# User Groups

Stronghold uses Active Directory security groups to control access to both the system and the data. Custom security groups can be created for finer control over data, but the groups below are the ones typically provided when an environment is first set up. PIs decide which users to place into which groups, and PIs must assign data permissions to those groups.

`sh_<tenant>_all` ← Membership in this group is required for access to the system. All individuals who need to access the system should be members of this group. Membership in this group does not mean access to the data is granted. It means the user has access to the system. For example, members of the `sh_datasci` group can access the `datasci` tenant's workstation(s) in Stronghold.

`sh_<tenant>_admins` ← Members of this group have access to all data on this tenant and are members of all other security groups on the tenant. Members of this group can also create new folders/directories. Typically, only the PI is a member of this group by default.

`sh_<tenant>_staff` ← Members of this group are typically permanent/vital members of the research team. Typically, PIs allow this group to access the majority/all data files.

`sh_<tenant>_users` ← Members of this group are usually students/interns. Typically, PIs allow this group to access some of the data files (as needed).

`sh_<tenant>_import_w` ← This group is used to transfer data into Stronghold. Members of this group can execute step 1 of the two-step process for importing data: they can write to the transfer server from outside of Stronghold.

`sh_<tenant>_import_r` ← This group is used to transfer data into Stronghold. Members of this group can execute step 2 of the two-step process for importing data: they can read from the transfer server from inside of Stronghold and pull the data down to Stronghold.

`sh_<tenant>_export_w` ← This group is used to transfer data out of Stronghold. Members of this group can execute step 1 of the two-step process for exporting data: they can write to the transfer server from inside of Stronghold.

`sh_<tenant>_export_r` ← This group is used to transfer data out of Stronghold. Members of this group can execute step 2 of the two-step process for exporting data: they can read from the transfer server from outside of Stronghold and pull the data out of Stronghold.

A PI can request to create a new security group and add users to the new group.
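The membership rules above can be checked mechanically when reviewing a tenant. The following is an added example, not part of Stronghold or its documentation: it assumes group membership has already been exported into a dictionary, and the usernames, the `audit_tenant` function and its finding labels are constructed for illustration.

```python
# Added example: audit one tenant's group membership against the rules on this page.
SUFFIXES = ["all", "admins", "staff", "users",
            "import_w", "import_r", "export_w", "export_r"]


def audit_tenant(tenant, membership):
    """membership maps full group name -> set of usernames (e.g. from an AD export)."""
    def name(suffix):
        return f"sh_{tenant}_{suffix}"

    groups = {s: set(membership.get(name(s), ())) for s in SUFFIXES}
    findings = []

    # Rule 1: sh_<tenant>_all is required for system access, so a user who is
    # only in another group holds a role they cannot reach the system to use.
    for s in SUFFIXES[1:]:
        for user in sorted(groups[s] - groups["all"]):
            findings.append(("missing_all", user, name(s)))

    # Rule 2: admins are members of all other security groups on the tenant.
    for user in sorted(groups["admins"]):
        for s in SUFFIXES:
            if s != "admins" and user not in groups[s]:
                findings.append(("admin_missing_group", user, name(s)))

    # Informational (not a rule from the page): non-admins in both the _w and
    # _r group of one direction can run both steps of that transfer themselves.
    for direction in ("import", "export"):
        both = groups[f"{direction}_w"] & groups[f"{direction}_r"]
        for user in sorted(both - groups["admins"]):
            findings.append(("both_steps", user, direction))
    return findings


# Constructed sample membership for the "datasci" tenant; usernames are made up.
SAMPLE = {
    "sh_datasci_all": {"pi_lee", "ana", "raj"},
    "sh_datasci_admins": {"pi_lee"},
    "sh_datasci_staff": {"pi_lee", "ana"},
    "sh_datasci_users": {"pi_lee", "raj", "tom"},  # tom is not in _all
    "sh_datasci_import_w": {"pi_lee", "ana"},
    "sh_datasci_import_r": {"pi_lee", "ana"},      # ana holds both import steps
    "sh_datasci_export_w": {"pi_lee", "raj"},
    "sh_datasci_export_r": {"ana"},                # admin pi_lee is missing here
}

if __name__ == "__main__":
    for finding in audit_tenant("datasci", SAMPLE):
        print(finding)
```

The `both_steps` findings are a list for the PI to review, since the page does not state that one person may not hold both groups of a transfer direction.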


