Skip to content
English
Create Ticket
  • There are no suggestions because the search field is empty.

How to Use Groups

 Understanding Groups Overview

Groups in MedixSafe let you organize who can use which safes and related devices. A Group ties together:

  • Users who are allowed to access those devices
  • Devices (safes) those users may use
  • Optional settings for that slice of your organization—such as alert recipients and extra authentication (step-up) rules

Groups are the foundation for role-based access on larger accounts: stations, departments, regions, or hospital units can each have their own membership without giving every user access to every safe.

If you only have a few users and one safe, you may not need Groups at first. As you add sites and staff, Groups keep access control manageable and auditable.

What Groups Control

Physical access at the safe

For most day-to-day openings (card, PIN, fingerprint, and similar methods), the safe checks whether the user is allowed to use that device:

  • If the safe is assigned to a Group, the user must be a member of that same Group to be granted access.
  • If the safe is not assigned to any Group, users on the account are generally not restricted by Group membership for that device (other account rules still apply).

Global Administrators (account administrators) can access safes across the account according to administrator rules, even when they are not listed in every Group.

Group Administrators are limited to managing devices and users in Groups they belong to. For routine access at the keypad, a Group Administrator still needs to be a member of the Group that owns the safe—having the admin role alone is not enough.

Administrative scope in the console

Groups also define what Group Administrators can see and change in the Link console—devices, users, enrollment, Remote Authorize Open, and similar tasks scoped to their Groups. Global Administrators manage Groups themselves (create, delete, assign safes, change Group-wide settings).

Alerts and notifications

Each Group can have notification email addresses for events related to devices in that Group (for example, device warnings). Administrators can also use per-user notification preferences for certain alert types.

Extra authentication (step-up)

A Group may be configured with its own authenticator settings (for example, SMS step-up) that apply when users access devices in that Group. When set, Group settings can override the account default for those devices during access requests. If your organization uses step-up authentication, confirm whether it is configured at the account level, the Group level, or both.

How Groups Relate to Users and Devices

Concept

Behavior

Users in multiple Groups

A user can belong to more than one Group. They can access safes in any Group they belong to.

Safes in one Group

Each safe (device) is assigned to at most one Group at a time. Moving a safe to a new Group removes it from the previous one.

Users not in any Group

They can still exist on the account but will not get access to safes that are assigned to a Group—unless they are a Global Administrator or the safe has no Group.

Safes not in any Group

Not restricted by Group membership for access checks.

Think of a Group as a label on both people and hardware: access is allowed when the person’s label matches the safe’s label.

Typical Ways Organizations Use Groups

Examples:

  • Fire Station 12 — users and apparatus safes for that station only
  • Emergency Department — North Campus — ED staff and all ED narcotics safes
  • Fleet / logistics — a small set of users and mobile or depot safes

You might create Groups by location, shift, unit, or program—whatever matches how you delegate responsibility and review access logs.

Creating a Group

Who can do this: Global Administrator only (create, delete, and change Group structure such as which safes belong to the Group).

Who can help maintain membership: Group Administrators can add or remove users from Groups they belong to. They cannot create or delete Groups, reassign safes between Groups, or change certain Group details (description, logo, notification list, authenticator)—those require a Global Administrator.

Steps (Link console)

  1. Sign in as a Global Administrator.
  2. Open Group Management.
  3. Select Add Group.
  4. Enter a Group name and description (required).
  5. Optionally specify users or emails for Group-related alerts, then continue through the wizard.
  6. Select users to add to the Group.
  7. Select devices (safes) to assign to the Group.
  8. Review the summary and select Add Group.

The new Group appears on the Group Management screen. Assign any remaining users or safes later by editing the Group or using Device Management.

For the full console flow, see the Link install guide — Group Management.

Common Questions

Can one user access safes at two stations?
Yes. Add them to both Groups (or one Group that contains all safes they need, if your structure allows).

Why can a new hire not open the safe?
Check: (1) user is active, (2) credentials are enrolled, (3) user is in the same Group as the safe, (4) safe is enabled and online.

Why does a Group Administrator not see a safe?
The safe is likely in another Group, or the administrator is not a member of that Group.

Do we need Groups for a single safe and five users?
Optional. You can run without Groups, but creating one Group that contains all five users and the safe makes later expansion and delegated admin easier.

Troubleshooting

Issue

What to check

Access denied at safe

User in correct Group? Safe assigned to that Group? User and card active?

User sees wrong safes in console

Group Administrator role is scoped to their Groups only.

Cannot create a Group

Must be Global Administrator.

Cannot add a safe to a Group

Global Administrator assigns devices; safe may already belong to another Group.

Alerts not received

Group notify emails set? User notification settings enabled?

After reorganizing stations

Update Group membership for users and safe assignments.