# Users & Groups
Managing users and groups in Data Mover Smart requires **Administrator privileges**. Users can be internal or external and can be created locally in Data Mover Smart or imported via LDAP. Groups help organize users and assign permissions efficiently.
All users listed in the **Users & Groups** section can connect to Data Mover Smart with their username and password.
## Local users and groups
Local users and groups are created internally within **Data Mover Smart** using the **Users & Groups** menu.
Local users and groups can be classified as:
* **Internal**: these users have access to the **Data Mover Smart dashboard**. They are assigned specific permissions and roles that define their capabilities within the system.
* **External**: these users can connect to a VFS of a **Data Mover Smart** server, using a specific protocol. These users do not have direct access to the dashboard. Permissions and roles cannot be assigned to external users.
### Creating local users
To create a new internal or external user:
1. Go to the **Users & Groups** section and click **New User**.
2. By default, users are **Internal**. To create an **external user**, select the **External** button.
3. Fill in the following fields:
* **Username** (required): Unique login name.
* **Password** (required): Login password. Minimum length: 8 characters
* **First Name / Last Name** (optional). If provided, these values appear in the chip at the top-right corner of Data Mover Smart. If left empty, the username is displayed instead.
* **Email** (optional).
#### Roles assignment (internal users only)
If the local user is internal, you can assign roles by clicking the **+** next to **Roles**.
This speeds up user setup and ensures that permissions are assigned consistently across all users belonging to the same role.
Roles must already exist. See the [Roles](/data-mover-smart/users-and-groups/roles.md) page.
When creating a new user, after assigning roles you must **save the user and reopen the user profile** to correctly display the permissions inherited from the assigned roles.
When editing an existing user, if you assign a new or different role, the corresponding permissions are loaded immediately.
#### Groups assignment (internal and external users)
For internal and external users, you can assign groups by clicking the **+** next to **Groups**.
In the Add Groups window, select the group, which must already exist.
See the [Creating local groups](#creating-local-groups) section below.
#### Permissions (internal users only)
For internal local users, you can manage permissions in the **Permissions** panel.
When creating a new internal user, **all available permissions are initially displayed**.
If one or more roles are assigned, the permissions associated with those roles are **automatically enabled**. These role‑based permissions are visually identified by a **blue permission chip** and by an indication in brackets showing the role they originate from.
Additional permissions can be enabled manually if required. Manually assigned permissions are displayed with an **light blue permission chip**.
{% hint style="warning" %}
**Important**: Permissions inherited from roles are fully visible **only after saving the newly created user and reopening the user profile**.
{% endhint %}
The permissions list can be filtered by typing all or part of the permission name in the Search field. You can also limit the view to **assigned permissions only** by clicking the  eye icon. When the icon changes to a closed eye only assigned permissions are shown. Click it again to display the full list of permissions.
When finished, click **Save** to confirm.
### Creating local groups
To create a new local group:
1. Go to **Users & Groups** and click the **Groups** tab.
2. Click **New Group**.
3. By default, groups are **Internal**. To create an **external group**, select the **External** button.
4. Enter a unique group name.
5. Add users via the **+** next to **Users**.
6. If the group is internal, in the **Permissions** panel you can select the permissions you want to assign to the group. All permissions are listed, and you can filter by typing part of the name in the field with the lens at the top. You can also type the category (e.g. GROUP) to filter permissions. You can also see only already assigned permissions by clicking on the icon. The icon becomes a closed eye and to list all permissions again, you must click on it. The permissions assigned to the group will be added to the permissions assigned to the user.
7. Click **SAVE** to confirm. The group will be enabled by default.
{% hint style="info" %}
Permissions assigned to a group are added to those assigned to individual users.
{% endhint %}
## LDAP users and groups
In Data Mover Smart, **LDAP users are internal users** and are automatically created or updated when they log in to Data Mover Smart via LDAP. LDAP user attributes (e.g., email, name) are imported and refreshed every time the user logs in to Data Mover Smart.
The password of the LDAP user is **never stored** in Data Mover Smart.
LDAP groups are imported as **internal groups**. They do not have permissions assigned by default but the administrator can go to **Users & Groups** and click the **Groups** tab to enable each group, grant permissions and associate them to users. LDAP group attributes are imported from LDAP and refreshed when updated in LDAP.
{% hint style="danger" %}
When new LDAP users log in to **Data Mover Smart** for the first time, their account and all related data will be loaded into **Data Mover Smart**. However, these users will not yet have access to the product. A warning message will appear, informing them that administrator authorization is required.\
The administrator must then navigate to **Users & Groups**, locate each user, and grant them the appropriate permissions.
{% endhint %}
### Administrator capabilities with LDAP
The administrator can view the LDAP users who have logged into Data Mover Smart and the groups imported from LDAP.
The following actions can be executed on LDAP users:
* Grant or remove permissions.
* Assign or remove local groups and Data Mover Smart roles.
Once an administrator assigns permissions to an LDAP user, they will operate with the granted permissions at their next login.
The following actions can be executed on LDAP groups:
* Enable or disable the group.
* Assign or remove local users.
* Grant or remove permissions.
## Editing and deleting users and groups
To edit a user or group (local or LDAP), click the user or group row and the **Edit** window will open. Apply the modifications needed and click the **Save** button.
To delete a user or group (local or LDAP), click the **three dots** next to their row and select **Delete**.
{% hint style="danger" %}
The **Admin** user and the **Guest** user cannot be deleted or modified.
{% endhint %}
## Filtering Users and Groups
Use the **Filters** panel to filter users by:
* First name / Last name
* Username
* Email
* Origin (Local or LDAP)
Use the **Search Groups** field to filter groups.
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://docs.primeur.com/data-mover-smart/users-and-groups/users-and-groups.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
icon. The icon becomes a closed eye