Managing Permissions

Best practices for role and permission management

Best practices for managing roles and permissions as your organization grows.

Core Principles

Principle 1: Least Privilege

What it means: Give people the minimum access they need to do their job.

Why it matters:

  • Reduces security risk
  • Prevents accidental changes
  • Makes troubleshooting easier
  • Limits damage from compromised accounts

How to apply:

  • Start with COLLABORATOR, upgrade to CREATOR only if needed
  • Limit ADMIN to 1-2 people
  • Use GUEST for all external users
  • Don't assign team OWNER unless the person manages the team

Example:

Bad: Everyone is ADMIN "just in case"
Good: 2 ADMINs, 10 CREATORs, 5 COLLABORATORs

Principle 2: Role-Based Access

What it means: Assign roles based on job function, not individual requests.

Why it matters:

  • Consistent permissions across similar roles
  • Easier to onboard new team members
  • Predictable access patterns

How to apply:

  • Define standard roles for each job function
  • Document which role goes with which function
  • Apply consistently

Example:

Sales Reps → CREATOR
Sales Engineers → COLLABORATOR
Sales Ops → COLLABORATOR
VP Sales → ADMIN

Principle 3: Regular Review

What it means: Periodically audit roles and remove unnecessary access.

Why it matters:

  • Prevents permission creep
  • Removes access for departed team members
  • Identifies misaligned roles

How to apply:

  • Quarterly role audit
  • Remove departed users immediately
  • Downgrade roles when responsibilities change

Lifecycle Management

Onboarding New Team Members

Week before start:

  1. Identify appropriate organization role (CREATOR vs COLLABORATOR)
  2. Determine team memberships
  3. Prepare invitation email

Day one:

  1. Send invitation to join organization
  2. Add to relevant teams as MEMBER
  3. Share relevant Decision Sites
  4. Assign training materials

First week:

  1. Verify they can access what they need
  2. Adjust role if initial assignment was wrong
  3. Add them as SELLER in active deals

Verification checklist:

  • Received invitation email
  • Can log in successfully
  • Can access team content
  • Can perform primary job function
  • Knows how to request additional access

Role Changes

Promotion (e.g., COLLABORATOR → CREATOR):

Trigger: Responsibilities changed, now owns deals

Process:

  1. Organization ADMIN changes role
  2. Change takes effect immediately
  3. Notify user of new capabilities
  4. Update team roles if needed

Example:

Sarah promoted from Sales Engineer to Account Executive:
- Before: COLLABORATOR (supported deals)
- After: CREATOR (owns deals)
- Action: Admin updates role
- Result: Can now create Decision Sites

Demotion (e.g., CREATOR → COLLABORATOR):

Trigger: Responsibilities changed, no longer creates content

Process:

  1. Organization ADMIN changes role
  2. Change takes effect immediately
  3. Reassign owned Decision Sites if needed
  4. Notify user of change

Example:

John moved from Sales to Sales Ops:
- Before: CREATOR (owned deals)
- After: COLLABORATOR (supports deals)
- Action: Admin updates role, reassigns active deals
- Result: Can edit but not create

Offboarding

Two weeks before departure:

  1. Identify Decision Sites they own
  2. Assign new owners for active deals
  3. Document any in-progress work

Last day:

  1. Reassign all owned Decision Sites
  2. Remove from teams
  3. Downgrade to COLLABORATOR (keeps access for transition)

After departure:

  1. Remove organization membership entirely
  2. Verify no orphaned content
  3. Update documentation

Critical: Never leave Decision Sites without an owner.


Team Management

Creating Teams

Before creating:

  • Define team purpose
  • Identify team members
  • Determine who should be OWNER

Creation process:

  1. Create team (you become OWNER automatically)
  2. Add members (as MEMBER by default)
  3. Promote co-managers to OWNER
  4. Set team access control
  5. Share Decision Sites with team

Best practices:

  • 2-3 OWNERs per team (continuity)
  • Clear team purpose
  • Regular membership review

Team Access Control

Three levels:

ORGANIZATION:

  • All org members can access
  • Team membership only groups people; it does not restrict access
  • Use for general teams

TEAM:

  • Only team members can access
  • Use for focused teams (Strategic Accounts, Enterprise Sales)

OWN:

  • Only owner can access
  • Team members can't see
  • Rarely used (defeats purpose of teams)

Recommendation: Most teams should use TEAM access control.


Contact Role Management

When Adding Contacts

For external contacts:

  1. Add to Decision Site
  2. Assign BUYER immediately
  3. Categorize by role (DECISION_MAKER, INFLUENCER, etc.) if known
  4. Update categorization as you learn more

For internal contacts:

  1. Add to Decision Site
  2. Assign SELLER immediately
  3. Usually no additional categorization needed

Updating Contact Roles

As deal progresses:

  • Add CHAMPION when advocate emerges
  • Mark DECISION_MAKER when identified
  • Add INFLUENCER as evaluation team grows

Example progression:

Week 1: BUYER (general contact)
Week 3: BUYER + INFLUENCER (active in evaluation)
Week 6: BUYER + CHAMPION (internal advocate)
Week 8: BUYER + DECISION_MAKER (revealed final approver)

Common Scenarios

Scenario 1: Rapid Team Growth

Situation: Hired 10 sales reps in one month

Approach:

  1. Create standard onboarding checklist
  2. Assign all as CREATOR (sales reps create deals)
  3. Add all to Sales Team as MEMBER
  4. Have team OWNER welcome them
  5. Pair with mentor for first week

Avoid: Making everyone ADMIN during chaos


Scenario 2: Reorganization

Situation: Teams restructured, reporting changes

Approach:

  1. Identify new team structure
  2. Create new teams if needed
  3. Move members to appropriate teams
  4. Update team OWNERs to reflect new managers
  5. Review organization roles (may not change)

Remember: Team changes don't require organization role changes


Scenario 3: Merger/Acquisition

Situation: Acquired company joining your organization

Approach:

  1. Determine integration model (separate org vs same org)
  2. If same org: Onboard as new team members
  3. If separate: Keep separate organizations
  4. Set appropriate roles based on new responsibilities
  5. Manage Decision Site access carefully

Scenario 4: External Partner Collaboration

Situation: Partner company needs access to some deals

Approach:

  1. Partners are external → GUEST organization role
  2. Invite to specific Decision Sites only
  3. Mark as BUYER if on buying side
  4. Consider domain rules for their company domain
  5. Review access quarterly

Don't: Make partners CREATOR unless true integration


Automation and Efficiency

Domain Rules

What they do: Automatically assign roles based on email domain

When to use:

  • Internal company domain → auto-assign CREATOR or COLLABORATOR
  • Partner domain → auto-assign GUEST
  • Customer domain → auto-assign GUEST

Setup:

  1. Settings → Domain Rules
  2. Add company domain
  3. Set default role (CREATOR or COLLABORATOR)
  4. Save

Benefit: New team members auto-join with correct role


Bulk Operations

Use cases:

  • Adding 10+ people to a team
  • Removing departed team members
  • Updating roles across department

Approach:

  • Use Settings → Organization Members for bulk role changes
  • Use team settings for bulk team membership
  • Coordinate with admin team for large changes

Monitoring and Auditing

Regular Audits (Quarterly)

Check:

  • Are all ADMINs still appropriate? (should be 1-2)
  • Are all team members still with company?
  • Are team OWNERs current managers?
  • Are roles aligned with job functions?
  • Are departed users removed?

Actions:

  • Remove access for departed users
  • Adjust roles for changed responsibilities
  • Clean up unused teams
  • Update documentation

Security Reviews

Monthly:

  • Review new ADMIN promotions (should be rare)
  • Check for unusual access patterns
  • Verify external users are GUEST
  • Confirm buyer/seller categorization in active deals

After incident:

  • Review affected user's access
  • Check if role was appropriate
  • Adjust if needed
  • Document lessons learned
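
The quarterly audit and monthly security review checks above, written as a script. This is an added example, not part of the product or its documentation. The page describes no export format, so the member, team and Decision Site data shapes, the `example.com` domain and the HR roster set are all assumptions.

```python
# Added example: audit checks over constructed exports (not a real product API).
INTERNAL_DOMAINS = {"example.com"}  # assumption: the company's own email domain
MAX_ADMINS = 2                      # page: limit ADMIN to 1-2 people
OWNER_RANGE = (2, 3)                # page: 2-3 OWNERs per team

def audit(members, teams, sites, active_staff):
    """Return sorted (check, subject) findings for one audit pass."""
    findings = []
    known = {m["email"].lower() for m in members}
    admins = sorted(m["email"].lower() for m in members if m["role"] == "ADMIN")
    if len(admins) > MAX_ADMINS:
        findings.append(("too_many_admins", ",".join(admins)))
    for m in members:
        email = m["email"].lower()
        # Exact domain match: a look-alike or subdomain counts as external.
        if email.rpartition("@")[2] not in INTERNAL_DOMAINS:
            if m["role"] != "GUEST":
                findings.append(("external_not_guest", email))
        elif email not in active_staff:
            # Internal address missing from the HR roster: departed user.
            findings.append(("departed_user", email))
    for team, roles in teams.items():
        owners = sum(1 for r in roles.values() if r == "OWNER")
        if not OWNER_RANGE[0] <= owners <= OWNER_RANGE[1]:
            findings.append(("team_owner_count", f"{team}={owners}"))
    for site, owner in sites.items():
        # A site whose owner is unset or no longer a member is orphaned.
        if owner is None or owner.lower() not in known:
            findings.append(("orphaned_site", site))
    return sorted(findings)

# Constructed sample data (hypothetical names and domains).
MEMBERS = [{"email": e, "role": r} for e, r in [
    ("ana@example.com", "ADMIN"), ("bo@example.com", "ADMIN"),
    ("cy@example.com", "ADMIN"), ("dee@example.com", "CREATOR"),
    ("eli@example.com", "COLLABORATOR"),  # no longer on the roster
    ("pat@partner.test", "CREATOR"), ("gil@customer.test", "GUEST"),
]]
ACTIVE_STAFF = {f"{n}@example.com" for n in ("ana", "bo", "cy", "dee")}
TEAMS = {
    "Sales": {"ana@example.com": "OWNER", "dee@example.com": "MEMBER"},
    "Enterprise": {"ana@example.com": "OWNER", "bo@example.com": "OWNER"},
}
SITES = {"acme-deal": "dee@example.com", "globex-deal": "former@example.com",
         "initech-deal": None}

if __name__ == "__main__":
    for check, subject in audit(MEMBERS, TEAMS, SITES, ACTIVE_STAFF):
        print(f"{check:20} {subject}")
```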

Best Practices Summary

Organization Roles:

  • Limit ADMIN to 1-2 people
  • Most sales reps should be CREATOR
  • Support roles should be COLLABORATOR
  • All external users are GUEST

Team Roles:

  • 2-3 OWNERs per team
  • Most members are MEMBER
  • Align with actual management structure
  • Use TEAM access control

Contact Roles:

  • Always mark BUYER vs SELLER
  • Add stakeholder types (DECISION_MAKER, etc.) as known
  • Update as deal progresses
  • Critical for accurate Deal Pulse scoring

Management:

  • Assign based on job function
  • Review quarterly
  • Remove access immediately when someone leaves
  • Document standard role assignments

Next Steps