Start with role clarity
Define what each internal role should be allowed to see and change before creating users. The permission model should mirror real job responsibilities, not generic job titles.
Team and access
How to structure internal user access so operators can work efficiently without giving every team member broad control across the platform.
Granular permissions should be assigned deliberately, with audit evidence for role changes and privileged actions.
Separate view access from mutating actions.
Use approval gates for sensitive access changes.
Review high-privilege accounts periodically.
A mature operating model includes role reviews, approval history, and a clear explanation of what each role can do across the console.