1. Introduction
Hybo allows you to manage user access and capabilities through roles, groups, and scopes (ambits).
In addition, Hybo combines two group sources to grant permissions:
Azure Entra ID Groups → Corporate groups managed from the customer’s Microsoft tenant.
Hybo B2C Groups → Internal groups managed from the Hybo Administration Panel.
This document explains how each system works, how they affect platform permissions, and how they should be properly managed.
2. Key permission concepts in Hybo
Hybo uses a simple hierarchical relationship:
Roles → Groups → Users
A role defines which actions a set of users can perform.
A group brings together users who share the same behavior or permissions.
Users belong to one or more groups, and each group has one or more roles assigned.
As a result:
You do not assign permissions directly to users → permissions are assigned to groups.
You do not assign groups to roles → roles are assigned to groups.
Users inherit permissions from the groups they belong to.
3. Group types in Hybo
Hybo works with two types of groups:
3.1. Azure Entra ID Groups (Corporate)
✔️ Managed in Azure, not in Hybo
✔️ Mainly used when the customer uses Microsoft SSO
✔️ Hybo only consumes this information during login
✔️ They enable advanced functionalities:
Module permissions
Permissions by site or building
Algorithm preferences (parking, desks, etc.)
Group-based penalties
Advance booking
Granular administrator management
How they work:
The user signs in with Microsoft.
Hybo asks Azure whether the user belongs to any group configured for Hybo.
If yes, Hybo allows access and creates or updates the user in its internal database.
If not, access to Hybo is denied.
Important note about guest users (Microsoft Guest Users)
Guest users (“B2B Guest Users”) can sign in only if:
They have been correctly invited to the customer’s tenant.
They belong to valid Entra ID groups configured for Hybo.
Login types:
Microsoft: the external company has permanently authorized Hybo as a corporate app in its tenant.
Custom: users must complete account creation when they receive the guest invitation email.
Important:
Guest users cannot use Microsoft SSO to access Hybo unless their organization explicitly authorizes Hybo as an application.
By default → they must log in using Custom Login (Hybo B2C).
3.2. Hybo B2C Groups
✔️ Managed directly in Hybo → Permissions → Groups
✔️ Independent from the customer’s corporate system
✔️ They enable advanced functionalities:
Create as many groups as needed from the Admin panel
Module permissions
Permissions by site or building
Algorithm preferences (parking, desks, etc.)
Group-based penalties
Advance booking
Granular administrator management
How they work:
Users must log in at least once to be added to a group and stored in Hybo’s database.
By default, users are assigned to the “User” group.
If Admin permissions are required, this must be manually updated in the ADMIN panel.
Users are manually assigned to these groups within Hybo.
Important:
Group and permission assignment in Hybo B2C has zero dependency on Azure Entra ID.
3.2.1 Create and manage Hybo B2C Groups
📍 Path:
Permissions → Groups
To create a group:
Click Add Group
Define:
Prefix (technical name)
Display Name
Add users from the Users tab
(Optional) Enable Ambits (scopes)
Assign the corresponding roles
4. Ambits (Scopes)
Ambits allow you to restrict a group’s permissions by:
Office
Building
Specific module (e.g. Parking, Desk, Rooms)
Zones
Floor
📍 Where to configure them:
When editing a group → Basic Information tab → Add ambits
Examples
Group | Scope (Ambit) | Behavior |
Managers Barcelona | Office = Barcelona | Permissions apply only to that office |
Parking Supervisors Rome | Module = Parking, Office = Rome | They manage only the parking in Rome |
HR | Global | Full access to cross-department information |
5. Users: how they are assigned and which permissions they inherit
Users do not have individual permissions.
They always inherit permissions from the groups they belong to.
📍 To assign users:
Permissions → Groups → Edit Group → Users
Key rules
A user can belong to multiple groups.
The combined roles of those groups define the user’s final permissions.
The first time a user logs in (Microsoft, Google, or Custom), the user is internally created in Hybo’s database.
If a user is removed from a group → they must log in again to lose the permissions, or the permissions will be automatically refreshed after 1 hour.
If a user is removed from the Microsoft tenant → they will not be able to log in, even if they still belong to a Hybo B2C group.
6. Guest user behavior
This is the recommended approach when:
An external company participates occasionally.
A provider needs temporary access.
6.1 Guests via Entra ID Groups with Microsoft SSO Login
✔️ Guests can log in to Hybo only if:
They were invited to the customer’s tenant.
They belong to an authorized Entra ID group.
The user’s company has authorized the Hybo application in its own tenant (see Microsoft App authorization).
✔️ Benefits:
External login security is handled by Microsoft or Google.
Group management is done through Entra ID.
How it works:
No additional invitation is required.
Users simply access app.hybo.app using Microsoft Login.
Important:
The user must be invited to the customer’s tenant and added to the authorized Entra ID groups in order to log in.
If the user’s company does not authorize Hybo, Microsoft login will fail.
For these cases, Custom Login is recommended.
6.2 Guests via Entra ID Groups with Custom Login
✔️ Guests can log in to Hybo only if:
They were invited to the customer’s tenant.
They belong to an authorized Entra ID group.
✔️ Benefits:
Avoids external IT dependencies.
The customer manages permissions through Entra ID.
No need to authorize Hybo as an application in the guest’s tenant.
How it works with authorized domains:
No invitation is required.
Users simply access app.hybo.app and sign up.
If the user is correctly configured in Entra ID with the appropriate groups and permissions, no further management is required.
COMING SOON – How it works without domain restrictions:
Invitation is required from admin.hybo.app.
An email is sent to the guest so they can log in and change their credentials.
Important:
If the environment has domain restrictions, make sure to add new domains.
If domains are restricted and cannot be added, contact [email protected].
6.3 Guests via Hybo Groups with Custom Login
✔️ Guests can log in to Hybo only if:
They were invited to the customer’s tenant, or
They sign up using an authorized domain.
✔️ Benefits:
This is the recommended method when:
You want to avoid external IT dependencies.
The customer does not want to manage guests in Entra ID.
There is no dependency on Microsoft or Google.
No application authorization is required.
Everything is fully managed within Hybo.
How it works:
Guests must be invited from admin.hybo.app or complete a sign-up.
An email is sent to the guest so they can log in and change their credentials.