ABAC: Creating and Managing Sites Using Access Control Groups

Overview

This article explains how to create and manage intranet sites using Access Control Groups (ACGs). ACGs define which users can create or manage sites based on designated audiences (e.g., departments, business units). This configuration helps ensure the right users have access to the right sites without exposing sensitive content to unintended audiences.

Key concepts

• Access Control Groups (ACGs): Permission groups used to manage access to intranet features based on audiences.

• Audiences: Segments of users (e.g., Manufacturing, Retail, London) defined by your organization's structure and people data.

• Manage site ACG: Grants users the ability to create and manage sites for a specific audience.

• Add site ACG: Grants users permission to create sites for a specific audience.

• Target audience: Number of users within an audience included as part of the ACG. The target audience defines the maximum set of users who can:

  • Discover a site

  • Request to join a private site

  • Follow or become a member of a public site

How does it work?

When a new site is created, the max audience is determined based on the Access Control Group(s) the creator belongs to. Site management permissions are determined by the target audience of the site and the target audience of the ACG.

​​If a user is not part of the max audience, they cannot see the site at all, it’s invisible to them. This rule applies to the creator of the site as well.

System-generated ACGs

When sites are enabled in your intranet, two system-generated ACGs are created by default:

1. Manage sites ACG: This allows a user to manage sites for any ACGs they're a part of

2. Add sites ACG: Allows a user to create new sites for specified audiences as determined by the app manager

These are assigned to the app manager by default. The app manager can manage site access or delegate permissions by adding users to these ACGs.

Custom ACGs

In addition to system-generated groups, administrators can create custom ACGs to control site access more granularly. For example, you might have:

• Manage sites ACG – Allows a user to manage sites for “Manufacturing” and “Retail.”

• Adds sites ACG – Allows a user to only create sites for those audiences.

Site creation & membership changes

• Attach audience while creating a site:

  • Attach audience(s) at the time of creation.

  • Max viewable audience or target audience of the site is based on the creator’s ACG.

  • As explained earlier Feature owner, admin and managers of Add site and Manage site ACGs will be able to create sites.

• Maximum viewable audience/Target audience:

  • The max audience for a site is determined at the time of creation, based on the creator’s ACG.

  • This audience defines who can discover or view the site.

  • After site creation, Feature owner, admin, managers can modify the max audience, but only if they have the right ACG permissions.

• Edit site audience:

  • The Edit site operation supports updating the audience associated with the site.

  • However, users can only assign audiences for which they have permissions via their ACGs.

  • Changing a site’s audience impacts:

    • User visibility and access to the site

    • Content visibility

  • Only users with Manage site permissions via ACGs can change the audience.

  • Site managers, site owners, content managers of the sites will not able to change the target audience of the site.

  • If a change would cause another Manager/Admin to lose access, a visual warning is shown for the same.
    

Example: Creating a site as an ACG member

Let’s look at how a user, Amber Rich, with permissions to manage “Manufacturing” and “Retail” sites, can create a new site:

1. Login as Amber Rich. Amber can view and manage existing sites tied to her ACG.

2. Create a site. Navigate to Manage > Sites, then select Create site.

3. Site access types. You can now select either:

   • Public site: Visible to all users within the target audience

   • Private site: Discoverable by users in the audience but requires membership to access content

   Note:

   Unlisted sites are no longer supported. Their functionality is replaced by the target audience setting.

1. Set the target audience. Amber will only see the audiences assigned to her ACG (e.g., "Retail" and "Manufacturing"). This ensures she cannot create sites for unapproved groups.

Subscription and audience management

While creating the site, you can configure Subscriptions. Subscriptions are used to automatically assign an audience to site membership or to follow a site or person.

• Add members or followers to the site based on the selected target audience

• Only users within the chosen audience can be added

• You can also define sub-audiences for more specific targeting

Adding content with audience controls

When creating content within a site, you can configure:

Must reads

• Select any audience or sub-audience to receive a must-read alert

• Site creation automatically generates system audiences (e.g., site members, followers) that can be used in this configuration

Notifications

• Send notifications to:

  • Site’s system-generated audiences (members, followers)

  • Target audiences or sub-audiences (coming soon for public sites)

System audience hierarchy

Every site has automatically generated system audiences such as:

• Site managers

• Members

• Followers

These can be reused across other features, such as newsletters, to target site-specific users effectively.

Summary

Access Control Groups provide a secure, flexible way to manage site visibility and permissions. With clearly defined roles and audience restrictions, you can streamline intranet content creation and prevent unintentional exposure of internal information.