---
title: "Asset Group Access Control"
slug: "asset-group-access-control"
updated: 2024-04-22T00:27:18Z
published: 2024-04-22T00:27:18Z
canonical: "help.nucleussec.com/asset-group-access-control"
---

> ## Documentation Index
> Fetch the complete documentation index at: https://help.nucleussec.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Managing access to Asset Groups (AGAC)

This article provides an explanation for how to restrict access users and teams to only a subset of asset and finding information in a project. Asset Group Access Control allows administrators to assign users in their organization access to specific asset groups and their associated vulnerability and compliance finding data.

## What is Asset Group Access Control (AGAC)?

Asset Group Access Control (AGAC) is an access control layer at the project level for limiting what assets (and by extension findings) that users and teams can see within a Nucleus project. AGAC is an important component of ownership, and enables asset owners and remediators to gain access to information that is only relevant to them and their job context from within Nucleus.

AGAC can also be automated at scale by being used alongside SSO team mappings. When you auto-provision users to teams with SSO team mappings, when that user's job roles change within your identity provider their team and access to asset groups in Nucleus will automatically be updated on next login.

User and team based AGAC can also be used together. When a user has asset groups specified at both the user and team levels, they will have access to the union of these asset groups. For example, if an organization administrator assigns user Jack to asset group 1, and Jack is part of a team that has access to asset group 2, then Jack will have access to both asset groups 1 and 2.

Required permissionsYou must be an organization administrator to configure AGAC.

## Managing AGAC

### Steps to setup AGAC for individual users

1. Log in to your Nucleus project.
2. From the navigation bar on the left, under **Global Administration**, select **Users**.
3. Find the user you want to assign, and click the expansion selector on the left side of the table to expand their row.

![](https://cdn.document360.io/3888970a-6501-459e-acc9-c47b71c6d64c/Images/Documentation/user%20select%20table(2).png)

1. Locate the project in which you want to restrict the user’s asset group access in the **Project** column.

![](https://cdn.document360.io/3888970a-6501-459e-acc9-c47b71c6d64c/Images/Documentation/Screenshot%202023-09-27%20at%2010.19.50%20AM(1).png)

1. In the **Access** column, select **edit**.

![](https://cdn.document360.io/3888970a-6501-459e-acc9-c47b71c6d64c/Images/Documentation/Screenshot%202023-09-27%20at%2010.19.50%20AM.png)

1. From the menu, select which asset groups the user should have access to in that project.

![](https://cdn.document360.io/3888970a-6501-459e-acc9-c47b71c6d64c/Images/Documentation/Screenshot%202023-09-27%20at%2010.24.59%20AM.png)

1. Click **Save**.

Recommended User Access RoleFor the most secure experience, ensure the user is assigned the [Asset Group Restricted User role](https://help.nucleussec.com/docs/roles-permissions#pre-built-roles-in-nucleus)

### Steps to setup AGAC for teams

EnablementPlease contact support to have AGAC for teams enabled for your Nucleus organization.

1. Log in to your Nucleus project
2. From the navigation bar on the left, under **Project Administration,**select **Team Management**
3. Add a new team, or edit an existing team
4. In the Asset group access control list section, designate the asset groups that the team should have access to
5. Perform other team actions, like adding/editing the team name, SSO mapping etc.
  1. Once users have been selected from the list, ensure that users are added to the team by selecting **Add users**
6. Click **save** ![](https://cdn.document360.io/3888970a-6501-459e-acc9-c47b71c6d64c/Images/Documentation/Screenshot%202023-09-26%20at%2012.47.47%20PM.png)

## Additional resources

Learn more about how Asset Group Access Control works with [automatic asset grouping](https://help.nucleussec.com/docs/asset-groups#about-automatic-asset-grouping) to provide the most secure and manageable admin experience.