Dyn Managed DNS access permissions are set up based on a user’s group membership, set for a specific user individually, or both. When your account is created, you determine a person to be the Full Administrator on the account. The Full Administrator user has access to manage all zones, users, groups, records, services, etc. and can delegate access to users by creating user accounts and groups then assigning permissions at the group level, the user level, or both.

When you create a new zone, the following users are granted access permissions to the zone by default:  all users in the ADMIN group, the user with Full Administrative rights, and any user granted access to All Zones.

The relationship between groups and users can be explained as follows:

A Group

Click here to create or manage a group.

can contain Users and other Groups, applies permissions rules to those users and groups Group permissions are cumulative. If a user has membership in more than one group, the sum of all permissions allowed to all the groups are allowed to the user.
A User

Click here to manage a user.

belongs to a Group, inherits permissions from the group membership, and may be assigned permissions individually User specific permissions override group permissions. Regardless of the permissions allowed to the user, a user specific permission will override the group permissions.
Click here for tables of all permissions and group defaults.

See also: Managed DNS User Types.