Can a workspace Admin be blocked from a specific project?

Yes. Set the project's ACL to exclude workspace Admins explicitly. Useful for client confidentiality agreements.

Does removing a user from an ACL revoke active sessions?

Yes. Active sessions are invalidated within 5 minutes of ACL change.

Are project ACL changes logged?

Yes. Every ACL change is in the workspace audit log with before/after and actor.

Can clients see other clients' projects by accident?

Not if you use Client Viewer role scoped to their project only, the default secure configuration.

Project Access Control, Scope Visibility by Project, Tag and IP

Restrict who can see which projects using per-project ACLs, tag-based access groups, and (on Enterprise) IP allowlists. Useful for agencies handling competing clients in the same workspace.

November 17, 20252 min read

Three layers of access control
Per-project ACL
Access groups
IP allowlists (Enterprise)
Common scenarios
Overview
Step-by-step setup
Advanced tips
Frequently Asked Questions

Three layers of access control

Project access is checked at three layers, in this order. A user must pass all three to see a project.

Workspace membership, are they in the workspace at all?
Project ACL, are they explicitly assigned to this project (or workspace-wide Admin)?
Network policy, IP allowlist or SSO requirement (Enterprise)

Per-project ACL

Open any project > Settings > Access. Add users or groups, set per-project role. Overrides workspace-level role for that project.

Add individual users by email
Add access groups (e.g. 'Acme Client Team')
Per-project role can be more permissive or more restrictive than workspace role
Default for new projects: workspace-wide Admins + Owner only

Access groups

Create reusable groups for teams that work on the same set of projects. Add/remove a person from one group instead of dozens of projects.

Settings > Team > Access Groups > Create
Assign group to multiple projects in one click
Sync from SCIM IdP groups automatically (Enterprise)
Audit log shows group-based access changes separately

IP allowlists (Enterprise)

Block project access from outside trusted IP ranges. Useful for clients with strict compliance requirements (finance, healthcare, gov).

Per-project or per-workspace allowlist
Supports IPv4, IPv6 and CIDR ranges
Bypass list for emergency admin access
Real-time block log with timestamp + attempted IP

Common scenarios

Reference patterns we see most often, copy and adapt.

Agency with competing clients, isolate projects via Access Groups per client team
Compliance-sensitive client, project-level IP allowlist + SSO requirement
External auditor, time-boxed Analyst role on 1 project, auto-revoke after 30 days
Reseller, project handed over to client, transfer Project Owner role + remove agency Admins from ACL

project access control, scope visibility by project, tag and ip | Workexe flow

1
Connect
Verify the domain, connect GSC and GA4 in two clicks.
2
Scan
Site Audit and keyword tracking start automatically.
3
Optimize
Apply recommendations from the content assistant and fix list.
4
Report
Export to PDF/Looker or email clients on a schedule.

Project Access Control, Scope Visibility by Project, Tag and IP

Three layers of access control

Per-project ACL

Access groups

IP allowlists (Enterprise)

Common scenarios

Frequently Asked Questions

Can a workspace Admin be blocked from a specific project?

Does removing a user from an ACL revoke active sessions?

Are project ACL changes logged?

Can clients see other clients' projects by accident?