Managing Workspace Members & Permissions
Control who can access your workspace, assign member roles, and configure privacy settings to protect sensitive client data.
Workspace membership controls who can see and interact with the intelligence, meetings, and content within a workspace. Agency Hero uses a layered access model — your organisation-level role sets a baseline, and workspace-level roles let you fine-tune access for each individual workspace.
How workspace access works
Access in Agency Hero is governed by four cooperating layers, applied in order:
| Layer | What it controls |
|---|---|
| **1. Organisation role** (Clerk) | Overall platform access — Owner, Admin, or Member |
| **2. User feature flags** | Per-user capabilities such as meeting privacy and personal workspaces |
| **3. Workspace membership role** | What a user can do inside a specific workspace |
| **4. Workspace capabilities** | Which features are enabled on the workspace itself |
Organisation Owners and Admins always have implicit owner-level access to every workspace in the organisation, regardless of whether they appear in the workspace’s membership list. All other users — org Members — need an explicit workspace membership to access a workspace.
Note: Personal Workspaces are permanently private. They cannot be shared and the Members section does not appear in their settings.
Organisation-level roles
Organisation roles are managed in your organisation settings (powered by Clerk) and govern access across the entire platform.
| Role | What they can do |
|---|---|
| **Owner** | Full org control — manage billing, delete the org, manage all users and all workspaces. Automatically granted all feature flags. |
| **Admin** | Manage users, configure settings, access all workspaces with owner-level rights. Automatically granted the **Can set meetings private** and **Has personal workspace** flags. |
| **Member** | Access only workspaces they have been explicitly added to. All feature flags are off by default. |
Important: Only org Owners can grant the Can manage global rules feature flag, which allows a user to create organisation-wide meeting association rules.
Workspace-level roles
Within each workspace, every direct member is assigned one of three roles. These are independent of org role for regular members, but org Owners and Admins always receive effective Owner access regardless of their listed role.
Owner
Full control of the workspace. An Owner can:
- Edit the workspace name, description, type, and client assignment
- Configure workspace capabilities and feature toggles
- Connect and disconnect integrations (e.g., Linear)
- Change the post-meeting workflow override
- Add, change the role of, and remove workspace members
- Add and delete meeting association rules, and manually apply them
- Delete the workspace entirely
Contributor
Can create and edit content within the workspace. A Contributor can:
- View all workspace settings and content
- Add and delete meeting association rules
Contributors cannot edit workspace settings, manage integrations, manage members, or delete the workspace.
Viewer
Read-only access. A Viewer can:
- Browse all workspace content — meetings, intelligence, proposals, and more
Viewers cannot make any changes to the workspace or its content.
Permission reference matrix
| Action | Owner | Contributor | Viewer | Org Admin |
|---|---|---|---|---|
| View workspace content | ✅ | ✅ | ✅ | ✅ |
| Edit name / description / type | ✅ | ❌ | ❌ | ✅ |
| Change client assignment | ✅ | ❌ | ❌ | ✅ |
| Edit workspace hierarchy (parent) | ✅ | ❌ | ❌ | ✅ |
| Toggle capabilities | ✅ | ❌ | ❌ | ✅ |
| Connect / disconnect integrations | ✅ | ❌ | ❌ | ✅ |
| Change workflow override | ✅ | ❌ | ❌ | ✅ |
| Add / delete meeting rules | ✅ | ✅ | ❌ | ✅ |
| Apply meeting rules manually | ✅ | ❌ | ❌ | ✅ |
| Add workspace members | ✅ | ❌ | ❌ | ✅ |
| Change member roles | ✅ | ❌ | ❌ | ✅ |
| Remove members | ✅ | ❌ | ❌ | ✅ |
| Delete workspace | ✅ | ❌ | ❌ | ✅ |
Adding members to a workspace
Only workspace Owners (and org Admins) can add members. The Add Member dialog only lists users who are already part of your organisation — workspace membership is separate from an organisation invitation.
To add a member:
- Navigate to the workspace and open Settings.
- Scroll to the Members section.
- Click Add Member.
- In the dialog, use the Select User dropdown to choose a user. The list shows all organisation members who are not yet in this workspace.
- In the Role dropdown, choose the level of access:
- Viewer (Read-only) — can browse content only
- Contributor (Can edit) — can create and edit content (default)
- Owner (Full control) — full workspace control
- Click Add Member to confirm.
The user gains access immediately — no email notification is sent since they are already part of your organisation.
Tip: If the dropdown shows “All organization members are already in this workspace”, every eligible org member has already been added.
Inviting new users to your organisation
If the person you want to add is not yet an organisation member, you need to invite them at the org level first:
- Go to Settings → Users (this opens the Clerk Organisation Members panel).
- Click Invite and enter their email address.
- Assign an org role: Admin or Member.
- Send the invitation.
Once the user accepts the invitation and creates their account, they will appear in the Select User dropdown in any workspace’s Add Member dialog.
Note: Users invited through the standard Clerk UI receive no automatic workspace assignments. A workspace Owner or Org Admin must add them to each relevant workspace after they join.
Changing a member’s role
Only workspace Owners (and org Admins) can change roles.
To change a member’s role:
- Open the workspace Settings and scroll to Members.
- Find the member in the list.
- Click the role dropdown next to their name (showing their current role: Viewer, Contributor, or Owner).
- Select the new role.
The change takes effect immediately. The member’s access updates in real time — they do not need to sign out and back in.
Restriction: You cannot change the role of the last remaining Owner in a workspace. The workspace must always have at least one Owner. Promote another member to Owner before demoting the current one.
Removing a member
Only workspace Owners (and org Admins) can remove members.
To remove a member:
- Open the workspace Settings and scroll to Members.
- Hover over the member’s row — a remove button (×) appears on the right.
- Click the remove button.
- In the confirmation dialog, click Remove.
The user immediately loses access to the workspace and all of its content. This action does not remove the user from your organisation — it only revokes access to this specific workspace. They can be re-added at any time.
Note: Removing a member does not delete their contributions. Meetings, intelligence, and other content they added remain in the workspace.
Team-based workspace access
In addition to direct membership, users can gain workspace access through teams. When a team is assigned to a workspace, all current and future members of that team inherit access.
How team access is assigned
Team-to-workspace assignments are managed from the team’s settings, not the workspace settings:
- Go to Settings → Teams and open the relevant team.
- Click Assign to Workspace.
- In the dialog, select the workspace from the Select Workspace dropdown.
- Choose a Default Role for all team members in that workspace:
- Viewer (Read-only)
- Contributor (Can edit) (default)
- Owner (Full control)
- Click Assign Workspace.
The default role applies uniformly to all members of the team in that workspace.
Key behaviours
- Team members appear alongside direct members in the workspace’s effective members list.
- Adding a new user to a team automatically grants them access to all workspaces that team is assigned to.
- Removing a user from a team revokes their team-inherited workspace access — unless they also hold a direct membership in that workspace.
- Team-level access cannot be selectively overridden per user at the workspace level. To restrict a specific team member’s access, remove them from the team or adjust the team’s workspace assignment.
Tip: Use teams for groups of users who regularly work together across the same set of workspaces — it’s much easier than managing individual memberships.
Privacy and visibility settings
Who can see a workspace?
By default, a workspace is only visible to:
- Users explicitly added as direct members
- Members of a team that has been granted access to the workspace
- All org Owners and org Admins (implicit access)
Workspaces are not discoverable by regular org Members who have not been added.
Meeting privacy levels
Individual meetings within a workspace carry their own privacy level, which is controlled separately from workspace membership:
| Privacy Level | Who can see the meeting |
|---|---|
| `workspace` | All workspace members |
| `restricted` | Meeting owner, named approvers, and org admins |
| `private` | Meeting owner only |
The ability to set a meeting to restricted or private requires the Can set meetings private feature flag. This flag is automatically granted to org Owners and Admins. Org Members need it explicitly enabled by an admin.
Meeting artifact approvals
When a workspace’s meeting association rules use the require_approval action, meeting artifacts (summaries, action items, transcript excerpts) are not immediately visible to workspace members. Instead, they enter an approval queue:
| Status | Meaning |
|---|---|
| **Pending** | The artifact has been suggested for this workspace but not yet reviewed |
| **Approved** | Workspace members can see the artifact |
| **Denied** | The artifact is not shared with the workspace |
| **Revoked** | A previously approved share has been withdrawn |
Approval actions are available to the meeting owner and workspace admins. Org admins can override any decision. A denied item can be reopened (returned to Pending) by the meeting owner. All decisions are recorded in an audit log.
User feature flags
Beyond roles, certain capabilities are controlled by per-user feature flags. These are set by org admins and apply across the organisation, not per workspace.
| Flag | What it enables | Default | Auto-granted to |
|---|---|---|---|
| **Can set meetings private** | User can mark meetings as restricted or private and control sharing | Off | Org owners, org admins |
| **Has personal workspace** | User gets a dedicated personal workspace for private content | Off | Org owners, org admins |
| **Can manage global rules** | User can create and edit org-wide meeting association rules | Off | Org owners only |
When a user’s org role changes (e.g., promoted from Member to Admin), the relevant feature flags are automatically granted to match their new role. Downgrading a role does not automatically remove flags — an admin must revoke them manually if needed.
To view or change a user’s feature flags:
- Go to Settings → Users.
- Select the user.
- In the Feature Access section, toggle the relevant flags on or off.
Restriction: The Can manage global rules flag can only be granted by org Owners, not by Admins.
Restrictions and edge cases
- A workspace must always have at least one Owner. You cannot remove the last owner, and you cannot change the last owner’s role away from Owner. Promote another member first.
- Org Admins always have effective Owner access, even if they are not listed as a direct member. This cannot be reduced at the workspace level.
- Personal Workspaces cannot be shared. The Members section is not visible in personal workspace settings.
- Workspace names are unique within an organisation. You cannot have two workspaces with the same name under the same org.
- Removing a member does not delete their content. Meetings, notes, and intelligence they contributed remain in the workspace.
- Team-inherited access cannot be selectively overridden per user at the workspace level. To restrict a particular team member, remove them from the team or change the team’s workspace assignment.
- There is no guest role at the workspace level. The valid workspace roles are
owner,contributor, andvieweronly. - Users invited via the standard Clerk UI receive no automatic workspace assignments. Workspace access must be granted manually once they join the organisation.
Related articles
More resources to help you go deeper.