# Managing User Access to Records User access to records depends on both permissions and hierarchy context. Users need the right [Roles](/surecloud-docs/documentation/admin/managing-user-access-to-records/roles.md), the right [Groups](/surecloud-docs/documentation/admin/managing-user-access-to-records/groups.md), and access to the right [Hierarchy](/surecloud-docs/documentation/admin/managing-user-access-to-records/hierarchy.md) context. {% hint style="info" %} A user must have both the required permission and access to the record's hierarchy context. {% endhint %} ### How record access works Record access is controlled by three things: * **Roles** define what a user can do. * **Groups** assign those roles to users. * **Hierarchy context** limits which records the user can access. If one of these is missing, the user may not be able to view or update the record. ### Roles Roles define what actions a user can perform in SureCloud. Roles can include: * **System permissions** for platform features * **Entity permissions** for Create, Read, Update, and Delete access on specific record types Use roles to control the level of access a user needs for their job. ### Groups Groups are collections of users. Roles are assigned to groups, and users inherit the roles from the groups they belong to. This makes access easier to manage at scale. In some setups, a new hierarchy item also creates a group with the same name. Managing membership of these groups helps control access to records linked to specific hierarchy nodes. For more information, see [Groups](/surecloud-docs/documentation/admin/managing-user-access-to-records/groups.md). ### Hierarchy context Records can be assigned to a hierarchy context. This limits access to users who belong to the relevant hierarchy node or nodes. Even if a user has the correct role, they may still be unable to access a record if they do not have the right hierarchy access. For more information, see [Hierarchy](/surecloud-docs/documentation/admin/managing-user-access-to-records/hierarchy.md). ### Review or change a user's access If a user cannot access a record, check these areas in order: {% stepper %} {% step %} ### Check the user's groups Confirm the user is a member of the correct group or groups. {% endstep %} {% step %} ### Check the group's roles Review the roles assigned to those groups. Make sure the roles include the required entity permissions. {% endstep %} {% step %} ### Check the record context Confirm the record is assigned to the expected hierarchy context. {% endstep %} {% step %} ### Update access if needed Update the user's group membership or the roles assigned to those groups. Avoid granting access case by case where a role or group update would solve it. {% endstep %} {% endstepper %} For more information, see [Roles](/surecloud-docs/documentation/admin/managing-user-access-to-records/roles.md) and [Users](/surecloud-docs/documentation/admin/managing-user-access-to-records/users.md). ### Best practices * Follow the principle of least privilege. * Use groups to manage access instead of handling users one by one. * Review roles, groups, and hierarchy settings regularly. * Check both permissions and hierarchy when troubleshooting access. If you still need help, contact your SureCloud administrator. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://surecloud.gitbook.io/surecloud-docs/documentation/admin/managing-user-access-to-records.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.