When you go directly to a group page under Platform Settings -> Groups, what determines what you see under Members?
You might see one of these:
"People who are members of this group <list of visible members>" or "No visible users are members of this group." - I assume this means you do have the permission to view group membership (although you might lack permission to view individual users who are in this group).
"You do not have permission to view the members of this group" - I assume this means you don’t have permission to view group membership.
The question is what determines which of the 2 you see, e.g. what is the default permission (for your Org and for other Orgs) and what could explicitly grant you that permission if you don’t have it by default?
For example, under Platform Settings -> Organizations -> Organization Permissions, you can explicitly grant a user/group the permission View group membership. In Control Panel -> Organization Settings -> Organization Permissions, you can grant the role Organization settings viewer.
I have examples where users of Org A can view group membership without having any of these permissions explicitly, neither for their own Orgs nor Orgs that they’re guest members of.
And examples where users of Org B cannot view group membership of any group, including ones they’re members of.
Is there any other permission that determines ability to view group membership?
Currently we’re in a transitional period where both Platform Settings -> Organizations -> Organization Permissions and Control Panel -> Organization Settings -> Organization Permissions work. The Control Panel setting is recommended moving forward.
The only other ways to view group membership that I’m aware of are (1) the Organization Permissions -> Manage membership organization permission also grants view group membership; (2) the group is an internal group (created in-platform) and the user explicitly has “Manage permissions” or “Manage membership” on that group; (3) the user is a platform admin/granted the permissions through config overrides.
If you’re seeing different behavior, that should probably be an issue or support ticket.
Thanks for the response!
So am I understanding correctly that the default is that a regular user would not be able to view group membership, and it needs to be specifically granted via one of the avenues you mentioned?
(we’ll double-check the setup and if we still can’t figure it out, we’ll open a ticket)
EDIT: @kchen Mystery solved: we have a legacy override in the config that grants this permission
Could you elaborate on exactly what view group membership means? Specifically, if there are no groups associated to the view group membership in the control panel, does that mean:
Users are not allowed to see groups with the Organization’s OrgMarking but can see the groups that have no OrgMarkings (see below an example of a group that can be seen by everyone)
@kchen Could you also please explain the concept of a “legacy override in the config”, what can be achieved with it, and how we can get transparency about those overrides?
Hi @HugoRodrigues, “View group membership” governs whether a user can see members of the group or not. This is different from whether a user can see a group or not (i.e. the existence of the group).
To see that a group has a given member, you need to have View access on the group, View access on the user, and View group membership.
EDIT: to answer your question: It would be (1), but the users would not be able to see members of those groups.
Hi @nicornk, the legacy override I was referring to is something that was configured in the backend before this setting was available in the frontend, i.e. Control Panel. On our stack, the override will be removed and configured in Control Panel instead (as this was the desired behaviour).
It would only be on your stack if (1) it was explicitly set in agreement between Palantir and Platform Admins, and (2) the stack is older than this configuration option existing in the frontend.