How Allowed User Groups limits which records a group can see

Allowed User Groups is a setting on a VICIdial user group that decides which other user groups the members of this one are permitted to view, and possibly edit. A user group is the container that ties a team's records and people together. This single field is one of the most far-reaching access controls in VICIdial, because so much of the system can be scoped by group.

Far more than agent lists

It is tempting to read Allowed User Groups as just controlling which agents a manager can see. It reaches much further. User groups can restrict access to almost every part of the system: inbound DID (direct inward dialing) routes, phones, voicemail boxes, lists, and more all carry a group tag. The Allowed User Groups field is what gates whether a manager can touch records tagged to a given group.

So a regional manager whose group is only allowed to see its own user group will be blocked from another region's phones and DIDs, not just its people. That is the whole point: clean separation between teams that share one server.

The ALL option

The selectable list includes an ALL option. Choose it and the group's members can see and work with any record on the system, as long as their own user permissions allow that action. ALL does not grant new abilities by itself; it just removes the group fence. Senior admins usually sit in a group set to ALL, while frontline leads get a narrow list.

flowchart TD
  A[Manager opens a record] --> B{Record group tag}
  B --> C{In Allowed User Groups}
  C -->|ALL selected| E[Permit per user permissions]
  C -->|Listed| E
  C -->|Not listed| D[Hide or block record]

Notice the two-step check. The record's group has to be in the Allowed User Groups list, and the Agent or manager still needs the underlying permission to do the thing. Allowed User Groups never overrides a missing permission; it only ever narrows what is reachable.

Where it bites with data

This two-layer model is what lets several independent teams share one VICIdial server without stepping on each other. Think of a company that runs sales, collections, and support out of the same box. Each function gets its own user group, and each group's Allowed User Groups list is set to just itself. Now a sales manager can build and edit sales records all day and never even see the collections team's DIDs, phones, or lists. The separation is structural, not a matter of people remembering to behave.

Because lists are group-scoped too, this affects who can manage a given Lead list and the Lead records inside it. A manager outside the allowed groups will not see another team's lists at all. Plan your group layout around the teams that genuinely must stay separate, then set Allowed User Groups to match. A good rule of thumb is to start narrow and widen only when someone genuinely needs cross-team visibility, because loosening a list later is a deliberate, reviewable change while tightening it after a leak is damage control.

There is also a maintenance payoff. When access is scoped by group rather than per individual, onboarding a new manager is a one-step action: drop them in the right group and they inherit exactly the right record visibility. Offboarding is just as clean. You never have to chase down a dozen scattered per-record permissions, which is where access creep usually hides on systems that grow over a few years.

Note: this setting is broad enough that an over-tight list can lock a manager out of records they need, while an over-loose one quietly exposes another team's Campaign data. Change it deliberately and test with a real manager login afterward.

For how record scoping fits the full permission model, read our users and groups multi-team guide. The field's exact location is shown in how to modify a VICIdial user group.

Want multi-team record separation on a managed dialer? Start a VICIfast trial and get a hardened VICIdial live in under 40 seconds.