If you’re managing a team or a project in Refer and you don’t want things to turn into the Wild West, you need to get a grip on user roles and permissions. This guide is for admins, project leads, or anyone who’s been handed the keys and told “make it secure, but don’t slow us down.”
We’ll break down how to actually set up roles and permissions in Refer, what matters (and what doesn’t), and a few pitfalls to avoid. No fluff, just honest advice and actionable steps.
Why User Roles and Permissions Matter (And When to Care)
Let’s be real: giving everyone admin access is easy—until someone accidentally deletes a critical project, or shares sensitive info they shouldn’t. Roles and permissions let you:
- Control who can see or do what
- Reduce accidental or malicious changes
- Meet compliance or privacy requirements (without a headache)
If your team is more than two people, or you’re handling anything sensitive, you should care. If you’re a solo user, honestly, you can skip most of this.
Step 1: Understand the Refer Roles (and What They Actually Control)
Before you start clicking around, you need to know what Refer’s built-in roles actually do. Here’s the honest rundown:
- Admin: Full control. Can add/remove users, change permissions, delete anything, and tweak settings. Only give this to people you trust (and who won’t panic if something breaks).
- Manager: Can create/edit projects, invite users, and manage most content—but can’t nuke the whole workspace or change billing. Good for team leads.
- Contributor: Can add and edit their own stuff, comment, and collaborate, but can’t change other people’s permissions. Safe for most team members.
- Viewer: Read-only. Can see what’s shared with them, but can’t touch anything. Ideal for clients or auditors.
Pro tip: Don’t invent roles unless you absolutely need to. The built-ins cover 95% of real-world cases.
Step 2: Map Out Who Needs What Access (Don’t Overthink It)
Grab a notepad (paper or digital, whatever) and jot down:
- Who actually needs to manage users and settings? (Probably just 1-2 admins)
- Who needs to edit or build projects?
- Who only needs to view or comment?
If you’re not sure, default to less access. It’s easier to grant more later than explain why someone saw something they shouldn’t.
Common mistakes to avoid:
- Giving everyone admin rights “just in case”
- Assigning more permissions because it’s faster (it’s not, long-term)
- Forgetting about contractors or ex-team members—prune regularly
Step 3: Add Users and Assign Roles in Refer
Here’s how to actually do it:
- Log in as an admin. You’ll need admin rights to manage roles.
- Go to your workspace or project settings.
- Find the “Users” or “Team” section. (Names shift depending on updates, but it’s usually in the sidebar.)
- Invite users by email. Enter their address and select their role from the dropdown.
- Double-check before you send. Make sure you’re not giving admin to someone who shouldn’t have it.
- Send the invite. They’ll get an email to join.
Pro tip: If Refer supports bulk import (CSV or Google sync), use it for big teams but check every user’s role afterward—default permissions aren’t always what you expect.
Step 4: Set Project or Folder-Level Permissions (Where the Real Control Happens)
Workspace roles are the starting point, but sometimes you need to get granular—like giving a client access to just one project.
- Navigate to the project or folder you want to secure.
- Open the “Share” or “Permissions” menu.
- Add people or groups. (Refer usually supports both.)
- Pick their access level:
  - Can edit: Full collaborator, but only inside this project/folder.
  - Can comment: Can give feedback, but not change content.
  - Can view: Read-only.
This is where you can get specific (and where messes often start). If someone doesn’t need access, don’t add them. If you’re not sure, give view-only.
What to ignore: Don’t micromanage every single document unless you have a real reason (legal, compliance, etc.). It’s a recipe for burnout.
Step 5: Review and Audit Regularly (It’s Not Set-and-Forget)
People come and go. Projects change. Permissions need to keep up.
- Schedule a permissions review every quarter (or after big team changes).
- Remove users who’ve left or don’t need access anymore.
- Double-check sensitive projects: Who can see? Who can edit?
Refer sometimes offers an audit log—use it if you suspect something’s gone sideways.
Pro tip: Set a calendar reminder to review roles. It’s boring, but it’ll save you drama later.
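One way to make the quarterly review less manual, as an added example (not Refer's own code or export format): compare the current user list against the access map from Step 2 and flag anyone who holds more than they should. The CSV column names, the email addresses, and the two-admin limit are assumptions made for illustration.

```python
import csv
import io

# Built-in roles from the guide, ordered least to most privileged.
ROLE_RANK = {"Viewer": 0, "Contributor": 1, "Manager": 2, "Admin": 3}
MAX_ADMINS = 2  # assumption taken from "probably just 1-2 admins"

# Constructed sample roster. Column names are assumed, not a Refer format.
CURRENT_ROSTER = """email,role
ana@example.com,Admin
ben@example.com,Admin
cy@example.com,Admin
dee@example.com,Contributor
eli@example.com,Manager
old.contractor@example.com,Contributor
fay@example.com,Finance Reviewer
"""

# Constructed access map from Step 2: the role each person should hold.
INTENDED = {
    "ana@example.com": "Admin",
    "ben@example.com": "Admin",
    "cy@example.com": "Manager",
    "dee@example.com": "Contributor",
    "eli@example.com": "Viewer",
    "fay@example.com": "Viewer",
}

def audit_roster(roster_csv, intended, max_admins=MAX_ADMINS):
    """Return (email, finding) pairs for access that exceeds the map."""
    findings = []
    admins = 0
    for row in csv.DictReader(io.StringIO(roster_csv)):
        email = row["email"].strip().lower()
        role = row["role"].strip()
        if role == "Admin":
            admins += 1
        if email not in intended:
            # Ex-team members and forgotten contractors land here.
            findings.append((email, "remove: not in access map"))
        elif role not in ROLE_RANK:
            # Custom roles need a human to check what they grant.
            findings.append((email, f"review: custom or unknown role '{role}'"))
        elif ROLE_RANK[role] > ROLE_RANK[intended[email]]:
            findings.append((email, f"downgrade: {role} -> {intended[email]}"))
    if admins > max_admins:
        findings.append(("*", f"too many admins: {admins} > {max_admins}"))
    return findings
```

The same check is worth running right after a bulk import, since that is when default roles are most likely to differ from what you intended.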
Step 6: Handle Exceptions and Custom Roles (Only If You Must)
Most teams never need custom roles, but if you do:
- Check if your Refer plan supports custom roles. (Usually a premium feature.)
- Use clear names: “Finance Reviewer” beats “Role 2.”
- Document what each custom role can do. Otherwise, chaos will follow.
But honestly, the more custom roles you create, the harder your life gets. Stick to built-ins unless you hit a wall.
Step 7: Communicate (So No One’s Surprised)
Permissions only work if people know what’s expected.
- Tell your team what each role means, and who to ask for help.
- Document the basics in your onboarding or team wiki.
- Don’t be afraid to say no to access requests if it’s not needed.
A quick Slack or email explaining “You’re a Contributor, here’s what that means” saves headaches later.
What Works, What Doesn’t, and What to Ignore
What works:
- Keeping roles as simple as possible
- Reviewing access regularly
- Using least-privilege by default (give the minimum needed)
What doesn’t:
- Over-customizing roles for every situation
- Waiting until after a security incident to clean up
- Hoping people “just won’t touch” things they shouldn’t
Ignore:
- Fancy permission matrix charts unless you’re in a huge org
- Overlapping roles—pick one per person, per project if you can
Wrapping Up: Keep It Simple, Iterate Often
Setting up roles and permissions in Refer doesn’t have to eat your week. Keep things tight, stick to the basics, and review as your team changes. The best setup is the one you barely notice—until it saves you from a disaster.
Want to get more advanced later? Fine. But get the fundamentals right first, keep your roles simple, and you’ll avoid most of the headaches people run into with permissions.