Secure a Group

There may be occasions where each group will need different security settings. Don't worry, this is super easy in Rock. To secure a specific group, find the group in the group viewer (People > Group Viewer). On the group details page, you'll find the same lock button. Clicking this button will bring up the Rock security dialog where you can adjust the security settings.

Groups have a special Manage Members security tab. Anyone with Manage Members security can add, edit and delete group members, but they can't edit or delete the group itself. If no permissions are listed under Manage Members, it doesn't mean that members can't be managed. Anyone with Edit access has Manage Members access by default. Also, group Leaders can manage members even if no Manage Members permissions are set or if they don't have Edit permission.

Note the inherited permissions at the bottom of this screen. Inherited security is a very powerful concept with groups. By default, a group will inherit the security of its parent groups and group type. This limits the amount of security configuration each group requires. These inherited rights are only a starting point. You can either build on top of these permissions or override them. The choice, and power, is up to you.

At first you may be tempted to go overboard with your group's security settings. In general, it's best to keep them simple. For instance, in the case of home-based Bible studies you may be tempted to secure each group differently to only allow the leader to edit them. While in certain cases you may need to do this, you could also secure all groups with a generic Small Group Leader role. You could then limit which groups a leader was able to navigate to through the configuration of your leader toolbox blocks.

Group Creator Security

In older versions of Rock, the person who created a new group would automatically have Administrate permissions for the group they added. This behavior can now be controlled via block settings.

The Group Detail block has a setting called Add Administrate Security to Group Creator. When this is set to "Yes" then the person who created the group will automatically have the security permission to Administrate the new group being added.

The default value for this setting is "No", which means the person creating the group will not be able to administrate the group unless they have permissions from another role that would allow them to do so. If you started off on an older version of Rock, this won't retroactively impact security permissions for any existing groups.

Group Member Roles

Group member roles play an important part in how groups are secured. Each role can be configured to provide View and/or Edit rights. This is configured under Admin Tools > Settings > General > Group Types.

Inherited Permissions

When determining the security of a group it’s important to consider not only the specific permissions of the group but also the inherited permission rules. The inheritance rule for groups is: Current Group > Group Type Security > Parent Group Security > (continue up the hierarchy until it reaches the root group) > Group EntityType Security > Global Default.

The primary inheritance rules come from the group’s hierarchy, but the system has a built-in ‘choke point’ check on the security of the group type first. Why is this? Adding a quick check of the group type's security allows specific types of groups to have unique security considerations. Take for example a group type for ‘Addiction Classes’. Checking the group type's security provides a way to limit visibility to these groups without having to worry about inconsistencies in the security of the group hierarchy. In most cases the group type will not have specific security so this check will not matter, but it’s there if you need it.

If the person is denied access after the group’s security has been checked, there’s still one last check to be done. Roles defined on the group type can be configured to provide access to the group. For instance, you can configure the leader of a group to have view/edit rights to that group. Likewise, the member of a group could be set up to have view access. This allows a very simple and flexible way of providing access to external individuals.
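
The resolution order described above can be modeled in a few lines. This is an added illustration, not Rock's own code: the rule format, the "*" wildcard, the first-match-wins behavior within a level, the deny-by-default global default, and all group, role and person names are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# A rule is (action, security_role, allow). Assumption: within one level the
# first rule matching the action and one of the person's roles decides.
EVERYONE = "*"  # constructed wildcard standing in for "all users"
@dataclass
class GroupType:
    name: str
    rules: list = field(default_factory=list)
    role_grants: dict = field(default_factory=dict)  # member role -> actions
@dataclass
class Group:
    name: str
    group_type: GroupType
    parent: Optional["Group"] = None
    rules: list = field(default_factory=list)
    members: dict = field(default_factory=dict)  # person -> member role

def first_match(rules, action, person_roles):
    for rule_action, role, allow in rules:
        if rule_action == action and (role == EVERYONE or role in person_roles):
            return allow
    return None  # this level has no opinion; keep walking

def is_authorized(group, action, person, person_roles,
                  entity_type_rules=(), global_default=False):
    # Page order: group, group type, parents to root, entity type, global default.
    levels = [group.rules, group.group_type.rules]
    ancestor = group.parent
    while ancestor is not None:
        levels.append(ancestor.rules)
        ancestor = ancestor.parent
    levels.append(entity_type_rules)
    decision = next((d for d in (first_match(r, action, person_roles)
                                 for r in levels) if d is not None), global_default)
    if decision:
        return True
    # Last check: a group member role configured on the group type.
    member_role = group.members.get(person)
    return action in group.group_type.role_grants.get(member_role, set())

# Constructed sample data: the group type acts as the choke point.
addiction = GroupType("Addiction Classes",
    rules=[("View", "Care Staff", True), ("View", EVERYONE, False)],
    role_grants={"Leader": {"View", "Edit"}})
root = Group("Classes", GroupType("General"), rules=[("View", EVERYONE, True)])
recovery = Group("Tuesday Recovery", addiction, parent=root, members={"pat": "Leader"})
budgeting = Group("Budgeting 101", GroupType("General"), parent=root)
```

In this model a staff member can view "Budgeting 101" through the parent group's rule but is stopped at the group type for "Tuesday Recovery", while the group's Leader still gets Edit through the group member role check.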