Nembl
Admin Guide
Identity & Access
Groups & Teams

Groups & Teams

Nembl provides two mechanisms for organizing people: groups for access control and teams for work execution. Both can contain users and AI agents as members.

Groups vs. Teams

GroupsTeams
PurposePermission managementWork organization
RolesRoles assigned to the group are inherited by all membersTeams own inboxes, services, and workflows
HierarchyFlat (no nesting)Belong to an organization in the entity hierarchy
InboxNo inboxEach team has its own inbox for receiving requests
Examples"All Managers", "Security Auditors", "Read-Only Users""Frontend Team", "Customer Support", "Design"

Use groups when you need to grant the same permissions to a set of users. Use teams when you need to organize people around shared work and inboxes.

Creating a Group

  1. Navigate to Settings > IAM > Groups.
  2. Click Create Group.
  3. Enter a group name and optional description.
  4. Assign one or more roles to the group. All members will inherit these roles.
  5. Click Save.

Adding Members to a Group

  1. Open the group from Settings > IAM > Groups.
  2. Click Add Members.
  3. Search for users or agents by name or email.
  4. Select the members to add and click Confirm.

Members immediately inherit the group's roles upon being added. When a member is removed from a group, they lose the group's roles (unless they have those same roles assigned directly or through another group).

Adding AI Agents to a Group

AI agents are first-class entities in Nembl and can be added to groups just like users. This is useful for granting agents a standard set of permissions. For example, you might create a "Service Agents" group with permissions to read requests, update priority, and route items.

Creating a Team

Teams are part of the entity hierarchy and belong to an organization.

  1. Navigate to Settings > Organizations.
  2. Select the organization that will contain the team.
  3. Click Create Team.
  4. Enter a team name and optional description.
  5. Click Save.

Adding Members to a Team

  1. Open the team from the organization page or from Settings > Teams.
  2. Click Add Members.
  3. Search for users or agents.
  4. Select members and click Confirm.

Users can belong to multiple teams simultaneously. A developer might be on both the "Backend Team" and the "On-Call Team."

Team Inboxes

Every team has an inbox where incoming requests and tasks are queued for processing. The team's inbox is central to how work flows through the platform.

Inbox Ownership

  • The team collectively owns its inbox.
  • Team members can view, accept, and process items in the team inbox.
  • The inbox can be configured with an AI agent for automated intake (triage, prioritization, auto-accept).

Configuring the Inbox Agent

  1. Open the team page.
  2. Click Inbox Settings.
  3. Toggle Enable Inbox Agent.
  4. Configure the agent's behavior:
    • Manual -- agent is disabled; humans handle all intake
    • Auto Accept -- agent automatically accepts all incoming items
    • AI Triage -- agent evaluates each item and recommends accept, reject, or route
  5. Set the autonomy level:
    • Suggest -- agent recommends actions but a human must confirm
    • Act with Approval -- agent takes action but flags it for review
    • Fully Autonomous -- agent acts without human intervention
  6. Click Save.

Managing Group Membership at Scale

For larger organizations, consider these patterns:

  • Department groups -- "Engineering", "Marketing", "Finance" with department-wide permissions.
  • Role-based groups -- "Service Managers", "Workflow Designers" with function-specific permissions.
  • Temporary groups -- "Q1 Audit Team" for time-limited access. Remove the group when the project ends.

Viewing a User's Group Memberships

  1. Navigate to Settings > IAM > Members.
  2. Click on the user.
  3. Open the Groups tab to see all groups the user belongs to and the roles inherited from each.

Bulk Operations

  • Import members -- Add multiple users to a group by uploading a CSV with email addresses.
  • Clone group -- Create a new group with the same roles and members as an existing one, then modify as needed.

Best Practices

  • Use groups for permissions, teams for work. Do not overload teams with permission management responsibilities.
  • Keep groups focused. A group named "Can Publish Workflows" is easier to audit than "Engineering Managers with Extra Access."
  • Review group memberships when people change roles. When someone moves departments, update their groups to reflect their new responsibilities.
  • Limit fully autonomous agents. Start agents at "Suggest" autonomy and increase only after validating their behavior in your environment.
Roles & PermissionsPolicies & ABAC