PascalLike
diff --git a/‎docs/manual/docs/administrator-guide/managing-users-and-groups/creating-group.md‎
Lines changed: 40 additions & 0 deletions b/‎docs/manual/docs/administrator-guide/managing-users-and-groups/creating-group.md‎
Lines changed: 40 additions & 0 deletions
diff --git a/‎docs/manual/docs/user-guide/describing-information/creating-metadata.md‎
Lines changed: 2 additions & 2 deletions b/‎docs/manual/docs/user-guide/describing-information/creating-metadata.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎docs/manual/docs/user-guide/describing-information/importing-metadata.md‎
Lines changed: 1 addition & 1 deletion b/‎docs/manual/docs/user-guide/describing-information/importing-metadata.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎docs/manual/docs/user-guide/publishing/managing-privileges.md‎
Lines changed: 6 additions & 1 deletion b/‎docs/manual/docs/user-guide/publishing/managing-privileges.md‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎docs/manual/docs/user-guide/publishing/transferring-privileges.md‎
Lines changed: 4 additions & 0 deletions b/‎docs/manual/docs/user-guide/publishing/transferring-privileges.md‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎domain/src/main/java/org/fao/geonet/domain/Group.java‎
Lines changed: 32 additions & 0 deletions b/‎domain/src/main/java/org/fao/geonet/domain/Group.java‎
Lines changed: 32 additions & 0 deletions
diff --git a/‎domain/src/main/java/org/fao/geonet/domain/GroupType.java‎
Lines changed: 24 additions & 0 deletions b/‎domain/src/main/java/org/fao/geonet/domain/GroupType.java‎
Lines changed: 24 additions & 0 deletions
diff --git a/‎services/src/main/java/org/fao/geonet/api/groups/GroupsApi.java‎
Lines changed: 68 additions & 29 deletions b/‎services/src/main/java/org/fao/geonet/api/groups/GroupsApi.java‎
Lines changed: 68 additions & 29 deletions
@@ -30,10 +30,50 @@ Additional settings:
 - **Editing**: Specifies which groups can edit the metadata record.
 - **Notify**: Determines which groups are notified when a file managed by GeoNetwork is downloaded.
 
+## Group Type
+
+Administrators can define the type of group being created. There are three group types available, each with specific characteristics and use cases:
+
+### 1. Workspace Group
+
+- **Description**: This is the default group type. It allows the group to own metadata records and have privileges assigned to them.
+- **Use Case**: Suitable for groups that need full control over metadata records, including creation, import, and transfer.
+
+### 2. Record Privilege Group
+
+- **Description**: This group type can have privileges assigned to specific metadata records but cannot own metadata records.
+- **Use Case**: Ideal for groups that require access to metadata records without ownership rights.
+
+### 3. System Privilege Group
+
+- **Description**: This group type is used to manage system-level privileges. It cannot own metadata records or have privileges assigned to them.
+- **Use Case**: Designed for administrative purposes where system-level access is required without metadata ownership.
+- **Profiles**: Users are not assigned profiles in System Privilege Groups, since their purpose is to grant system-level privileges to all members. Instead, users in these groups are automatically given the Registered User profile behind the scenes.
+
+### Group Type and Operations Allowed Matrix
+
+The table below summarizes the operations allowed for each group type:
+
+| **Group Type**         | **Can Create Records in Group** | **Can Import Records in Group** | **Can Transfer Records to Group** | **Can Group Have Privileges on a Record** | **Group Has Profiles** |
+|-------------------------|:------------------------------:|:-------------------------------:|:---------------------------------:|:-----------------------------------------:|:-----------------------:|
+| **Workspace**           |               ✔               |               ✔                |                ✔                |                     ✔                     |           ✔           |
+| **Record Privilege**    |                               |                                 |                                   |                     ✔                     |           ✔           |
+| **System Privilege**    |                               |                                 |                                   |                                           |                       |
+
+!!! Note
+
+    - **Workspace Group**: Provides the most flexibility and is the default choice for most use cases.
+    - **Record Privilege Group**: Focused on access control without ownership.
+    - **System Privilege Group**: Reserved for system-level operations and does not interact with metadata records directly.
+
 ## Minimum user profile allowed to set privileges
 
 This setting allows administrators to control the minimum user profile required to assign privileges for a group. It provides enhanced control over who can manage sensitive privileges for users within the group.
 
+!!! Note
+
+    This setting is unset and disabled when the group is a **System Privilege Group**. System privilege groups do not have profiles and cannot have privileges assigned to them.
+
 ### Default setting
 
 By default, the **"Minimum User Profile Allowed to Set Privileges"** is set to **No Restrictions**. This means that any user with permission to manage privileges for a metadata record can assign privileges for users in this group.
 
@@ -7,7 +7,7 @@ This topic guides you through the process of adding new metadata records with as
 To add or edit metadata, the user:
 
 -   Must have an `editor` profile or higher.
--   Should be a member of a group you want to add information for.
+-   Should be a member of the [Workspace Group](../../administrator-guide/managing-users-and-groups/creating-group.md#1-workspace-group) you want to add information for.
 
 Contact your administrator if you don't have the correct profile.
 
@@ -25,7 +25,7 @@ Contact your administrator if you don't have the correct profile.
 
 !!! Note
 
-    If only one group is defined in the catalog, the default group is selected.
+    If only one group is defined in the catalog, the default group is selected. If a group is not a [Workspace Group](../../administrator-guide/managing-users-and-groups/creating-group.md#1-workspace-group) it will not be shown as an option in the list.
 
 Next steps:
 
 
@@ -37,7 +37,7 @@ The user should have an `editor` profile to access metadata.
     -   `Apply XSLT conversion` allows to transform the record loaded using an XSLT stylesheet. A list of predefined transformations is provided. The selected transformation should be compatible with the standard of the loaded record (see [Adding XSLT conversion for import](../workflow/batchupdate-xsl.md#customizing-xslt-conversion)).
     -   `Validate` trigger the validation of the record before loading it. In case of error the record is rejected and an error reported.
     -   `Assign to current catalog` assign the current catalog as origin for the record, in case the MEF file indicate another source.
-    -   `Assign to Group` define the group of the loaded record.
+    -   `Assign to Group` define the group of the loaded record. Only [Workspace Groups](../../administrator-guide/managing-users-and-groups/creating-group.md#1-workspace-group) can be selected.
     -   `Assign to Category` define a local category to assign to the loaded record.
 
 3. Click `import` to trigger the import. After processing, a summary is provided with the following details:
 
@@ -4,6 +4,10 @@ To manage privileges to your metadata record and any attached data, you will nee
 
 For example, you can specify that the metadata and related services are visible to all (Internet users) or just to internal users only (Intranet). Privileges are assigned on a per group basis. Depending on the user profile (Guest, Registered User, Editor, Admin etc.) access to these functions may differ on a per user basis.
 
+!!! Note
+  
+    [System Privilege Groups](../../administrator-guide/managing-users-and-groups/creating-group.md#3-system-privilege-group) are special groups which cannot have privileges set for specific metadata records.
+
 ## Assigning privileges
 
 To assign privileges, follow these steps:
@@ -85,6 +89,7 @@ You can set privileges on a selected set of records in the search results using
 
 The following rules apply:
 
--   the groups are those that the user belongs to
+-   If the "[Only set privileges to user's groups](../../administrator-guide/configuring-the-catalog/system-configuration.md#metadata-privileges)" setting is set, only the groups the user is a member of will be shown in the list.
+-   [System Privilege Groups](../../administrator-guide/managing-users-and-groups/creating-group.md#3-system-privilege-group) are not shown
 -   the privileges specified will only be applied to records that the user has ownership or administration rights on - any other records will be skipped
 -   the current records privileges will be reset and replaced by the selected privilege
@@ -21,3 +21,7 @@ How to open the Transfer Ownership page
         The drop down is filled with all Editors visible to you. If you are not an Administrator, you will view only a subset of all Editors.
 
     -   **Select group**: Select one of the groups this user is a member of. Privileges to groups All and Intranet are not transferable.
+
+    !!! Note
+
+        Ownership of metadata records can only be transfered to [Workspace Groups](../../administrator-guide/managing-users-and-groups/creating-group.md#1-workspace-group). Other group types will not be shown in the list.
@@ -87,6 +87,7 @@ public class Group extends Localized implements Serializable {
     private List<MetadataCategory> allowedCategories;
     private Boolean enableAllowedCategories;
     private Profile minimumProfileForPrivileges;
+    private GroupType type;
 
     /**
      * Get the id of the group.
@@ -371,4 +372,35 @@ public Group setMinimumProfileForPrivileges(Profile minimumProfileForPrivileges)
         this.minimumProfileForPrivileges = minimumProfileForPrivileges;
         return this;
     }
+
+    /**
+     * Get the type of the group.
+     *
+     * @return the type of the group.
+     */
+    @Enumerated(EnumType.STRING)
+    public GroupType getType() {
+        return type;
+    }
+
+    /**
+     * Set the type of the group.
+     *
+     * @param type the type of the group.
+     * @return this group entity object.
+     */
+    public Group setType(GroupType type) {
+        this.type = type;
+        return this;
+    }
+
+    /**
+     * Check if this group is a workspace group.
+     *
+     * @return true if this group is a workspace group.
+     */
+    @Transient
+    public Boolean isWorkspace() {
+        return GroupType.Workspace.equals(type);
+    }
 }
@@ -0,0 +1,24 @@
+package org.fao.geonet.domain;
+
+/**
+ * Enum representing different types of groups in the system.
+ */
+public enum GroupType {
+    /**
+     * Represents a workspace group type.
+     * Workspace groups can create, import, and own metadata records as well as be assigned privileges for specific records.
+     */
+    Workspace,
+
+    /**
+     * Represents a record privilege group type.
+     * Record privilege groups can be assigned privileges for specific records but cannot own metadata.
+     */
+    RecordPrivilege,
+
+    /**
+     * Represents a system privilege group type.
+     * System privilege groups are for system permissions only; they cannot own metadata or be assigned privileges for specific records.
+     */
+    SystemPrivilege
+}
@@ -474,39 +474,78 @@ public void updateGroup(
             description = API_PARAM_GROUP_DETAILS
         )
         @RequestBody
-            Group group
+            Group group,
+        @Parameter(hidden = true)
+            ServletRequest request
     ) throws Exception {
-        final Optional<Group> existing = groupRepository.findById(groupIdentifier);
-        if (!existing.isPresent()) {
-            throw new ResourceNotFoundException(String.format(
-                MSG_GROUP_WITH_IDENTIFIER_NOT_FOUND, groupIdentifier
-            ));
-        } else {
-            if(group.getName().length() > GROUPNAME_MAX_LENGHT) {
-                throw new IllegalArgumentException(String.format("Group name cannot be longer than %d characters.", GROUPNAME_MAX_LENGHT));
+
+        Locale locale = languageUtils.parseAcceptLanguage(request.getLocales());
+
+        final Group existingGroup = groupRepository.findById(groupIdentifier)
+            .orElseThrow(() -> new ResourceNotFoundException(String.format(
+                MSG_GROUP_WITH_IDENTIFIER_NOT_FOUND, groupIdentifier)));
+
+        if (group.getName().length() > GROUPNAME_MAX_LENGHT) {
+            throw new IllegalArgumentException(String.format("Group name cannot be longer than %d characters.", GROUPNAME_MAX_LENGHT));
+        }
+
+        if (!GROUPNAME_PATTERN_REGEX.matcher(group.getName()).matches()) {
+            throw new IllegalArgumentException("Group name may only contain alphanumeric characters "
+                + "or single hyphens. Cannot begin or end with a hyphen."
+            );
+        }
+
+        GroupType existingGroupType = existingGroup.getType();
+        GroupType newGroupType = group.getType();
+
+        // If changing a workspace group to a non-workspace group
+        if (existingGroupType == GroupType.Workspace && newGroupType != GroupType.Workspace) {
+            // Check if the group owns any metadata
+            final long metadataCount = metadataRepository.count(where((Specification<Metadata>)
+                MetadataSpecs.isOwnedByOneOfFollowingGroups(Arrays.asList(group.getId()))));
+            if (metadataCount > 0) {
+                throw new NotAllowedException(messages.getMessage("api.groups.unset_workspace.owns_metadata", new
+                    Object[]{group.getName()}, locale));
             }
+        }
 
-            if (GROUPNAME_PATTERN_REGEX.matcher(group.getName()).matches() == false) {
-                throw new IllegalArgumentException("Group name may only contain alphanumeric characters "
-                    + "or single hyphens. Cannot begin or end with a hyphen."
-                );
+        // If changing a group to a system group
+        if (existingGroupType != GroupType.SystemPrivilege && newGroupType == GroupType.SystemPrivilege) {
+            // Check if the group has any users associated with it that are not registered users
+            final long invalidProfileCount = userGroupRepository.count(UserGroupSpecs.hasGroupId(group.getId())
+                .and(Specification.not(UserGroupSpecs.hasProfile(Profile.RegisteredUser))));
+            if (invalidProfileCount > 0) {
+                throw new NotAllowedException(messages.getMessage("api.groups.set_system.invalid_profile",
+                    new Object[]{group.getName()}, locale));
+            }
+            // Check if the group has any privileges associated with it
+            final long operationAllowedCount = operationAllowedRepo.count(OperationAllowedSpecs.hasGroupId(group.getId()));
+            if (operationAllowedCount > 0) {
+                throw new NotAllowedException(messages.getMessage("api.groups.set_system.has_privileges",
+                    new Object[]{group.getName()}, locale));
             }
+        }
 
-            // Rebuild translation pack cache if there are changes in the translations
-            boolean clearTranslationPackCache =
-                !existing.get().getLabelTranslations().equals(group.getLabelTranslations());
+        // If the group is a system group, it cannot have a minimum profile for privileges
+        if (newGroupType == GroupType.SystemPrivilege && group.getMinimumProfileForPrivileges() != null) {
+            throw new IllegalArgumentException(messages.getMessage("api.groups.system_group_has_minimum_profile",
+                new Object[]{group.getName()}, locale));
+        }
 
-            try {
-                groupRepository.saveAndFlush(group);
-            } catch (Exception ex) {
-                Log.error(API.LOG_MODULE_NAME, ExceptionUtils.getStackTrace(ex));
-                throw new RuntimeException(ex.getMessage());
-            }
+        // Rebuild translation pack cache if there are changes in the translations
+        boolean clearTranslationPackCache =
+            !existingGroup.getLabelTranslations().equals(group.getLabelTranslations());
+
+        try {
+            groupRepository.saveAndFlush(group);
+        } catch (Exception ex) {
+            Log.error(API.LOG_MODULE_NAME, ExceptionUtils.getStackTrace(ex));
+            throw new RuntimeException(ex.getMessage());
+        }
 
 
-            if (clearTranslationPackCache) {
-                translationPackBuilder.clearCache();
-            }
+        if (clearTranslationPackCache) {
+            translationPackBuilder.clearCache();
         }
     }
 
@@ -545,14 +584,14 @@ public void deleteGroup(
     ) throws Exception {
         Optional<Group> group = groupRepository.findById(groupIdentifier);
 
+        Locale locale = languageUtils.parseAcceptLanguage(request.getLocales());
+
         if (group.isPresent()) {
             final long metadataCount = metadataRepository.count(where((Specification<Metadata>)
                 MetadataSpecs.isOwnedByOneOfFollowingGroups(Arrays.asList(group.get().getId()))));
             if (metadataCount > 0) {
-                throw new NotAllowedException(String.format(
-                    "Group %s owns metadata. To remove the group you should transfer first the metadata to another group.",
-                    group.get().getName()
-                ));
+                throw new NotAllowedException(messages.getMessage("api.groups.delete.owns_metadata", new
+                    Object[]{group.get().getName()}, locale));
             }
 
             List<Integer> reindex = operationAllowedRepo.findAllIds(OperationAllowedSpecs.hasGroupId(groupIdentifier),