Building Blocks
Groups
Decide what someone can do in Gfacility — combined with main filters that decide what someone can see. Two separate axes, one coherent authorisation model.
Updated Jan 23, 2026
Configuration · Building Blocks · 3.4
Authorisation in Gfacility runs along two separate axes: Groups decide what someone can do, main filters decide what someone can see. This article covers the doing side. A user can belong to multiple groups and automatically gets the combined rights.
Why this matters to the business
"Not everyone should be able to close tickets"
Privileges per action (view / create / edit / delete) per module.
"External parties only see their own tickets"
Rights on "own records" vs "other records" — a dimension within every group.
"Configuration rights separate from operation"
Editing settings requires different rights from daily work — configurable separately.
"Future vs past"
A past booking may be visible to everyone; future planning maybe only to the management team.
The privileges model
Privileges are made up of three dimensions. For operational rights all three are available; for configuration rights only the first.
| Dimension | Values | What it controls |
|---|---|---|
| Action | View · Create · Edit · Delete | CRUD per module |
| Ownership | Own · Other records | Own records only or also other people's |
| Time range | Future · Past | For bookings, tasks — not always applicable |
Operation versus Configuration
Privileges split across two tabs:
Operation
Day-to-day use: tickets, bookings, tasks, visitors, catering. All three dimensions.
Configuration
Settings: classifications, workflows, templates, groups themselves. Action dimension only (no own/other or future/past).
Important: view says nothing about what
The “View” privilege grants access to a module. Which records within that module you actually see is decided by main filters — a separate security layer. A user may be allowed to view helpdesk tickets, for example, but through a main filter only see those from their own organisation.
Which decisions will you make?
Which roles do you distinguish?
End user, handler, manager, admin. A smaller set is easier to manage.
Own or all records?
End users typically "own". Handlers "other" within their workgroup scope.
Who can edit configuration?
Limit to 2–5 people. Too many admins = uncontrolled changes.
How do you combine groups?
A user gets the union of all group rights. Stacking instead of copying = clearer overview.