Skip to content

Member and access controls

What each built-in role can do, where custom roles live, and what the All Photos vs Own only scopes mean.


You want to understand or audit the team’s permission model before changing it. This is the conceptual reference for Settings → Members & Access. To actually edit a role or change a member’s role, follow the linked how-tos.

Role
Team Owner, Team Admin (to change); any member (to view)
Surface
App and Web
Plan
Free · Business

Every role in Teamspace is built from toggles in three categories:

CategoryPermissionsScope values
PHOTOSDelete photos / Move photos / View photos / Download PhotosAll Photos / Own only / Deny
PROJECTSCreate Project / Edit Project / Delete Project / Manage project accessOn / Off
TEAMInvite people to team / Remove people from teamOn / Off
RoleDescription (in the UI)Editable?
Team OwnerComplete control over TeamspaceNo. Permissions are locked, and there is exactly one Owner per team.
AdminManage projects and settingsYes. Can be customized per team.
MemberTake and view photosYes. Can be customized per team. By default, Members have “Own only” for Delete and Move, and “All Photos” for View and Download.

Roles are not a fixed list. You can add custom roles in Members & Access → Custom Roles → + Add Role with any combination of toggles.

For each PHOTOS permission, you choose what set of photos it applies to:

  • All Photos is every photo in the team, no matter who captured it.
  • Own only is just the photos this member personally captured.

The intent of “Own only” for Delete and Move on the default Member role is to prevent crew members from accidentally changing each other’s captures, while still letting them View and Download the full team library for context.

Want toRead this
Change which role someone hasManage permissions
Change what a role can doCustomize a member role
Add a brand-new roleCustomize a member role, “Create a custom role” section
Restrict a single projectManage project access
Remove someone from the teamRemove a team member

Some features that “access control” can imply on other tools are not in Timemark Teamspace today:

  • IP allow-lists: no IP-based restriction.
  • Device pinning: no per-device approval.
  • SAML / SSO: listed as an Enterprise feature, coming soon.
  • Mandatory 2FA: not a team-level toggle. Members manage 2FA on their own login.

If you need any of these, contact support to discuss the Enterprise track.

Last updated: