# Manage Permissions
Crystal Projects often carry highly sensitive and confidential data that needs to be handled with care.
For this reason, Crystal Console offers a **Permissions Management System** that enables you, as an Admin User, to manage and customize Member Users' Permissions in order to **control which data they can see and ask for on the Crystal Advisor**.
Impacts of Permissions on the Advisor's Capabilities
Permission settings affect all the Advisor's capabilities where there is a Topic (with Filters) to visualize.
Whenever permissions are not granted, the User’s experience will be limited.
Viewing permissions are crucial for the Member Users to be able to fully experience the following capabilities:
* [Request Topics](/crystal-advisor/talk-to-your-data/conversation/request-topics.md) in Conversations (including Filtering Topics in Conversation)
* [Autocomplete](/crystal-advisor/talk-to-your-data/conversation/request-topics/autocomplete.md)
* [Topics Overview](/crystal-advisor/explore-your-data/dashboard.md)
* [Suggestions](/crystal-advisor/explore-your-data/suggestions.md)
* [Share Topic](/crystal-advisor/report-and-discuss-your-data/share-topic.md)
* [Share Data Story](/crystal-advisor/report-and-discuss-your-data/data-storytelling.md)
* [Alerts](/crystal-advisor/analyze-your-data/alerts.md)
The current version of the capability has been developed to help Admins ensure the highest level of privacy and security of your Crystal Project with an **easier, faster, and more granular system**.
Let's see how to tailor permissions to your needs!
{% hint style="warning" %} **Remember**
Permissions can also be set during the **Topic Configuration** process, in the ["**Set Permissions"**](/crystal-console/topics-configuration/permissions.md) phase.
{% endhint %}
## Underlying Rules
The Permission Management System is designed to support a range of **automatic rules** that **quick-start** the permissions' settings and act as a **baseline framework** for you to start from.
Therefore, before diving into action, it is important for you to keep in mind the main principles for the Permission Management System.
### Permission Levels
Permissions apply to **Topics** and **Filters**.
{% hint style="info" %} **Please Note**
You need to set permissions on your Crystal Project independently of the permissions set in the Data Sources underlying Topics.
In other words, Crystal doesn't inherit the permissions set at the Database level.
{% endhint %}
### **Permission Targets**
Permissions target **Users** and / or **Groups** of Users (added either *manually* or through an *Identity Provider*).
### **Default Permissions**
Some permissions are set by default:
* **By default, Users have no permissions (*****"Revoke All"*****)**
As soon as you [invite new Users](/crystal-console/users/invite-users-to-crystal.md) to a Crystal Project, they have no permissions for Topics and Filters.
{% hint style="warning" %} **Remember**
If you don't grant permission to a User soon after inviting them to your Crystal Project, they won't be able to see and ask for a Topics when accessing the Advisor for the first time!
{% endhint %}
* **By default, Groups have permissions to everything (*****"Allow All"*****)**
As soon as you [create a Group](/crystal-console/users/user-groups.md), it automatically assigns it permissions for all available Topics and Filters.
### **Inherited Permissions**
Some permissions are inherited automatically:
* **Users inherit permissions from Groups**
As soon as you [assign Users to a Group](/crystal-console/users/user-groups.md), they can visualize all the Topics and Filters enabled for that Group.
* **Filters inherit permissions from Topics**
As soon as you grant a User permissions to a Topic, they can also visualize all the Filters for that Topic.
{% hint style="warning" %} **Remember**
You can leverage the Inheritance Rules in your favor to quickly enable Users to visualize Topics and Filters.
Based on the first rule, *Creating Groups strategically* with a *careful selection of its members* could be a good way to manage Users' permissions in a few clicks.
Moreover, *adding a new User to a Group right after an invitation* is the quickest way to enable them to talk to Crystal!
You can find out more about creating and managing a Group [**here**](/crystal-console/users/user-groups.md).
{% endhint %}
## **Manage Permissions Selectively**
Along with the [Default Permissions ](#default-permissions)and [Inherited Permissions](#permissions-inheritance), the Permission Management capability grants you, as an Admin User, the **full power to operate granular customizations** to the permission settings and therefore bypass - or surpass - the baseline settings that automatically come from the main rules.
Go to the *"Users"* Tab of the Crystal Console and find the *"Manage permissions"* Section:
"Users" Tab
From there, you can manually **allow or revoke** permissions, choosing to operate **selectively**:
* On the desired **target** (Users and / or Groups) *- see the dedicated area on the Left*
* At the desired **level** (Topics and / or Filters) *- see the dedicated area on the Right.*
"Manage Permissions" Section
#### Remarks on Targets
You can choose to operate by selecting *different kinds of targets*:
* just one User (**"Single User"**)
* just one Group of Users (**"Single Group"**)
* more than one User at a time (**"Multiple Users"**)
* more than one Group at a time (**"Multiple Group"**)
* Users and Groups, both at the same time (**"Mixed Targets"**)
#### Remarks on Topics
Permission Management is available only for Topics that are in the *status "Ready" for at least one Language.*
If a Topic is *"Ready"* in any language, permissions can be assigned to it and will affect all the languages available for that Topic.
#### General Remarks
All the actions that you make on the permission settings always have *immediate effect*.
Now you are ready to deep-dive into the possible scenarios:
1. [Allow or Revoke Permissions to a Single User](#allow-or-revoke-permissions-to-a-single-user)
2. [Allow or Revoke Permissions to a Single Group](#allow-or-revoke-permissions-to-a-single-group)
3. [Allow or Revoke Permissions to Multiple or Mixed Targets](#allow-or-revoke-permissions-to-multiple-or-mixed-targets)
### Allow or Revoke Permissions to a Single User
**Select your target**
1. from the *"Users"* Tab, navigate to the "*Manage Permissions"* Section
2. in the dedicated *"Target"* area on the Left, select the option "*People" -* here are listed all the active Users along with the following details:
* name and surname
* email
* number of Groups affiliations
3. select a unique User **-** there are several ways to achieve this goal:
* scroll normally
* order (A-Z, Z-A, selected first, unselected first)
* use Search Bar
**Check permissions**
Once you select the target, the *"Permissions"* area opens up on the Right - here are listed all the Topics and Filters with the respective permissions settings.
{% hint style="info" %} **Please Note**
In this case, you may see that the User has:
* some, or most, Topics/Filters set to *"Revoke"* - as this is the default setting for Users
* some Topics/Filters set to *"Allow"* - as this reflects permissions manually given in time
{% endhint %}
{% hint style="danger" %} **Attention**
Topics inherited from a Group are not visible as *"Allowed"* from here, but can be seen in the Group section only.
Therefore, it is possible that some of the Topics / Filters set as *"Revoked"* are actually allowed as inherited from a Group.
{% endhint %}
**Manage permissions**
Manage the User's permissions by allowing and / or revoking Topics and / or Filters permissions in the respective Tabs (*"Topics"* and *"Filters"*).
{% hint style="warning" %} **Remember**
For the second Inheritance Rule, Filters permissions will follow the actions done on Topics.
However, you can manage Filters' permissions separately in the correspondent Tab.
{% endhint %}
1. to search for a Topic / Filter, the following methods are possible:
* order (A-Z, Z-A, Allowed first, Revoked first) - for Topics
* order (A-Z, Z-A) - for Filters
* use Search Bar
* bulk or single select
2. to allow or revoke permissions, simply click on the desired checkboxes, then click on "S*ave"*
{% hint style="danger" %} **Attention**
In the *"Topics"* Tab, two different columns are present: one for the *"Allow"* action and one for the *"Revoke"* action.
In the *"Filters"* Tab, instead, just the *"Allow"* column is present: therefore, in this case, you need to deselect the checkbox to revoke permissions.
{% endhint %}
{% hint style="info" %} **Please Note**
For Filters and Values, keep in mind that:
* when selecting a Filter, it automatically *selects all the Values* inside it
* when opening a Filter, it’s possible to find the complete *list of Values* inside and it is possible to *choose them one by one*
* however, the opposite is not possible: you can't *remove just one Filter* when all of them have been enabled together
{% endhint %}
***See full video!***
{% embed url="" %}
Manage permissions for Single Users
{% endembed %}
### Allow or Revoke Permissions to a Single Group
**Select your target**
1. from the *"Users"* Tab, navigate to the "*Manage Permissions"* Section
2. in the dedicated *"Target"* area on the Left, select the option "*Group" -* here are listed all the existing Groups along with the following details:
* Group name
* number of included Users
* list of included Users
3. select a unique Group **-** there are several ways to achieve this goal:
* scroll normally
* order (A-Z, Z-A, Selected first, Unselected first)
* use Search Bar
**Check permissions**
Once you select the target, the *"Permissions"* area opens up on the Right - here are listed all the Topics and Filters with the respective permissions settings.
{% hint style="info" %} **Please Note**
In this case, you will see that the Group has:
* some Topics/Filters set to *"Allow"* - as this is the default setting for Groups
* some Topics/Filters set to *"Revoke"* - as this reflects permissions manually given in time
{% endhint %}
**Manage permissions**
Manage the Group's permissions by allowing and / or revoking Topics and Filters permissions in the respective Tabs (*"Topics"* and *"Filters"*).
{% hint style="warning" %} **Remember**
For the second Inheritance Rule, Filters permissions will follow the actions done on Topics.
However, you can manage Filters' permissions separately in the correspondent Tab.
{% endhint %}
1. to search for a Topic / Filter, the following methods are possible:
* order (A-Z, Z-A, Allowed first, Revoked first) - for Topics
* order (A-Z, Z-A) - for Filters
* use Search Bar
* bulk or single select
2. to allow or revoke permissions, simply click on the desired checkboxes, then click on "S*ave"*
{% hint style="danger" %} **Attention**
In the *"Topics"* Tab, two different columns are present: one for the *"Allow"* action and one for the *"Revoke"* action.
In the *"Filters"* Tab, instead, just the *"Allow"* column is present: therefore, in this case, you need to deselect the checkbox to revoke permissions.
{% endhint %}
{% hint style="info" %} **Please Note**
For Filters and Values, keep in mind that:
* when selecting a Filter, it automatically *selects all the Values* inside it
* when opening a Filter, it’s possible to find the complete *list of Values* inside and it is possible to *choose them one by one*
* however, the opposite is not possible: you can't *remove just one Filter* when all of them have been enabled together
{% endhint %}
{% hint style="warning" %} **Remember**
All the changes saved for a Group will be reflected on *all Users* inside the Group.
{% endhint %}
***See full video!***
{% embed url="" %}
Manage permissions for Single Groups
{% endembed %}
### Allow or Revoke Permissions to Multiple or Mixed Targets
In these scenarios, you will be able to make changes to multiple sets of permissions in one go!
**Select your target**
1. from the *"Users"* Tab, navigate to the "*Manage Permissions"* Section
2. in the *"Target"* section on the Left, select one of these options:
* **"Multiple Users"**: more than one User from Tab *"People"*
* **"Multiple Groups"**: more than one Group from Tab *"Groups"*
* **"Mixed Targets"**: both Users and Groups from both Tabs (e.g. one User and one Group, two Users and one Group, etc.)
{% hint style="danger" %} **Attention**
In all these three cases, it’s *not possible to check* the permissions given to Topics / Filters for all the selected targets, as are permissions different for each sub-target selected.
By the way, it is known already that:
* Users have *"Revoke All"* default settings
* Groups have *"Allow All"* default settings
{% endhint %}
**Choose a modality**
Once you select the target, the *"Permissions"* area opens up on the Right - here are listed all the Topics and Filters with the respective permissions settings.
In these cases, it is also possible to **choose between two modalities** to operate with:
* **"Append Permissions"**
This option entails that the chosen changes - i.e. the allowed or revoked Topics/Filters - will be just *added* to the permissions already in place, *without modifying* them.
This means that other Topics/Filters - i.e. the ones not selected - will *maintain the current permissions*.
* **"Unlink Target's Permissions"**
This option entails that the applied changes will be causing an *overwrite* on the permissions already in place, *modifying* them.
The overwriting will happen on the other Topics/Filters - i.e. the ones not selected - which will change by being *all revoked*.
In summary...
This is what will happen when saving a change to permissions using the two different modalities.
**"Append Permissions":**
* Topic/Filters checked as *"Allow"* will be allowed
* Topic/Filters checked as *"Revoke"* will be revoked
* not selected Topics/Filters *will remain unchanged*
**"Unlink Target's Permissions":**
* Topic/Filters checked as *"Allow"* will be allowed
* Topic/Filters checked as *"Revoke"* will be revoked
* not selected Topics/Filters *will be revoked*
{% hint style="warning" %} **Remember**
The first modality is the safest one to use!
{% endhint %}
**Manage permissions**
Regardless of the modality chosen, you can allow and / or revoke Topics and Filters permissions in the respective Tabs (*"Topics"* and *"Filters"*).
{% hint style="warning" %} **Remember**
For the second Inheritance Rule, Filters permissions will follow the actions done on Topics.
However, you can manage Filters' permissions separately in the correspondent Tab.
{% endhint %}
1. to search for a Topic / Filter, the following methods are possible:
* order (A-Z, Z-A, Allowed first, Revoked first) - for Topics
* order (A-Z, Z-A) - for Filters
* use Search Bar
* bulk or single select
2. to allow or revoke permissions, simply click on the desired checkboxes, then click on "S*ave"*
{% hint style="danger" %} **Attention**
In the *"Topics"* Tab, two different columns are present: one for the *"Allow"* action and one for the *"Revoke"* action.
In the *"Filters"* Tab, instead, just the *"Allow"* column is present: therefore, in this case, you need to deselect the checkbox to revoke permissions.
{% endhint %}
{% hint style="info" %} **Please Note**
For Filters and Values, keep in mind that:
* when selecting a Filter, it automatically *selects all the Values* inside it
* when opening a Filter, it’s possible to find the complete *list of Values* inside and it is possible to *choose them one by one*
* however, the opposite is not possible: you can't *remove just one Filter* when all of them have been enabled together
{% endhint %}
{% hint style="warning" %} **Remember**
Changes will be applied to *all the selected Targets*.
{% endhint %}
***See full video!***
{% embed url="" %}
Manage permissions for Multiple or Mixed Targets
{% endembed %}
### Limitations Recap
Here is a recap of the main limitations seen in the ***"Allow or Revoke Permissions"*** scenarios.
Limit on Filters Allowed per User
While all the existent Filters are present in the list, a *maximum of 1000* *Filters* can be allowed per User.
Different logics for "Allow" and "Revoke" actions in Topics and Filters Tab
In the *"Topics"* Tab, two different columns are present: one for the *"Allow"* action and one for the *"Revoke"* action.
In the *"Filters"* Tab, instead, just the *"Allow"* column is present: therefore, in this case, you need to deselect the checkbox to revoke permissions.
Missing visibility of permissions for inherited Topics / Filters
In the dedicated *"Permissions"* area on the Right, the list of Topics' and Filters' permissions that is visualized mainly reflects the *default* and *manual* permissions, whereas *inherited permissions* *are not reflected there* (e.g. Topics inherited from Groups, Filters inherited from Topics).
***The best way to know about the inherited Topics and Filters is to check the specific Groups' sections.***
Missing visibility of permissions in Multiple or Mixed Targets selection
In the dedicated *"Permissions"* area on the Right, when **"Multiple or Mixed Targets"** are selected (Multiple Users, Multiple Groups, Mixed Targets), *it* *is not possible to visualise the current permission settings for the specific sub-targets selected*.
***To visualise the permissions of each sub-target, you need to come back to the single User visualizations or to visualize the Groups section.***
Missing "Revoke" option for Filters in Multiple or Mixed Targets selection
As of now, when **"Multiple or Mixed Targets"** are selected (Multiple Users, Multiple Groups, Mixed Targets), it is *not possible to revoke Filters permissions, but only allow them*.
***To revoke them, you need to manage targets one by one.***
## **Edge Cases**
Please consider the following edge cases that require a careful permissions management.
### Users That Outgrow Group's Permissions Settings
With time, you will need to accomodate for specific permissions needs that arise case by case.
Therefore, based on the choices that you make, there will be different types of permission scenarios for Member Users:
* Users that *only have* G*roup-inherited permissions*
* if you have assigned them to Groups but never customised permissions further
* Users that *only have* *manually granted permissions*
* if you have not assigned them to any Group but have exclusively customised permissions manually
* Users that *have a* *mix of Group-inherited and manually granted permissions*
* if you have done both actions
In these cases, it is highly probable that some Users end up with *less permissions or more permissions compared to the ones granted to the Groups they are in*, if you have respectively revoked or allowed many permissions to them after adding them to Groups.
***Don't worry: this is actually the most probable scenario, as well as the one where you have actually created totally custom and tailored permissions settings!***
### Permissions on New Topics
When a new Topic is added to the Console, its permission settings are the ones previously decided during the **Configure Topic** process, during the ["**Set Permissions"**](/crystal-console/topics-configuration/permissions.md) phase, on a Group level.
Two scenarios are possible:
* you have *already granted* permissions to some Groups
* you have decided to *skip permission setting* for later: in this case, no Group has permissions to that Topic
At a Users' level, this implies that only the Users who were already in the enabled Groups inherit the Topic immediately, whereas all other Users need to be enabled manually later, either individually or by enabling their Groups as well.
***When a new Topic is created, remember to double check which Groups or Users need to be enabled to it!***
### **Permissions on New Filters**
When a new Filter is added in Console, it is automatically *allowed on all Groups*: therefore, to all Users in those Groups (because Groups have all permissions by default).
***When a new Filter is created, you should double check if the correct Groups/Users have been enabled and manually revoke the permission of some Groups/Users, if needed!***
***
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://docs.igenius.ai/crystal-console/users/manage-permissions.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.