Workspace access should follow responsibility. Give each person enough access to complete assigned work while limiting unrelated client, finance, communication, and administrative visibility.
For the invitation and client-assignment workflow, see Invite a member and configure access.
Plan access by responsibility
List what each role needs to view, create, update, approve, export, or administer. Configure access from those responsibilities instead of copying a broad role simply because it already exists.
Use client-scoped access
Client-scoped access is useful for account managers, contractors, and other team members who should only see assigned clients and the work inherited from those clients.
Review the entire inherited workflow: projects, tasks, schedules, files, messages, requests, and billing can contain different levels of sensitive information.
Separate work from administration
Someone who delivers client work may not need access to workspace configuration, subscriptions, team management, broad reporting, or finance. Keep administrative access narrow and review it when responsibilities change.
Test the actual experience
After configuring a role, test with an account that represents that role. Confirm both sides:
- The person can complete every required workflow.
- The person cannot open unrelated clients or restricted modules.
Review access regularly
Review permissions when a teammate joins, changes roles, stops working with a client, or leaves the organization. Enterprise audit trails can help authorized administrators understand relevant changes and activity.
Troubleshoot an access denial
If a user sees an unexpected access message:
- Confirm the active workspace and account.
- Verify the role and module permission.
- Check client assignment when access is client-scoped.
- Refresh the application after the permission change has been saved.
- Contact support with the user role, page, and expected action if access remains incorrect.
Next step
Invite a member, choose a role, and configure client access.