
Managing Workspace Access

Invite users, configure roles, set up SSO, and remove access from your Curated workspace.

Last updated May 11, 2026

This guide covers everything an admin needs to manage who can use your Curated workspace, what they can do, and how they sign in.

For: workspace admins
Time to read: ~10 minutes

Roles

Curated has three roles. Pick the most restrictive role that still lets the user do their job.

| Role | What they can do |
|---|---|
| Viewer | Open maps, read dashboards, run prompts in read-only mode. Cannot save, export, or modify. |
| Member | Everything Viewer can do, plus: run and save prompts, create maps, pin to dashboards, export. Cannot manage users or connect data sources. |
| Admin | Full workspace access: manage users, roles, data connections, SSO, billing. |

Every workspace must have at least one admin. You can have multiple.

Inviting users

  1. Sign in to your workspace as an admin.
  2. Open Settings → Users from the sidebar.
  3. Click Invite users.
  4. Enter one or more email addresses. Curated supports comma-separated batches.
  5. Assign a role (default: Member).
  6. Click Send invitations.

Invited users receive an email with a sign-up link. Links expire after 7 days; you can re-send from the Users page.

Tip: If your org has SSO set up, you can skip individual invitations and let users self-join via SSO with the role you've configured as the SSO default.

Single sign-on (SSO)

SSO is available on Team and Enterprise plans. We support:

  • SAML 2.0 — Okta, Microsoft Entra ID (formerly Azure AD), OneLogin, Ping, custom IdPs
  • OIDC — Google Workspace, custom OIDC providers

Configuring SAML SSO

  1. Open Settings → Authentication → SAML.
  2. Curated will show your ACS URL and Entity ID. Copy both.
  3. In your IdP, create a new SAML app for Curated:

     • ACS URL: paste from step 2
     • Entity ID: paste from step 2
     • NameID format: EmailAddress
     • Required attributes: email, firstName, lastName

  4. Download the IdP's metadata XML and upload it back to Curated's Authentication page.
  5. Click Test SSO. A new browser tab opens; sign in via your IdP and confirm the redirect succeeds.
  6. Toggle Require SSO for all users if you want to disable email/password sign-in (recommended for production).

Configuring OIDC SSO

The flow is similar to SAML but uses OAuth credentials instead of metadata XML. Settings → Authentication → OIDC walks you through it.

JIT (Just-in-Time) provisioning

Once SSO is configured, you can enable JIT provisioning to auto-create user accounts on first sign-in. Set the default role for new SSO users before turning JIT on — otherwise new users get Member by default.

Removing access

To revoke a user's access:

  1. Settings → Users
  2. Find the user, click the menu, select Remove.
  3. Confirm. The user is signed out of active sessions within ~60 seconds.

The user's work (saved maps, dashboards) is preserved by default. If you also want to delete their content, choose Remove user and transfer content to me from the same menu.

For an offboarding workflow:

  1. Disable the user in your IdP (this prevents future sign-ins immediately).
  2. Remove them from the Curated workspace within 24 hours to free the seat.

Data source access

Even with a role assigned, users only see data sources you've explicitly granted them access to.

  • Workspace-level layers — visible to all members by default.
  • Restricted layers — admins set per-user or per-group access on the layer in Settings → Data sources.
  • User-uploaded files — only visible to the uploader unless explicitly shared.

This means a Member can be safely invited to your workspace without automatically seeing your customer-list shapefile, your sales data layer, or any other sensitive source.

Audit and activity log

Settings → Audit log shows every significant action in your workspace — sign-ins, prompts run, exports, sharing changes, role updates. Filter by user, date range, or action type. Export as CSV for compliance reviews.

The audit log retention is 90 days on Team plans, 365 days on Enterprise.

Billing implications

  • Removing a user frees their seat immediately.
  • Adding a user mid-cycle prorates the additional seat cost on your next invoice.
  • Downgrading a user from Admin to Member or Viewer has no billing impact; all paid seats cost the same.

Common pitfalls

  • Loop sign-in. Usually a SAML attribute mismatch. Confirm email is being passed as NameID in the IdP.
  • "User not found" after SSO succeeds. JIT provisioning is off and no manual invitation exists. Either enable JIT or invite the user first.
  • Admin lockout. If you remove the last admin, contact info@locaitionmatters.com and we'll restore admin access on the account-of-record.
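
To check the two SAML settings this guide calls out (NameID sent as an email address, and the email, firstName and lastName attributes), the added example below inspects the base64 SAMLResponse form field that your IdP posts to the ACS URL during a Test SSO sign-in. It is not Curated's code; the function names, the constructed sample response and the case-sensitive attribute matching are assumptions.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED = ("email", "firstName", "lastName")  # attribute names listed in this guide

def check_assertion(saml_response_b64):
    """Return a list of mapping problems in a base64-encoded SAMLResponse."""
    # Use only on a response captured from your own Test SSO sign-in. This checks
    # attribute mapping; it does not validate signatures, audience or expiry.
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    problems = []
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("NameID missing or empty")
    else:
        if name_id.get("Format") != EMAIL_FORMAT:
            problems.append("NameID Format is %r, expected emailAddress" % name_id.get("Format"))
        if "@" not in name_id.text:
            problems.append("NameID value does not look like an email address")
    sent = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        sent[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    for name in REQUIRED:
        if not sent.get(name):
            # Assumption: names are matched case-sensitively, so "Email" != "email".
            near = [n for n in sent if n and n != name and n.lower() == name.lower()]
            hint = " (IdP sent %r)" % near[0] if near else ""
            problems.append("required attribute %r missing or empty%s" % (name, hint))
    return problems

def build_sample(name_id_format, name_id, attrs):
    """Constructed, unsigned sample response for the demo (not real IdP output)."""
    attr_xml = "".join(
        '<saml:Attribute Name="%s"><saml:AttributeValue>%s</saml:AttributeValue></saml:Attribute>' % kv
        for kv in attrs.items())
    xml = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="%s">'
           '<saml:Assertion><saml:Subject><saml:NameID Format="%s">%s</saml:NameID></saml:Subject>'
           '<saml:AttributeStatement>%s</saml:AttributeStatement></saml:Assertion></samlp:Response>'
           ) % (NS["saml"], name_id_format, name_id, attr_xml)
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    bad = build_sample("urn:oasis:names:tc:SAML:2.0:nameid-format:persistent", "a1b2c3",
                       {"Email": "ana@example.com", "firstName": "Ana"})
    print("\n".join(check_assertion(bad)) or "OK")
```

An empty result means the NameID and the three required attributes are mapped as this guide describes; each listed problem points at an IdP mapping to correct before you turn on Require SSO for all users.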
