The access area has three jobs#
| Panel | Use it for |
|---|---|
| Members | invites, member roles, removals, and ownership transfer |
| Custom roles | allow and deny permissions beyond the base workspace role |
| API keys | dedicated access for integrations, automations, and custom intake |
Member invites are more structured now#
An invite can include:
- workspace role
- expiration window
- optional employee pre-creation
- employee profile details
If the person needs to appear in scheduling or work screens right away, pre-create the employee profile during the invite.
Custom roles are meant for exact access#
The current role editor supports:
- role name and description
- Allow permissions
- Deny permissions
- per-user role assignments
- effective-permission preview
Use that preview before you assume a missing button is a bug.
API keys inherit a role first#
Each key now has:
- name
- description
- workspace role baseline
- extra allow permissions
- denied permissions
- optional expiration
- rotate and revoke controls
The issued token is shown once. Copy it when you create or rotate the key.
Common blockers#
- A person can see a page but cannot act: check view-only mode, base role, then custom-role or direct permission overrides.
- An integration can read but not write: the API key role or permission overrides are too narrow.
- Ownership transfer is missing: only eligible active members can receive ownership.