What This Does
This guide explains how administrators should manage access safely and consistently.
Important Access Rules
- Access management is organization-scoped.
- Users shown in Users and Grant/Revoke Access should belong to the active organization.
- New users should have at least one role and at least one user permission before they are created.
- A user with no permissions should see a no-access message and should not see organization data.
- Users may need to sign out and back in after permission changes.
Steps
- Open the role management area.
- Review existing roles before creating a new one.
- Create a new role only when the access pattern is truly different.
- Assign the required permissions.
- Save the role.
- Assign the role to users at the organization or team level as needed.
- Use direct user permissions only when the user needs an exception to role-based access.
- Ask the user to sign out and back in if permission changes do not appear immediately.
Grant and Revoke Access
Only organization administrators should use Grant/Revoke Access. Non-admin users should not be able to open this area or load its access-management data.
Use Grant/Revoke Access when you need to adjust a user’s organization or team access without editing every role manually.
Before granting access, confirm:
- the user belongs to the active organization
- the role matches the user’s responsibilities
- the team scope is correct
- high-impact permissions are intentional
Before revoking access, confirm:
- the user no longer needs the permission
- the change will not break required approval, coordinator, or assignee workflows
- another user owns any active operational responsibility
Tips
- Prefer reusing a role over creating many near-duplicate roles.
- Use team-level role assignments when access should vary by team.
- Review high-impact permissions such as administration, automation, billing, integrations, AI, MCP, and governance carefully.

