> ## Documentation Index
> Fetch the complete documentation index at: https://wundergraphinc-brendan-add-sof-link.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# Group Rules

> Configure the resources accessible to your groups.

A **group rule** defines the roles and associated resources that determine what group members and API keys can access, as well as the level of permissions granted.

<Frame caption="Group with no rules">
  <img src="https://mintcdn.com/wundergraphinc-brendan-add-sof-link/lp_f9DXOip40YgZM/images/studio/setting-viewer-access-rules.png?fit=max&auto=format&n=lp_f9DXOip40YgZM&q=85&s=edd16c820cbbf3f658a0bb74a5ee9e56" alt="Cosmo Studio group configuration page showing viewer rules granting access to multiple resources." title="Setting viewer access rules" width="1540" height="818" data-path="images/studio/setting-viewer-access-rules.png" />
</Frame>

When a group rule doesn't have any explicit resources, the group will always have access to all resources within the organization.

In the same way, if a rule is limited to a single resource and that resource is deleted from the organization, the rule will fall back to granting access to all resources in the organization.

<Note>
  Unlike assigning specific resources, if a group doesn't have any rule assigned, this will result in the group effectively not having access to any resource.
</Note>

## Roles

You can assign multiple roles to a group using the `Add rule` button. If no group rules are configured, group members will not have access to any resources.

<Frame caption="Role selector">
  <img src="https://mintcdn.com/wundergraphinc-brendan-add-sof-link/lp_f9DXOip40YgZM/images/studio/selecting-user-role-for-wundergraph.png?fit=max&auto=format&n=lp_f9DXOip40YgZM&q=85&s=e994b7d2dd219bdb19def67b667f7397" alt="Cosmo Studio role selector for a group showing organization roles like Admin, Developer, and API Key Manager." title="Selecting user role for wundergraph" width="1520" height="1114" data-path="images/studio/selecting-user-role-for-wundergraph.png" />
</Frame>

Each role type can only be added once per group. For example, you can assign the `Organization Admin` and `Organization Viewer` roles in the same group, but you cannot assign the same role type more than once. You could also add a `Graph Admin` role to that group, as long as each role type appears only once.

The order in which roles are assigned does not affect how access checks are performed. For example, given the following group:

<Frame>
  <img src="https://mintcdn.com/wundergraphinc-brendan-add-sof-link/4e0tdWXXIKi1QWpK/images/studio/wundergraph-rule-without-description.png?fit=max&auto=format&n=4e0tdWXXIKi1QWpK&q=85&s=76df2e007999f80ef06f36df30dcedd0" alt="Cosmo Studio group rule editor showing roles for wundergraph without a description or namespace assigned." title="Wundergraph rule without description" width="1524" height="710" data-path="images/studio/wundergraph-rule-without-description.png" />
</Frame>

The members for this group will have **Admin** access to the `default` namespace and **Viewer** to the `test` and any other namespace that may exist in the organization.

If the namespace `default` is deleted, the **Admin** role is no longer scoped and will apply to all resources.

With this in mind, members of the following example will have **Organization Admin** access to all resources.

<Frame>
  <img src="https://mintcdn.com/wundergraphinc-brendan-add-sof-link/lp_f9DXOip40YgZM/images/studio/role-permissions-settings-page.png?fit=max&auto=format&n=lp_f9DXOip40YgZM&q=85&s=306a7b3900ae578f4790b13d469d2352" alt="Cosmo Studio settings page showing role permissions for Admin, Developer, and API Key Manager roles." title="Role permissions settings page" width="1526" height="928" data-path="images/studio/role-permissions-settings-page.png" />
</Frame>

### Organization Roles

These roles apply at the organization level and cannot be limited to specific resources:

1. **Admin** — Full permissions to create and manage all services.
2. **Developer** — Read and write access to all organizational objects.
3. **API Key Manager** — Permissions to create, modify, and delete API keys.
4. **Viewer** — Read-only access to all organizational objects.

An organization **Developer** can manage namespaces and publish graphs. An **Admin** can do the same, plus manage organization-wide settings.

### Namespace Roles

1. **Admin** — Read and write access to assigned namespaces.
2. **Viewer** — Read-only access to assigned namespaces.

If no resources are assigned, the group is granted access to all namespaces in the organization. Groups with the **Admin** role will also be able to create new namespaces.

### Graph Roles

1. **Admin** — Read and write access to assigned graphs.
2. **Viewer** — Read-only access to assigned graphs.

Graph resources can be assigned in one of two ways:

* **Namespace**: Grants access to all graphs within the selected namespace, including permission to create new graphs.
* **Specific graphs**: Limits access to only the selected graphs.

If no graphs are explicitly assigned, the group will have access to all graphs in the organization. Groups with the **Admin** role will also be able to create new graphs.

<Frame caption="Graph resource selector">
  <img src="https://mintcdn.com/wundergraphinc-brendan-add-sof-link/lp_f9DXOip40YgZM/images/studio/rule-granting-full-access-to-resources.png?fit=max&auto=format&n=lp_f9DXOip40YgZM&q=85&s=dd7b27afbb720472d0be070e791aa42c" alt="Cosmo Studio graph resource selector showing default and test namespaces with full access permissions." title="Rule granting full access to resources" width="1534" height="792" data-path="images/studio/rule-granting-full-access-to-resources.png" />
</Frame>

### Subgraph Roles

1. **Admin** — Read and write access to assigned subgraphs.
2. **Publisher** — Read and write access to assigned subgraphs, but cannot create new ones.
3. **Checker** — Grants read-only access to subgraphs as well as the ability to create subgraph checks.
4. **Viewer** — Grants read-only access to subgraphs.

Subgraph resources can be assigned similarly:

* **Namespace**: Grants access to all subgraphs within the selected namespace, including permission to create new subgraphs.
* **Specific subgraphs**: Restricts access to only the selected subgraphs.

If no subgraph resources are assigned, the group will have access to all subgraphs in the organization.

## Resources

<Frame caption="Graph resource selector">
  <img src="https://mintcdn.com/wundergraphinc-brendan-add-sof-link/lp_f9DXOip40YgZM/images/studio/rule-configuration-for-test-and-admin.png?fit=max&auto=format&n=lp_f9DXOip40YgZM&q=85&s=8bf1e39d8e08f6f7cdcf3533e107fe03" alt="Cosmo Studio rule configuration screen for test and admin namespaces showing one selected rule." title="Rule configuration for test and admin" width="1780" height="1202" data-path="images/studio/rule-configuration-for-test-and-admin.png" />
</Frame>

Resources represent entities in your organization, including but not limited to:

* Namespaces
* Federated Graphs
* Subgraphs