permissions

  4. Add the group and assign access


Assign a group to Data Connections

Semantic Layers control access to the underlying data connections. This ensures groups can only query the data sources relevant to them.

  1. Open the Connection in Data & AI

  2. Click the checkbox of the connection you want to manage

  3. Go to Members to manage permissions

  4. Add the group and assign access


Global Data Reduction: Filtering by Group

Astrato's semantic layer goes further than object-level permissions. You can use a user's group membership as a filter condition, so members of different groups see different rows of the same dataset — all through a single workbook.

This is configured inside the semantic layer using a group name filter:

  1. Open your Semantic Layer

  2. Navigate to the table settings

  3. Add a filter condition and type in $userGroupNames

When you choose a parameter to filter on, enter $userGroupNames as the parameter name to load the current user's groups. If the user is part of multiple groups, multiple groups may be returned, as a comma-separated list.

When a user opens a workbook powered by that semantic layer, Astrato automatically applies the filter based on which group they belong to. A user in the EMEA Sales group sees only EMEA rows; a user in APAC Sales sees only APAC rows — same workbook, scoped data.
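
The matching rule behind that scoping, as an added example that is not Astrato's own code: it models how a comma-separated $userGroupNames value should be compared against a column that tags each row with a group, using exact names rather than substring tests. The sample rows, the access_group column and the function names are assumptions made for illustration.

```python
# Added example: a model of group-based row filtering, not Astrato's implementation.
# Rows, group names, the access_group column and all function names are constructed.

ROWS = [  # constructed sample data: each row is tagged with the group allowed to see it
    {"order_id": 1, "region": "EMEA", "access_group": "EMEA Sales"},
    {"order_id": 2, "region": "APAC", "access_group": "APAC Sales"},
    {"order_id": 3, "region": "ALL", "access_group": "Sales"},
]


def parse_group_names(value):
    """Split a comma-separated group list into a set of exact, trimmed names."""
    return {name.strip() for name in value.split(",") if name.strip()}


def visible_rows(rows, user_group_names):
    """Exact match: a row is visible only if its tag equals one of the user's groups."""
    groups = parse_group_names(user_group_names)
    return [r["order_id"] for r in rows if r["access_group"] in groups]


def visible_rows_substring(rows, user_group_names):
    """Weak variant, for comparison only: substring test against the raw list."""
    return [r["order_id"] for r in rows if r["access_group"] in user_group_names]


def ambiguous_group_names(all_groups):
    """A group name containing a comma reads as two groups once it is in the list."""
    return sorted(g for g in all_groups if "," in g)


if __name__ == "__main__":
    # One group, then two groups (with and without a space after the comma).
    print(visible_rows(ROWS, "EMEA Sales"))
    print(visible_rows(ROWS, "EMEA Sales, APAC Sales"))
    # The substring variant also exposes the row tagged "Sales" to an EMEA Sales user.
    print(visible_rows_substring(ROWS, "EMEA Sales"))
    # Names to rename before relying on the comma-separated list.
    print(ambiguous_group_names(["Sales", "Sales, EMEA"]))
```

Group names that are substrings of one another (Sales and EMEA Sales) are the case to test for when a filter is built on the group list, and commas are best kept out of group names altogether.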


How Permissions Inherit

When a user is added to a group, they immediately inherit all of that group's permissions:

What the group can access     What the new member gets
Workbooks in a collection     Full access at the group's permission level
Semantic layers               Ability to use (or edit) those layers in their workbooks
Data connections              Access to query the relevant data sources
Row-level filters             Their data is automatically scoped by group name

There is nothing extra to configure. The group is the single source of truth for access.


Best Practices

Name groups after business functions, not individuals. Sales EMEA, Finance UK, Product Managers — names that survive team changes.

Use collections to organise workbooks by group. Create a Sales collection, grant the Sales group access, and every new workbook added to that collection is automatically available to the whole team.

Combine object permissions with row-level security for the tightest control. A group can have access to a semantic layer but still only see the rows of data that are relevant to them.

Avoid giving individual users direct permissions where a group exists. This makes auditing and offboarding significantly harder.
