Skip to main content

Workspace Onboarding and Governance Playbook

This playbook is for workspace owners and operators who need a repeatable setup and governance process.

Phase 1: Workspace baseline setup

  1. Open Workspace settings and complete General tab first.
  2. Set workspace identity (name, brand assets, default currency, timezone).
  3. Confirm policy surfaces (Terms, Privacy, support paths) are visible to users.
  4. Confirm default dashboard/load behavior is acceptable for daily operators.
Baseline checks:
  • naming and branding are production-ready
  • reporting defaults match finance preference
  • legal/support links are accessible

Phase 2: Access model and invitations

  1. Define role model before inviting users (owner/admin/member patterns).
  2. Invite members in controlled batches.
  3. Confirm each invite acceptance produces expected workspace access.
  4. Confirm existing-user invite and new-user invite flows both behave correctly.
  5. Remove or expire stale invites as part of weekly hygiene.
Operational constraints:
  • avoid over-assigning admin roles
  • verify role boundaries with real UI actions (not only role labels)
  • enforce least privilege for finance and automation operations

Phase 3: Plan-gated tab validation

  1. Confirm visible workspace tabs match current plan.
  2. Confirm hidden tabs are truly inaccessible (not only visually hidden).
  3. Confirm related actions on other pages also respect plan gates.
  4. Re-run this check after every upgrade/downgrade.
Critical areas to verify:
  • API keys and API apps
  • custom domains
  • webhooks and integrations
  • tracking/revenue modules
  • security/SAML/SCIM for enterprise

Phase 4: Key workspace controls

API keys and apps

  1. Create only keys needed for active automations.
  2. Use scoped permissions wherever possible.
  3. Rotate keys on schedule and remove unused keys.

Domains and branding

  1. Add custom domains only when ownership and DNS are confirmed.
  2. Verify domain status before assigning to high-volume links.
  3. Re-check domain behavior after plan changes.

Webhooks and outbound automations

  1. Configure destination and secret carefully.
  2. Test delivery and idempotency handling before enabling production triggers.
  3. Monitor retries and failures.

Phase 5: Security and compliance operations

  1. Enforce strong account practices for privileged users.
  2. Enable enterprise identity controls where applicable.
  3. Review session/member/invite activity on a defined cadence.
  4. Confirm incident escalation and ownership are documented.

Weekly governance routine

  1. Review members, roles, and pending invites.
  2. Review billing usage and top-up thresholds.
  3. Review integration health and failed deliveries.
  4. Review security events and suspicious access patterns.
  5. Review plan utilization against limits.

Offboarding and ownership continuity

  1. Transfer ownership only with explicit approval.
  2. Remove departed users promptly.
  3. Rotate keys and secrets when privileged members leave.
  4. Confirm no orphaned automation dependencies remain.

Troubleshooting matrix

ProblemLikely causeFirst action
User cannot see expected settings tabPlan gate or role scopeValidate role and plan entitlements
Invite accepted but wrong access levelInvite role mismatchRe-assign role and review invite policy
Automation fails after workspace changesCredential or scope driftRe-check key scopes and integration status
Domain unavailable for new linksVerification or plan-limit issueRe-check domain state and domain capacity
Related:
  • /user-guides/manual/workspace/workspace-settings-and-governance-reference
  • /user-guides/manual/workspace/workspace-tabs-and-plan-gates-reference
  • /user-guides/manual/workspace/workspaces-and-access
  • /user-guides/manual/monetization/plan-gate-validation-playbook