π Permissions: Only Admins can configure Fine-Grained Access Controls. Admins automatically have full access to all records and Minis. Learn more about roles β
Fine-Grained Access Controls (FGA) give you detailed control over which users can see and edit specific records and Minis in your workspace. This replaces the previous Groups-based system with a more flexible, label-based approach.
This guide walks you through how FGA works, how to set it up, and what changes to expect from the previous permissions model.
What's changing
Previously, access was managed through Groups: you added users to a group, and that group had access to a set of Minis. Roles like Creator and Global Member determined what users could do.
With FGA, Groups are being replaced by Labels. Labels are more flexible β they let you control access at both the Mini level and the individual record level. Roles have also been simplified down to just two: Admin and Member.
Your existing permissions will be automatically migrated so that nothing changes until you're ready to make adjustments. The new system can replicate everything your current setup does, with the option to get more granular when you need to.
β
Understanding Labels
Labels are the building blocks of FGA. There are two types:
Record Labels
β
You're already familiar with these: labels like Assessment, Progress Note, or Sensitive that categorise records on a Mini's timeline. With FGA, record labels are now fully customisable. You can rename them, choose a colour, and pick an icon to make them easy to identify at a glance.
Mini Labels
These are new. Mini labels let you categorise your Minis themselves β for example, by location, house, program, or service type.
Mini labels replace what Groups used to do: if you were using Groups to control which users could see which Minis (e.g., by house or location), you'll use mini labels for this going forward.
Label Groups
Both record labels and mini labels can be organised into Label Groups: a way to bundle related labels together. For example, you might have a "Location" group for mini labels containing North House, South House, and Central Office, or a "Record Type" group for record labels containing Progress Note, Assessment, and Care Plan. Label groups make it easier to manage permissions at scale, especially in larger workspaces with many labels.
How permissions work
Permissions are assigned per user. For each user, you have two approaches:
β
Option 1: Workspace-wide access
The simplest option. You can give a user blanket access across the workspace:
All Records: the user can view or edit all records, regardless of their labels
All Minis: the user can access every Mini in the workspace
For each, you choose whether they get View access (read-only) or Edit access (which also includes creating, archiving, and managing records).
This is similar to how permissions worked before: if your team currently has access to all Minis and records, this is the option you'd use.
β
Option 2: Per-label access
This is where the fine-grained control comes in. Instead of blanket access, you configure access for each label individually. For example, you might give a user:
Edit access to Progress Notes
View access to Assessments and Care Plans
No access to records labelled Sensitive
β οΈ Important: If you choose per-label access, you need to configure every label β not just the ones you want to restrict. Any label without a permission set means the user won't have access to records with that label.
How labels interact on a record
A single record can have multiple labels β for example, a record might be tagged as both Assessment and Sensitive.
For a user to access that record, they need permission for all of its labels. If a user has access to Assessment but not Sensitive, they won't be able to see that record.
If a user has different permission levels across a record's labels (e.g., Edit on one label and View on another), the most restrictive permission applies β so they'd get View access only.
Records and Minis synced from external systems
If your workspace includes records or Minis that are synced from an external system, the labels on those items cannot be edited directly in Minikai. This is because the external system is the source of truth, and allowing manual label changes could cause conflicts during the next sync.
You can still manage user permissions as normal: you control which users have access to which labels, and those permissions apply to synced records and Minis just like any other. The only difference is that the labels themselves on synced items are managed by the integration rather than by you.
We'll work with you to make sure the right labels are set for both your existing synced records and Minis, as well as any new ones that come through in future syncs. This way your permissions will apply correctly from day one, without any manual upkeep on your end.
Simplified roles
FGA simplifies roles down to two:
Admin: Full access to all records and all Minis, plus the ability to manage workspace settings, labels, and user permissions. Admin access cannot be restricted.
Member: Access is determined entirely by the labels assigned to them. Members see only what they've been given permission to see.
Previous roles like Creator and Global Member will no longer exist. If you had users in those roles, they'll be transitioned to the Member role with equivalent permissions during migration.
Managing user permissions
You manage permissions from the Users page in Workspace Admin. Select a user to view and configure their label assignments.
Bulk actions
To save time when managing large teams, you can filter users by job title, select multiple users at once, and apply permission changes in bulk. This is especially useful if you have many users in the same role who need identical access.
β
β
New users
When a new user joins your workspace, they start with no label assignments: they won't have access to any records or Minis until an Admin configures their permissions. Unlike the previous Groups system, you can now assign permissions before the user has logged in for the first time.
What happens to my current setup
Your current permissions will be carried over automatically. The migration is designed to replicate your existing access rules exactly: when FGA is enabled, your users will see and do the same things they could before.
FGA will initially be enabled behind a feature flag, meaning your workspace will continue to use the current permissions model until we switch it over. We'll work with you to review your setup and make sure everything looks right before going live.
π‘ Tip: Before migration, it's worth reviewing your current user roles and group assignments to make sure they're accurate. If any users have incorrect roles or are in the wrong groups, now is a good time to clean that up so the migration is as smooth as possible.
Directory sync and job titles
If your organisation uses directory sync, job titles can be imported automatically and used to help manage permissions. This makes it easier to assign permissions consistently, even when job title naming varies across your directory.
Full directory sync support for FGA (including automatic label assignment for new users and user group management) is on our roadmap and will follow the initial release.
Coming soon
FGA is launching as an MVP with the core functionality described above. Here's what's coming next:
User Groups: group users together and assign labels to the group, rather than managing permissions one user at a time
Workspace Agent support: use the Workspace Agent to query, diagnose, and manage permissions through conversation
Default labels for new users: set default label assignments so new users automatically get baseline access when they join
Full directory sync integration: automatic label assignment based on directory attributes
Need help?
FGA is a significant change, and we want to make sure you're comfortable with it. One of our team will walk you through the setup for your workspace, and we're happy to do a live session with your admin team to answer any questions.
You can also reach us anytime through the Help Desk in the bottom corner of Minikai, or email us at [email protected].