A User Group is simply a collection of Users.
Go to Security -> Access Controls. From there you will see a tree of User Groups and their respective Users. You can assign a User to a User Group by right-clicking on the User Group and either:
- Adding the User via the context menu item
- Editing the User Group and adding a User on the grid there
A quick clarification on which policies to use:
- Policies assigned on the Context Access tab should be based on the standard Administrator policy.
- Policies assigned on the Resource Group Access tab should be based on the standard Resource policy.
- Policies assigned on the Element Category Access tab should be based on the standard Element policy.
Users can have specific Roles within a User Group, should you choose. They can also exist in the User Group without a Role. Roles allow you to fine-tune your permissions more than in previous MODx versions.
Say you want to only allow Supervisors in the "HR Department" User Group access to some Resources; no problem. Just create a Role called "Supervisor", set its authority to some number below 9999 (let's say 3), and then add in the Users to the User Group "HR Department" (via the User Group editing screen), setting any would-be supervisors to the Supervisor Role.
Then, you'll just add a Resource Policy (the one packaged with MODX will do fine) to the Resource Group you want to restrict access to. It will look something like this:
And you've got a role-based access permission! This specific ACL will limit all Resources (aka Documents) in the web context and in the Resource Group "TestResourceGroup4" to only Users in the "HR Department" User Group with at least a Role of Supervisor. Roles with lower authority numbers also inherit access: say you had a Coordinator Role with an authority of 2; Users with that Role in this User Group would have access through this ACL as well.
When working with the modUser object in the MODX API, you can assign access permissions via modUser::joinGroup. Using this method, you can add a user directly to a User Group, and optionally assign a Role.
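The Supervisor assignment from the scenario above, done through modUser::joinGroup and then checked against the stored membership. This is an added example, not code from the MODX documentation or code base; it assumes it runs inside MODX (for instance as a snippet) where `$modx` exists, and the username `jdoe`, the helper `assignGroupRole` and its `$strongestAuthority` parameter are hypothetical.

```php
<?php
// Added example. Runs inside MODX, where $modx is the modX instance.
// assignGroupRole() and the username 'jdoe' are hypothetical names.
function assignGroupRole(modX $modx, $username, $groupName, $roleName, $strongestAuthority)
{
    $user  = $modx->getObject('modUser', array('username' => $username));
    $group = $modx->getObject('modUserGroup', array('name' => $groupName));
    $role  = $modx->getObject('modUserGroupRole', array('name' => $roleName));
    if (!$user || !$group || !$role) {
        $modx->log(modX::LOG_LEVEL_ERROR, 'User, User Group or Role not found; nothing assigned.');
        return false;
    }

    // Lower authority numbers carry broader access, so refuse a Role that is
    // stronger than the one the caller meant to hand out.
    if ((int) $role->get('authority') < (int) $strongestAuthority) {
        $modx->log(modX::LOG_LEVEL_ERROR, "Role {$roleName} exceeds the allowed authority; nothing assigned.");
        return false;
    }

    // joinGroup accepts the User Group and the Role by name or by ID.
    if (!$user->joinGroup($groupName, $roleName)) {
        return false;
    }

    // Do not rely on the boolean alone: read the membership row back and
    // confirm it carries the Role that was requested.
    $member = $modx->getObject('modUserGroupMember', array(
        'member'     => $user->get('id'),
        'user_group' => $group->get('id'),
    ));
    return $member && (int) $member->get('role') === (int) $role->get('id');
}

// Supervisor has authority 3 in the scenario above, so 3 is the strongest
// authority this call is allowed to grant.
$ok = assignGroupRole($modx, 'jdoe', 'HR Department', 'Supervisor', 3);
if (!$ok) {
    $modx->log(modX::LOG_LEVEL_ERROR, 'jdoe was not given the Supervisor Role in HR Department.');
}
```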