Documentation
English
Members, Roles & Groups

Members, Roles & Groups

SKH offers a flexible, multi-layered permission model:

  1. Organisation membership – Who's part of the organisation at all?
  2. Workspace membership – Who has access to which workspace, at what role?
  3. Page membership – Optional, when a single page should be treated differently from the rest of the workspace.
  4. Custom roles – When the built-in roles aren't enough.
  5. Groups – Bundle multiple members for easier management.

Built-in roles

RoleDefault rights
OwnerEverything, including billing, owner transfer and deleting the organisation
AdminEverything except owner-only actions (manage members, workspaces, integrations, MCP servers, AI configuration)
MemberStandard user (workspaces, chat, documents according to memberships)

At the workspace level there's a separate role per member. An organisation member can be admin in workspace A and just member in workspace B.

At the page level:

  • Member – Read
  • Editor – Read + write
  • Admin – Full access including managing other page members

Permission model for custom roles

A custom role is a selection out of 20 atomic permissions – each a combination of an action and a resource:

ActionResource
CreateWorkspace
ReadPage
UpdateFolder
DeleteFile
Member

Examples:

  • Read-only role: Read on every content type.
  • Editor: Read rights + create/update/delete files + create folders.
  • Workspace manager: Editor rights + create/update workspaces + read/update members.

Inviting a member

  1. Settings → Members.
  2. Invite member.
  3. Enter e-mail address (or several, comma-separated).
  4. Pick a role – built-in or custom.
  5. Send invitation.

Recipients receive an e-mail with a link valid for 7 days. On accept, the member is automatically added to the organisation.

Bulk invite via CSV

For large onboardings there's a CSV bulk import:

  1. Invite member → Bulk import.
  2. Upload a CSV with columns for e-mail and role.
  3. Preview table validates format and duplicates.
  4. Send invitations.

Creating a custom role

  1. Settings → Roles.
  2. Create role.
  3. Provide a name (e.g. "Compliance reviewer") and description.
  4. Pick the required permissions from the matrix.
  5. Optionally: limit to specific workspaces.
  6. Save.

The role is immediately available when inviting or editing existing members.

Customising built-in roles

You can also override the built-in roles per organisation – e.g. if "Member" should not have file-read rights by default. The override only applies to your organisation.

Groups

Groups bundle multiple members for easier management:

  • Members – Who's in the group.
  • Workspaces – Which workspaces the group automatically sees.
  • Tool permissions – Which MCP tools every group member can call from chat.

Creating a group

  1. Settings → Groups.
  2. Create group with name and description.
  3. Add members (search or CSV import).
  4. Optionally assign workspaces.
  5. Optionally grant tool permissions.

When a new member joins the group, they automatically inherit every workspace and tool access of the group – no per-user setup needed.

Page memberships

Per page you can refine, on top of workspace membership, who sees what content. Sources:

  • Manual – An admin added the member to the page explicitly.
  • From workspace – Inherited from workspace membership (no explicit row needed).
  • From SharePoint – Mirrored from SharePoint access rights.

Recommendation: only use page memberships when you really need per-page differentiation. In most cases workspace membership is enough.

Managing members

Change role

  1. Settings → Members.
  2. Use the three-dot menu next to the member.
  3. Edit role → pick a new role → save.

Remove from organisation

  • Three-dot menu → Remove member.
  • Every workspace membership goes with it.
  • Data the member produced (chats, uploaded files) stays in place.

Owner transfer

Owner transfer currently goes through platform support.

User Workspace Management

For large organisations there's a dedicated Settings → User Workspace Management view that displays members × workspaces as a matrix:

  • Add multiple members to multiple workspaces at once.
  • Bulk-update roles.
  • Filter by member, role, workspace.

Best practices

  • As few permissions as possible – Default is "Member". "Admin" only where actual administration is needed.
  • Name custom roles by function – "Compliance reviewer" beats "Read+Update".
  • Groups over individual grants – If 5+ members need the same rights, build a group.
  • Quarterly audit – Once a quarter, review who has which role. Remove or downgrade inactive members.
  • Workspace first – Before defining page memberships, prefer splitting workspaces.
Administrator OverviewIntegrations