← Team Hub Systems · Access & Permissions

Access & Permissions

Who gets access to what, by role. How access is granted at onboarding, how it’s pulled at offboarding. Default to least-privilege — grant what someone needs to do their job, no more.

Principle

Access is granted by role, not by request. If the matrix below doesn’t cover your situation, escalate to a partner before granting one-off access. Don’t freelance permissions.

Access matrix by role

Default access by pod role. = full access. Read = view only. = no access by default.

Tool Partner Delivery Lead Pod Lead AI Dev Media Buyer Designer Other Pod
Slack · CMG workspace
Google Workspace · cmg.la email
Linear · pod project
Notion · client pages
Figma · design teamReadReadRead
GitHub · CMG orgReadRead
Attio CRMRead
Wise Business
Stripe · client billing
QuickBooks
Netlify / Vercel / Cloudflare
Anthropic API keys
Client Shopify (staff)Read
Client Meta BusinessRead
Client Google AdsRead
Client TikTok Ads / ShopRead
Client KlaviyoRead
Client affiliate platformRead

“Other Pod” covers Growth Marketer, Project Manager, Video Editor, Creators / Affiliate Manager — access depends on role. The Creators Mgr column is hard-coded to access TikTok Shop and affiliate platforms.

Granting access at onboarding

Pod Lead is responsible for getting every required tool provisioned within the first 48 hours.

Onboarding checklist

First 48 hours of a new pod member.
  1. Provision Google Workspace mailbox.
  2. Invite to Slack · pod channels + #operations.
  3. Add to Linear with the right team / project role.
  4. Share Notion client pages relevant to their pod.
  5. Grant Figma seat (designers only).
  6. Add to GitHub org (developers only).
  7. Provision client platform access per the matrix.
  8. Send a Slack DM with all credential links + 1Password vault invite for shared passwords.

Offboarding checklist

Last day. No CMG access lingers beyond it.
  1. Revoke Slack on last day — deactivate, don’t archive.
  2. Suspend Google Workspace account; forward email to Pod Lead for 30 days.
  3. Remove from Linear, Notion, Figma, GitHub.
  4. Revoke client platform access — Shopify staff, Meta Business, Google Ads, TikTok, Klaviyo, affiliate.
  5. Rotate any shared credentials they had access to (especially in 1Password).
  6. Rotate Anthropic API keys if they had access.
  7. Confirm with the Pod Lead that they’ve transferred ownership of any client-facing assets.
  8. Document final-day access revocation in #operations.

Granting access on the client side

When CMG needs access to a client’s platforms, the request is consistent. Don’t freelance the wording.

PlatformHow to requestWhat we use it for
ShopifyStaff account invite for the specific pod member; permissions: Orders, Products, Customers, Discounts, Marketing, AppsAffiliate setup, conversion tracking, dashboard wiring
Meta BusinessPartner access to Business Manager — ID provided by Pod LeadAd account management, Partnership Ads, pixel ops
Google AdsMCC link request; client clicks approve in their UISearch + PMax campaign management
TikTokBusiness Center collaborator invite + TikTok Shop creator accessAd ops + creator partnerships
KlaviyoAccount user invite at Manager role minimumLifecycle / email program management
Affiliate platformAdmin or Manager role on the platform of recordCreator recruitment, commissions, payouts

Security posture

  1. 2FA mandatory on every CMG account — Google Workspace, Slack, GitHub, Wise, Stripe, ad platforms.
  2. 1Password vault for any credential more than one person needs. No credentials shared in Slack.
  3. API keys are per-project, not per-person. Stored in Cusrich.AI’s secret store; rotated quarterly or on offboarding.
  4. Audit access quarterly — Pod Lead reviews who has access to what for their pod. Revoke anything stale.
  5. Client data: never copy client customer PII into CMG-owned systems. Pull, use in place, don’t persist.
  6. Incident reporting: credential leak or account compromise — trigger the Incident Response SOP immediately.
Partner-approved exceptions to this matrix should be logged in Drive > Operations > Access Exceptions with the reason and expiration date. Default is denial.