How to set up user permissions and access controls in Point-of-reference

If you’re running a team on a new tool, you want to make sure people can do their jobs without stumbling into things they shouldn’t touch. If you’ve landed here, you’re probably setting up Point-of-reference for your company, or maybe you’re cleaning up a messy permissions setup that’s gotten out of hand. Either way, this guide is for folks who want to get user roles and access controls right—without wasting hours deciphering jargon or feeling like you need an IT degree.

Let’s get you set up, step by step, and talk about what matters (and what you can safely ignore).


1. Decide What You Actually Need to Control

Before you start clicking around and assigning roles, take five minutes to write down the kinds of access your team actually needs. It’s tempting to just copy what you did in your last tool, but every app is a little different—and overcomplicating things from the start is a recipe for confusion.

Common things to consider:

  • Who needs to edit vs. view content?
  • Are there any sensitive projects or data only certain people should see?
  • Who’s responsible for adding or removing users?
  • Do you want to let people invite outside collaborators, like freelancers?

Pro tip: If you’re not sure, start more restrictive. It’s easier to loosen up controls than to clean up a permissions mess later.


2. Understand Point-of-reference’s Permission Model

Every SaaS tool has its own spin on permissions. Point-of-reference is no exception. Here’s the real-world scoop:

  • Roles: The core of access control. Typical roles are Admin, Editor, Viewer, and (sometimes) Guest.
  • Groups/Teams: You can bundle users into groups for easier permission management.
  • Resource-Level Permissions: You can fine-tune access on specific projects, folders, or documents.

What works: The built-in roles cover 90% of use cases. Most teams only need to tweak a few settings for edge cases.

What doesn’t: Don’t bother with custom roles until you’ve outgrown the defaults. It’s more work and usually not worth it unless you’re a big org with complex needs.


3. Set Up Core Roles

Here’s how to set up the main roles for your team in Point-of-reference:

Step 3.1: Access the Admin Console

  • Go to your dashboard.
  • Find “Settings” in the sidebar (sometimes under your profile menu).
  • Click on “Users & Permissions” or “Team Management.” The names change from time to time, but it’ll be something along those lines.

Step 3.2: Invite Users and Assign Roles

  • Click “Invite User” or “Add Member.”
  • Enter their email (double-check this—typos here are a headache).
  • Select a role:
      • Admin: Can do everything, including billing and user management. Limit this to people you trust.
      • Editor: Can create and edit content, but can’t change global settings.
      • Viewer: Can only view. Good for stakeholders who just need to see updates.
      • Guest: Limited access, usually on a per-project basis. Useful for clients or contractors.

Honest take: Most teams only need one or two Admins. Too many cooks spoil the broth—and open you up to accidental chaos.

Step 3.3: Organize by Group (Optional)

If your team is more than a dozen people, set up Groups or Teams (e.g., “Marketing,” “Product,” “Sales”). This lets you set permissions once for the group, instead of micromanaging every user.


4. Fine-Tune Access Controls

Now that your core roles are set, you might need to give (or limit) access to specific projects, folders, or documents.

Step 4.1: Navigate to the Resource

  • Go to the folder, project, or document you want to lock down.
  • Find the “Share” or “Permissions” button (usually an icon with a lock, shield, or little people).

Step 4.2: Adjust Who Can Do What

  • You’ll see a list of users and groups with access.
  • Set:
      • Can view: For folks who shouldn’t make changes.
      • Can edit: For collaborators.
      • Can manage: For people who should control sharing and settings on this item.

What to ignore: Don’t bother setting super-granular permissions for every single file. Focus on the important stuff—your most sensitive or high-impact projects.


5. Handle External Access Carefully

Letting outsiders (like contractors or clients) into your workspace? Here’s what to watch out for:

  • Use Guest accounts wherever possible. Don’t give external people full user roles.
  • Set expiration dates for access if the tool allows it. Otherwise, mark your calendar to revisit permissions regularly.
  • Double-check what they can see: Test it yourself, or ask a teammate to sanity-check.

Reality check: Most breaches or leaks aren’t the result of hackers—they’re from someone leaving a door open for too long. Don’t be that team.


6. Review and Audit Regularly

Permissions aren’t “set it and forget it.” Make it a habit to check who has access every month or quarter, especially after people leave the team or switch roles.

  • Go to the “Users & Permissions” area.
  • Look for:
      • Ex-employees who still have access (remove them immediately).
      • Old guest accounts you forgot about.
      • Admins who don’t need to be admins anymore.
  • Use the audit log if your plan includes it. If it doesn’t, consider exporting a user list and checking it manually.

Pro tip: Set a recurring calendar reminder. It’s boring but saves you from messy problems down the road.
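If you go the manual route with an exported user list, a short script can do the checking for you. This is an added example, not Point-of-reference's own tooling: it flags the three items listed above. The CSV column names, the staff roster, and the 90-day and two-admin thresholds are assumptions; adjust them to what your export actually contains.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample export. Column names are assumed, not the tool's real format.
SAMPLE_EXPORT = """email,role,last_active
alice@example.com,Admin,2024-05-28
bob@example.com,Admin,2024-05-30
carol@example.com,Admin,2023-11-02
dave@example.com,Editor,2024-05-20
erin@example.com,Viewer,2024-04-15
freelancer@contractor.example,Guest,2024-01-10
client@customer.example,Guest,2024-05-25
"""

# Constructed roster of current employees (e.g. pulled from your HR list).
CURRENT_STAFF = {"alice@example.com", "bob@example.com",
                 "carol@example.com", "erin@example.com"}


def audit_users(export_csv, current_staff, today, stale_days=90, max_admins=2):
    """Return (subject, reason) findings for an exported user list."""
    findings, admins = [], []
    for row in csv.DictReader(io.StringIO(export_csv)):
        email = row["email"].strip().lower()
        role = row["role"].strip().lower()
        last = datetime.strptime(row["last_active"].strip(), "%Y-%m-%d").date()
        idle = (today - last).days
        if role == "guest":
            # Guests are external, so judge them by inactivity, not the roster.
            if idle > stale_days:
                findings.append((email, "stale guest account"))
        elif email not in current_staff:
            findings.append((email, "not on current staff roster"))
        if role == "admin":
            admins.append(email)
            if idle > stale_days:
                findings.append((email, "inactive admin"))
    if len(admins) > max_admins:
        findings.append((", ".join(sorted(admins)),
                         f"{len(admins)} admins, expected at most {max_admins}"))
    return findings


if __name__ == "__main__":
    for subject, reason in audit_users(SAMPLE_EXPORT, CURRENT_STAFF, date(2024, 6, 1)):
        print(f"{reason}: {subject}")
```

Treat the output as a review list rather than an automatic removal list: a roster that is out of date will flag people who still belong.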


7. Advanced: Custom Roles and API Access (If You Really Need Them)

Most teams never need to touch these, but here’s the honest rundown.

Custom Roles

  • Only bother if the default roles are too blunt for your workflow.
  • Creating custom roles is usually hidden under “Advanced Permissions.”
  • Be very clear about what each custom role can and can’t do. Document it somewhere your team can find.

API Access

  • If you’re integrating with other tools or automating workflows, you’ll need to generate API tokens.
  • Treat these like passwords. Only give API access to trusted apps or scripts.
  • Revoke tokens if you stop using an integration.

Caution: Custom roles and API permissions are power tools. Use them carefully, and don’t overcomplicate things for the sake of it.


8. What to Skip (For Now)

There’s a lot of noise out there about “zero trust” and “advanced security frameworks.” Unless your company is in a heavily regulated industry or you have a dedicated IT/security team, you can skip:

  • SSO and SCIM integrations (unless you know you need them)
  • Overly granular permissions for every folder
  • Third-party “access governance” tools

Stick to the basics until you actually have problems those tools are designed to solve.


Wrap-Up: Keep It Simple, Stay Flexible

A solid permissions setup in Point-of-reference isn’t about locking things down so tightly nobody can work—it’s about giving people the access they need, and nothing more. Start simple. Review regularly. Don’t let “security theater” slow your team down.

If you break something, you can always adjust. If you keep it honest and clear, your team will thank you—and you’ll spend less time cleaning up permission messes later.

Happy (safe) collaborating.