Skip to main content

Audit team permissions quarterly

End of the quarter. The team has changed shape: someone left, someone got promoted from rep to manager, a new CS lead joined two months ago and nobody flipped their role from Member to Manager. This play is the 15-minute quarterly audit that walks the Manage Team roster, revokes access for departures, corrects role mismatches, cross-references against the quarter’s hiring list, and queues up next quarter’s expected seat changes in a Slack note.

What to expect

  • Timing. Roughly 15 minutes for a 20-rep team.
  • Prerequisite. The admin (or RevOps lead) has access to Manage Team and a list of the quarter’s hires and departures from HR or the People system. Knowing who got promoted (or moved teams internally) helps; the audit is faster if the admin already has a mental map of who should be where.
  • Outcome. Stale seats revoked, role mismatches corrected, next-quarter seat changes captured in a written note (Slack channel, doc, wherever the team tracks these). Manage Team reflects reality for the start of next quarter.

Step-by-step

  1. Open Manage Team. From the side nav, click the Settings entry labeled Manage Team. The page lands as a single workspace with the Current Members table on top (avatar, name, email, role, per-row Remove action), and the Pending Invitations table below (only renders when at least one invite is outstanding).
  2. Walk the member list top-to-bottom. Read each row: name, role, email. The mental model the admin is building is a three-column ledger: people who should be here and have the right role (most of the team), people who should be here but have the wrong role (the audit’s first action), people who should not be here at all (the audit’s second action).
  3. For each role mismatch, flip the role inline. Click the role dropdown on the row. Member and Manager are the two options (Admin is intentionally not on this list; admins are seeded via the org-creator flow and cannot be set from this UI). Pick the right role; the page mirror-writes the change to both Clerk and the Salesforce-dependent downstream surfaces, then full-reloads to make sure the new role takes effect everywhere. The reload is the friction point: do the role changes in one pass and let the reload happen between each.
  4. For each departure, click Remove and confirm the browser prompt. The Remove button is destructive red; the browser prompts “Are you sure you want to remove this team member?” before the call goes through. On confirm the user is removed from both Clerk and Salesforce-dependent surfaces, their seat frees up, and the page reloads. Note: Admins do not show a Remove button because they cannot be modified from this UI; if an admin needs to be removed, the org-creator flow handles that path.
  5. Check the Pending Invitations table. Any invitations older than a couple of weeks are probably stale (the invitee never accepted). Use the per-row Revoke action to clear them; this both tidies the table and frees the seat count. If a pending invite is recent and the person genuinely hasn’t gotten around to accepting, leave it and nudge them in Slack instead.
  6. Cross-reference against the quarter’s hiring list. Pull the HR list and confirm that every new hire from the quarter shows up in the Current Members table. If anyone is missing, run Onboard a new teammate to add them; that play covers the Salesforce permission prerequisite plus the invite flow. The cross-reference is the catch for anyone who got hired but never got added to Katalyst because the admin was on vacation that week.
  7. Adjust the seat count if needed. If the audit cleared 3 seats and the team is not hiring back, message billing to right-size the seat count for next quarter. If the team is growing into the freed seats, leave the count as-is. The seat count itself is not edited from this page (it lives in the billing surface), but this is the right moment to make the call.
  8. Drop a note for next quarter. Slack channel, doc, wherever the team tracks these decisions. Three things the note should capture: which seats were freed, which roles changed, and which seats the admin expects to add next quarter (a rep already in interview pipeline, a CS lead the team is recruiting for, etc.). Future-you running this play in 90 days will be grateful.

Variations

If the team is small (under 10 reps), the audit is closer to 5 minutes and a quarterly cadence is overkill; run this play after any team change instead of on a fixed cadence. If the team is large (50+ reps), break the audit into two passes: a fast scan for departures (the easiest mismatch to spot, and the one with security implications), then a slower role-correctness pass against the org chart. If the rep doing this is a manager rather than an admin, all the same role changes and removals are available (the page allows managers to do everything admins can do EXCEPT touch admin rows), but the seat count step routes through the admin instead.
A dedicated screenshot of the Manage Team page (manage-team.png) with the member table and the Invite Member button visible is pending. When it lands, it should anchor step 1 (the page shell with the member table) and step 3 (the role dropdown on a non-admin row). A future product page at ../product/setup/team-and-permissions is also pending; this play references the surface in prose until that page lands.