Skip to content

Access-control patterns

Once you understand visibility, roles, and access levels individually, the real skill is combining them to match how your team actually works. Here are patterns you can reuse.

You have three tools:

  • VisibilityOrganization (everyone) or Private (only granted people).
  • RolesAdmin (runs the org) or Member (does the work).
  • Access levels — per file, per person:
What you can doViewerEditorOwner
Open & download the file
See the activity history
Upload a new version
Rename, move & organize
Lock the file
Manage who has access
Delete the file

The patterns below are just thoughtful combinations of these three.

When: a small, fully-trusted team where everyone should see everything.

  • Keep files at Organization visibility.
  • Most people are Members; a couple are Admins.
  • Rely on each file’s owner (its creator) to manage the occasional exception.

Simple and frictionless — the right default until you have a reason to lock things down.

When: a specific release should only involve a handful of people.

  1. Set the release folder to Private.
  2. Grant the lead Owner.
  3. Grant collaborators Editor.
  4. Grant stakeholders Viewer.

Everyone outside the circle simply doesn’t see it. As the release wraps, you can tighten further by locking finished masters.

When: someone outside your core team needs limited involvement.

  • Add them as a Member (never an Admin) so they can’t touch the organization.
  • Grant them access only to the specific files they need — usually Editor for active work, Viewer if they’re just reviewing.
  • When the engagement ends, remove their grants (and their seat).

This gives an outsider exactly enough to contribute, and nothing else.

When: a manager or client should follow progress without changing anything.

  • Grant Viewer on the relevant files or folder.
  • They can open, download, and watch the activity history — but never alter the work.

They stay informed; the work stays protected.

When: a file is final and must not change.

  • Make sure its access is correct (usually a small Owner/Editor circle).
  • Lock it.

Locking is the “do not disturb” sign — even Editors can’t upload over a locked file until it’s unlocked. It’s how you protect the version that actually ships.

  • Least authority. Give the lowest role and access level that does the job.
  • Private for sensitive, open for shared. Match visibility to how wide the circle should be.
  • Owners are responsibility, not status. Make someone an Owner because they’re accountable for the file — not as a courtesy.
  • Lock what’s final. Protect the work you can’t afford to lose.

Master these and you can model almost any real-world collaboration cleanly. For the organizational side of growth, see Scaling your organization.