Individual users have roles and permissions assigned to them that define what actions they can take and to which vaults they have access. You can create groups of users and assign roles and permissions to the group. As a member of a group, a user has all the permissions and roles assigned to the group. By default, every new user is added to a group called Everyone. The Everyone group is only available on an Access Control Lists. It does not appear in the Groups dialog box. If the Everyone group is granted membership to a folder, all new users have access to that folder
Groups can be comprised of users or other groups. Groups can be disabled, turning off all permissions assigned to the group. The permissions and roles assigned to a group are independent of individual user roles and permissions. Groups can also be restricted to specific folders within a vault, so you can keep projects and other data secure between groups.
By assigning users to groups and then granting folder membership to those groups, you can easily manage users and their access to vault folders. This is the best practice for creating a vault security model.