I guess I'm a little obsessed with the Group module, or maybe it's just that I've been using it a lot lately, and still learning its ins and outs.
One of the main purposes of Group is to control user access to various content types, based on what Group(s) the viewing user and content are in. Each Group type has an extensive permissions table where you can control permissions for anonymous users, outsiders (registered users who are not in the Group), and members (registered users in the Group). There is also an Advanced Outsiders permissions table where you can set those permissions by user role for non-Group members.
What I'm interested in today is how to control access to content using the Group module. This is a common requirement, but the module is a bit complicated and there are some gotchas.
First, the content type must be installed to each Group type you want it to be able to be added to, at /admin/group/types/manage/[GROUPTYPE]/content.
Next, Group permissions must be set for who can view the content. (There are also edit, delete, and add permissions, but for this post I'm interested specifically in viewing). These permissions are under the "Group Node" heading, and there is a permission set for each content type which has been installed to the Group type, e.g. "Group node (Page)".
The two permissions we're mainly interested in are "Entity: View any content item entities" and "Relation: View any entity relations".
"Entity: View any content item entities" controls whether the user can view the original Drupal content node (or Media item, or Webform, or whatever entity). If a piece of content is in a Group, and a particular user role has not been granted this permission, they will not be able to see the content. This is true even if their role has the "View published content" permission in the core Drupal permissions table.
"Relation: View any entity relations" controls whether the user can see the relation between the original content node and the Group. This is a slightly unusual concept, but when a piece of content is added to a Group, a new entity is created which is the relationship between that content and the Group. As an entity, it can have its own fields, its own form display, and its own set of permissions. It is also referred to as "Group content".
Group content fields, display, and form display administration can be found at /admin/group/types/manage/[GROUPTYPE]/content; typically in a dropbutton next to each Group content type that has been installed.
By default, the Group content entity does not show fields from the original node. It will only show any fields that you have added to the relationship.
So what if you want to show data from the original node on the Group content? You have to go to the "Manage display" settings for that Group content type, enable the "Title" field, and under "Format", select "Rendered entity". Not very intuitive—I only recently realized that was possible.
You can then choose what view mode to use to display the content, or add a new one if desired (at /admin/structure/display-modes/view/add). In the original content type display settings, activate your custom view mode under "Custom display settings", customize it as desired, and then choose it in the Group content display settings.
Now recognize that in order for a user to see those fields on the Group content, they have to be given the "Entity: View any content item entities" permission, as well as the "View published content" core permission. That means they will be able to see the original nodes, which may not be what you want in all cases.
In my most recent use case, we wanted users in Client groups to be able to see some fields from reports, but not all. We needed to deny them access to the original report nodes and use a custom Client view mode to display only the fields they should see on their "report" Group content type.
Enter the Rabbit Hole module. Rabbit Hole is an incredibly useful module that creates redirects per content type. It's beyond the scope of this post, but I encourage you to check it out. After installing Rabbit Hole, in the edit form for each content type you can set what happens when that content type is viewed. The options are access denied, page redirect, page not found, or display the page. In my case, I set it to "access denied". That way, client users can see the fields from their reports on the Group content page, but they cannot access the original node. Any users who should be able to see that content can be given the "Bypass Rabbit Hole action" permission at the core Drupal permissions page.
It would be nice if the Group module made it possible both to display fields from the original content and control access to that content type. Maybe that's not possible, but I'd imagine it could be a not-uncommon use case. Maybe it is already possible, and I'm just not aware of it, in which case, I'd love for someone to enlighten me in the comments! Anyway, this was my recent use case, so I thought it could be helpful to someone.