Team Access Control
Give each team member the right level of access to Hiring, Security, Outreach, and Training — and audit or revoke it when they leave.
Why It Matters
Not everyone on your team needs to see everything. Your recruiter doesn’t need vulnerability reports; your security lead doesn’t need outreach campaigns. Team access control lets you decide, per person and per product, who can view, who can manage, and who stays out — and gives you a single page to answer “what exactly can this person access?” when audit or offboarding time comes.
Products and Access Levels
Kit has four products: Hiring, Security, Outreach, and Training. Each team member gets one access level per product:
| Level | What it means |
|---|---|
| No access | The product is off-limits. Opening it shows an access-denied screen with a way to request access. |
| Member | Standard day-to-day access — view and work with the product’s content, subject to any per-item assignments (e.g., restricted job postings). |
| Admin | Full control of that product — create, configure, and manage everything in it, without needing per-item assignments. |
If you never set a level for someone, they’re a Member — existing team members keep working exactly as before; nothing gets locked out until you decide to change it.
Account Admins sit above product levels: they see every product, access everything, and are the only ones who can manage the team’s access.
Note
Product levels control access to a whole product. Within a product, finer-grained assignments still apply — for example, restricted job postings remain visible only to their assigned hiring team. See Inviting Your Team for how job-level roles work.
The Modules Matrix
Go to Settings → Team → Modules for the whole-team view: one row per member, one column per product. Pick a level in any cell and it applies immediately.
Two shortcuts speed this up:
- Roles — each row has a quick-picker with predefined team roles like Recruiter, Security Analyst, Growth, or Trainer. Picking one fills sensible levels across all four products in one click; you can still adjust individual cells afterwards.
- Account admin toggle — flipping it grants full access to everything and collapses the row, since per-product levels no longer apply.
Tip
Start from a role, then tweak. Roles encode the levels most teams actually use — Recruiter gets Hiring admin and little else, Security Analyst gets Security admin. It’s faster and less error-prone than setting sixteen cells by hand. See Team Roles for what each role covers.
The Member Access Page
For a single-person deep dive, go to Settings → Team → Members and click a member. Their access page shows:
- Role — their team role, from full Admin down to Member
- Product levels — their level for each of the four products, editable in place
- Access ledger — a read-only list of every specific item they can touch: which job postings, which reports, which campaigns, and since when
Reading the access ledger
The ledger answers “what can this person access, and where?” without clicking through four products. Each entry names the item, the product it belongs to, and the date access was granted. Use it to:
- Prepare for a security or compliance audit
- Double-check a contractor only sees what they should
- Review everything a departing member touches before offboarding
Requesting Access
When a member opens a product they don’t have access to, they see an access-denied screen — not an error, a door. It includes a one-click Request access button that notifies all Account Admins. The admin can then grant a level from the Modules matrix or the member’s access page.
Offboarding a Member
When someone leaves, open their member access page. You have two options:
| Action | What happens |
|---|---|
| Revoke all access | Keeps their seat but strips every product level and every individual grant in the ledger. Good for leave-of-absence or role changes. |
| Remove from account | Removes them from the team entirely. |
If the person is the sole owner of something — the only hiring manager on a posting, the only assignee on a report — Kit won’t leave those items orphaned. Before completing the revoke or removal, it asks you to pick who takes over, and reassigns everything in the same step.
Warning
Revocation strips everything at once and doesn’t keep an undo list. After “Revoke all access”, the member’s individual grants are gone — restoring them means re-adding each one by hand. Review their access ledger before revoking, and choose successors carefully during reassignment: once ownership moves, the previous owner is fully detached from those items.
Do / Don’t
| Do | Don’t |
|---|---|
| Use roles to set levels consistently across similar people | Hand-pick sixteen cells per person when a role covers 90% of it |
| Review the access ledger before offboarding | Remove a member blind — sole-owned items will force a reassignment prompt anyway |
| Use “Revoke all access” for leave or role changes | Remove someone from the account when they’re coming back |
| Leave levels unset for members who need standard access | Set “No access” everywhere as a default — that’s what revoke is for |
Quick Checklist
- Open Settings → Team → Modules and review every member’s row
- Apply roles for common jobs, then fine-tune individual cells
- Flip the account admin toggle only for people who manage the team
- Spot-check a member’s access page and ledger to confirm it matches expectations
- Tell your team about the Request access button so denials don’t become support tickets
- At offboarding: review the ledger, pick “Revoke all access” or “Remove from account”, and assign successors for sole-owned items