
Workspaces and Access

A workspace is the security and billing boundary for Linquid.

Role model (practical matrix)

| Role | Typical ownership | Typical allowed operations |
|---|---|---|
| Owner | Account/workspace owner | Full access, billing/plan actions, ownership continuity |
| Admin | Team leads/operators | Most management actions across links, campaigns, rules, members, integrations |
| Editor | Campaign operators | Build and operate campaigns/links/rules, review analytics, limited governance actions |
| Viewer | Analysts/stakeholders | Read-only dashboards and operational visibility |

Use role assignment based on job function, not convenience.

Permission design principles

  1. Grant the lowest role that still allows the user to complete their job.
  2. Separate billing/governance duties from campaign operation where possible.
  3. Use temporary elevation instead of permanent over-privileged access.
  4. Review and revoke access as part of every offboarding workflow.

Workspace settings areas

Key workspace-level controls include:
  • identity: workspace name, logo, branding defaults
  • operations: default workspace behavior and member lifecycle
  • developer controls: API keys and publishable keys
  • domain controls: custom domain setup and validation
  • governance: limits, retention, and ownership continuity

Invitation and membership lifecycle

Common membership flow:
  1. Invite one or more emails from the Members tab.
  2. Set role at invite time.
  3. Invitee accepts and appears as active member.
  4. Admin/owner adjusts role as responsibilities change.
  5. Member is removed when access is no longer required.
Practical notes:
  • Batch invite is supported for multi-email onboarding.
  • Invite quality matters: wrong role assignment is the most common access bug.
  • Removal prompts should be treated as irreversible from an access perspective.

Member onboarding checklist

  1. Invite to the correct workspace with correct role.
  2. Confirm accepted invite appears in member list as active.
  3. Confirm user can access required pages only.
  4. Confirm user cannot access admin/billing pages unless intended.

Access controls

Use workspace roles and scoped permissions to enforce least privilege. Common patterns:
  • Operators: campaign/link/rule management.
  • Analysts: read-focused access for analytics and exports.
  • Owners/admins: billing, integration, and workspace governance.

Scope isolation expectations

Users should never see resources from a workspace they are not a member of. This includes:
  • links, campaigns, and rules
  • conversions, events, and customers
  • affiliate and payout data
  • exports and workspace-level settings
Important boundary:
  • Affiliate partners in the partner portal are separate identities and are not workspace members by default.
  • Partner portal access and workspace-member access are governed by different authentication and permission paths.

Multi-workspace behavior

For users in multiple workspaces:
  • Active workspace controls visible data scope.
  • Personal default workspace setting controls initial landing context.
  • Switching workspace should immediately switch all analytics, links, and billing context.

Default workspace best practices

  • Set a stable default workspace for each user role.
  • Verify mobile and desktop load the same default.
  • Include workspace context checks in onboarding docs.

Permission boundary expectations

A user should only see data for workspaces they belong to with sufficient role access. This applies consistently to:
  • analytics and dashboard views
  • campaign/link/rule management
  • customer, conversion, and affiliate data
  • export and billing operations

Identity and login interaction

Access can be tied to:
  • email/password credentials
  • linked social providers
  • enterprise SSO (when enforced by workspace)
When enterprise SSO is enforced for a domain, password login for that domain should route through SSO.

Common access issues and fixes

| Issue | Likely cause | First fix |
|---|---|---|
| User cannot see expected pages | Role too restrictive | Update role and retry |
| User sees wrong workspace after login | Default workspace misconfigured | Update default workspace preference |
| Invite not accepted | Incorrect email or expired invite | Reissue invite to correct address |
| Billing page unavailable to admin | Role/workspace mismatch | Confirm user role in the active workspace |
| SSO user cannot log in | Domain enforcement or IdP mapping issue | Validate SSO config and domain association |

Operational checks

Run monthly checks for:
  • stale invites
  • inactive members
  • over-privileged users
  • ownership continuity
  • default workspace correctness for multi-workspace users

Quarterly governance checks

  1. Audit all owners and admin users for necessity.
  2. Remove stale invited users and dormant members.
  3. Validate SSO/SCIM membership mapping for enterprise tenants.
  4. Review permission exceptions and temporary escalations.
  5. Confirm offboarding checklist includes session revocation.
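
The monthly and quarterly checks above can be run as a repeatable audit over a member list. The following is an added example, not Linquid's own code or export format: the record fields, the 14-day and 90-day thresholds, and the two-active-owners rule are assumptions chosen for illustration.

```python
from datetime import date

# Thresholds and record fields are assumptions for this example, not Linquid defaults.
STALE_INVITE_DAYS, INACTIVE_DAYS, MIN_ACTIVE_OWNERS = 14, 90, 2
PRIVILEGED = {"owner", "admin"}

def audit(members, defaults, today):
    """Return sorted (check, workspace, email) findings for the periodic checks."""
    findings, active_owners, memberships = set(), {}, {}
    for m in members:
        ws, email = m["workspace"], m["email"]
        active_owners.setdefault(ws, 0)
        if m["status"] == "invited":  # pending invite: only its age matters
            if (today - m["invited_on"]).days > STALE_INVITE_DAYS:
                findings.add(("stale_invite", ws, email))
            continue
        memberships.setdefault(email, set()).add(ws)
        idle = (today - m["last_active"]).days > INACTIVE_DAYS
        if idle:
            findings.add(("inactive_member", ws, email))
        if m["role"] in PRIVILEGED:  # elevated role with no recent privileged use
            used = m.get("last_privileged_action")
            if used is None or (today - used).days > INACTIVE_DAYS:
                findings.add(("over_privileged", ws, email))
        if m["role"] == "owner" and not idle:
            active_owners[ws] += 1
    for ws, count in active_owners.items():
        if count < MIN_ACTIVE_OWNERS:  # no backup owner if one account is lost
            findings.add(("ownership_continuity", ws, "-"))
    for email, ws in defaults.items():
        if ws not in memberships.get(email, set()):  # default outside membership
            findings.add(("bad_default_workspace", ws, email))
    return sorted(findings)

# Constructed sample data (hypothetical export; not a real Linquid format).
TODAY = date(2024, 6, 1)
MEMBERS = [
    {"workspace": "acme", "email": "owner@example.com", "role": "owner", "status": "active",
     "last_active": date(2024, 5, 30), "last_privileged_action": date(2024, 5, 20)},
    {"workspace": "acme", "email": "lead@example.com", "role": "admin", "status": "active",
     "last_active": date(2024, 5, 28), "last_privileged_action": date(2023, 11, 1)},
    {"workspace": "acme", "email": "analyst@example.com", "role": "viewer", "status": "active",
     "last_active": date(2024, 1, 5)},
    {"workspace": "acme", "email": "new@example.com", "role": "editor", "status": "invited",
     "invited_on": date(2024, 4, 1)},
]
DEFAULTS = {"analyst@example.com": "beta"}  # user -> default workspace
if __name__ == "__main__":
    print(*audit(MEMBERS, DEFAULTS, TODAY), sep="\n")
```

Each finding is a candidate for review, not an automatic removal: an admin flagged as over-privileged may simply need a lower role.
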
Related:
  • /user-guides/manual/workspace/workspace-onboarding-and-governance-playbook
  • /user-guides/manual/workspace/security-and-compliance
  • /user-guides/manual/monetization/billing-plans-and-credits