With access groups, users can be organized into a hierarchical structure and assigned constraints and arbitrary session attributes.

A user can be added to a single group only, however they inherit the list of constraints and session attributes from all the groups up the hierarchy.

User access groups can be defined in the application code or at run time using the Administration > Access Groups screen. In the former case, create classes extending AnnotatedAccessGroupDefinition and add @AccessGroup annotations using the parent attribute to configure the hierarchy of groups. The classes must be located in the core module. For example: