When working with Groups and Subgroups it is important to bear in mind that all Users who belong to a parent group will automatically be assigned to the Subgroups of that parent Group.
This is due to the permission hierarchy. The parent Group is the highest permission level, in other words, if you belong to the Parent Group you are already granted access to the highest permission level, therefore you also have access to the subgroups that belong to the parent group. That is why the system automatically assigns Subgroups to the users who belong to the Parent Group.
In other words, Users can belong to a Subgroup and not belong to the Parent Group but not the other way around.
Assigning Users only to Subgroups
Subgroups make sense when you want to give Users access to items assigned to the Subgroup but not to the other Subgroups or to the Parent Group itself.
For example, this could be the case when using Subgroups to limit access to content that should only be shown to Users belonging to a specific department, i.e. if you are trying to replicate your organization chart with the Group functionality. An idea to do this with Subgroups could be to do the following:
- Create a General Group for items that everybody can access.
- Create a new group you call Global and under this Parent Group, you create all the departments as Subgroups.
Users will then have access to the General Group as well as to their specific Department(s)/Subgroup(s).
Administrators can have access to the two main Parent Groups: General and Global, which means that they will also have access to all Subgroups. That way, when any Subgroup is added to the Group structure it will automatically be assigned to Administrators as well.