Restricted is a user role for people who should only see content explicitly granted to them, for example contractors, part-time staff, vendors, interns, or users in regulated jurisdictions. Where the standard PlusPlus model is open by default (regular users discover and self-enroll across the catalog), restricted users operate under a closed by default model: nothing is visible until access is granted explicitly.
This article explains what restricted users can and can't do, when to use the role, and how to assign it.
When to use the Restricted role
Use the Restricted role for any user who should only see content directly relevant to them, rather than the full platform catalog. Common reasons:
Contractors and vendors — third-party staff who should engage with specific onboarding, compliance, or project material but shouldn't browse internal learning content.
Part-time staff and interns — limited-tenure employees whose access should be scoped to the content their role requires.
Users in regulated jurisdictions — employees in regions where compliance constraints require explicit access grants and audit trails for any content exposure.
BYOD or low-trust accounts — users connecting from devices or contexts where you want to minimize incidental exposure to internal information.
If your default model already requires explicit assignment for most content, the Restricted role is overkill — it's most useful as an exception to a generally open environment, where you want certain users to see less.
What restricted users can and can't do
| Capability | Regular user | Restricted user |
| --- | --- | --- |
| See content in the catalog | All visible content | Only content explicitly granted |
| Browse channels | All public channels | Only channels they're granted access to |
| Discover events | Yes | Only events they're granted access to or facilitating |
| Discover coaching/mentorship programs | Yes | Only programs they're granted access to or facilitating |
| Self-enroll in content | Yes (within visibility rules) | Only in content they were already group-granted access to |
| Be assigned content | Yes | Yes |
| Receive direct assignments | Yes | Yes |
| Create content (events, articles, videos, courses, etc.) | Yes (if enabled) | No |
| Create coaching sessions | Yes (if enabled) | No |
| Act as facilitator on content | Yes | Yes — facilitator role still works |
Restricted users gain visibility through three paths:
Group membership. When the user is a member of an internal group that has been granted access to specific content, channels, or programs.
Direct assignment. When content is assigned to the user individually.
Facilitator role. When the user is set as a facilitator (organizer, co-organizer, presenter, maintainer) on a specific content item.
Outside of these three paths, the user sees nothing. A restricted user who isn't yet a member of any group and has no assignments will land on a largely empty platform — including a "No Channels available" state on the channels page.
How the Restricted role is assigned
There are two confirmed paths to assign the Restricted role today:
Manual assignment via user profile
From any page in PlusPlus, click your profile menu in the top right and go to Dashboard, then open the People dashboard.
Find the user and click their name to open their profile.
Click the kebab menu (⋮) on the profile and select Edit.
Scroll to Admin Settings and select Restricted from the role dropdown.
Save.
This is the simplest path for one-off changes — for example, marking an existing contractor as restricted.
Automatic assignment via SCIM
For organizations using SCIM provisioning, the Restricted role can be assigned automatically based on a SCIM payload attribute. On every SCIM sync, users matching the configured expression are flipped to restricted; users no longer matching are flipped back to regular.
This is the recommended path when restriction status is determined by data already in your IdP or HRIS — for example, a WorkerType attribute that distinguishes contractors from full-time employees.
To configure the SCIM expression, see the Restricted-role indicator field documented in People Integration: SCIM.
Automatic assignment via Workday or other people integration methods
The Restricted role can also be assigned automatically through any other people integration method — Workday or a Custom Integration — using the same is_restricted attribute mapping. Once a people integration source is in place, the assignment logic works identically regardless of how the data was obtained: a path expression resolves to a truthy value, and the user is flipped to restricted on the next sync.
For configuration details, see People Integration: Attribute Mapping.
Interactions with other roles
The Restricted role replaces the Regular role for the user. A user is either regular or restricted — not both.
Users with elevated platform roles (Admin or System Organizer) are not affected by the Restricted-role indicator field on SCIM sync. To restrict an existing admin or organizer, first downgrade their role manually.
Restricted users can still be facilitators on individual content items. A contractor invited to present at an event remains restricted everywhere except the event they're presenting.
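The sync behaviour described under "Automatic assignment via SCIM" and the elevated-role exemption above, as an added dry-run sketch in Python (not PlusPlus code). The dotted-path lookup, the role labels, the payload shape, and the choice to treat a missing attribute as "not matching" are all assumptions made for illustration; only the WorkerType attribute name comes from this article.

```python
# Dry-run of an indicator-driven role sync. All names below are hypothetical;
# this is not the PlusPlus expression syntax or API.
ELEVATED = {"admin", "system_organizer"}  # constructed labels for elevated roles

def resolve(payload, path):
    """Walk a dotted path through nested dicts; a missing key resolves to None."""
    node = payload
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def matches(payload, path, values=None):
    """With values=None use truthiness; otherwise require membership in values."""
    got = resolve(payload, path)
    return bool(got) if values is None else got in values

def plan_sync(current_roles, payloads, path, values=None):
    """Return {user: (old_role, new_role, note)} for roles the sync would change."""
    plan = {}
    for user, old in current_roles.items():
        if old in ELEVATED or user not in payloads:
            continue  # elevated roles are not affected by the indicator
        new = "restricted" if matches(payloads[user], path, values) else "regular"
        if new != old:
            note = "widens access, review" if new == "regular" else "narrows access"
            plan[user] = (old, new, note)
    return plan

# Constructed sample data: current roles and the payload each user arrives with.
ROLES = {"ana": "regular", "ben": "restricted", "cy": "admin", "dee": "restricted"}
PAYLOADS = {
    "ana": {"enterprise": {"workerType": "Contractor"}},
    "ben": {"enterprise": {"workerType": "Contractor"}},
    "cy": {"enterprise": {"workerType": "Contractor"}},   # admin, left untouched
    "dee": {"enterprise": {}},                            # attribute missing from the feed
}

def demo():
    return plan_sync(ROLES, PAYLOADS, "enterprise.workerType", {"Contractor", "Vendor"})

if __name__ == "__main__":
    for user, change in demo().items():
        print(user, *change)
```

Under these assumptions, a user whose indicator attribute disappears from the feed is planned for a restricted-to-regular flip, which is the transition worth reviewing before a sync runs.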



