Access control
Workspace-level roles (Owner, Admin, Member) cover most teams. Larger teams need finer control — per-design permissions, audit logs, and SSO. All three ship on the Team plan; SSO is gated to Enterprise.
Per-design permissions
By default, every member can read every design in the workspace. To restrict a specific design:
- Open the design.
- Settings → Permissions → switch from Workspace to Restricted.
- Add specific members + their per-design role:
  - Viewer — can read but not edit.
  - Editor — can edit but not delete.
  - Owner — full control over this design.
Restricted designs are hidden from members who aren't on the access list. Admins can override and view any design via Settings → Audit.
Audit logs
Every workspace records:
- Member added / removed / role changed.
- Design created / edited / deleted / restored.
- API key created / revoked.
- Failed authentication attempts.
Log entries include actor, action, target, IP address, and timestamp. Export the log as CSV from Settings → Audit. Logs are retained for 90 days by default; Enterprise plans can extend retention.
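One way to triage the exported CSV, as an added example (not the product's own tooling): it flags IPs with a burst of failed authentication attempts and API keys created from an IP the actor has not used earlier in the log. The column names, action labels and ISO 8601 timestamps are assumptions; match them to the header row of your export.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export; column names and action labels are assumptions.
SAMPLE_CSV = """actor,action,target,ip,timestamp
alice@example.com,design.edited,design-12,198.51.100.4,2024-05-01T09:00:00+00:00
bob@example.com,auth.failed,workspace,203.0.113.7,2024-05-01T10:00:00+00:00
bob@example.com,auth.failed,workspace,203.0.113.7,2024-05-01T10:01:00+00:00
bob@example.com,auth.failed,workspace,203.0.113.7,2024-05-01T10:02:30+00:00
alice@example.com,auth.failed,workspace,198.51.100.4,2024-05-01T10:05:00+00:00
alice@example.com,api_key.created,key-1,192.0.2.99,2024-05-01T11:00:00+00:00
"""
FAILED_AUTH = "auth.failed"      # assumed action label
KEY_CREATED = "api_key.created"  # assumed action label

def load_events(text):
    """Parse the export and return rows sorted by timestamp."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
    return sorted(rows, key=lambda r: r["timestamp"])

def failed_auth_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Map each IP to its peak failure count in any window, if >= threshold."""
    by_ip = defaultdict(list)
    for e in events:
        if e["action"] == FAILED_AUTH:
            by_ip[e["ip"]].append(e["timestamp"])
    flagged = {}
    for ip, times in by_ip.items():
        start = best = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

def keys_created_from_new_ip(events):
    """List API key creations from an IP the actor has not used before."""
    seen, hits = defaultdict(set), []
    for e in events:
        if e["action"] == KEY_CREATED and e["ip"] not in seen[e["actor"]]:
            hits.append((e["actor"], e["ip"], e["timestamp"].isoformat()))
        if e["action"] != FAILED_AUTH:  # failed logins do not make an IP "known"
            seen[e["actor"]].add(e["ip"])
    return hits
```

An actor with no earlier successful activity in the export is also reported by `keys_created_from_new_ip`, so expect some noise near the start of the retention window.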
SSO (Enterprise)
Enterprise workspaces support SAML 2.0 SSO with the major identity providers (Okta, Azure AD, Google Workspace, OneLogin, Auth0).
Setup:
- Contact us via [email protected] to enable.
- Configure your IdP using the metadata we provide.
- Enable Require SSO in workspace settings — all members must use SSO going forward.
- Optional: enable SCIM provisioning for auto-create / auto-deactivate.
When SSO is required, the email-password and social-OAuth flows are disabled for the workspace's domain. Members sign in via your IdP only.
Service accounts
For automation that shouldn't be tied to a real human:
- Create a service account in Settings → API keys → Service accounts.
- Service accounts have no email and can't sign in via the UI.
- They get a long-lived API key and a fixed scope.
- Audit logs distinguish service-account actions clearly.