Who should have what access?
There are 4 options: Administrator, General user, Guest and Restricted user.
Administrators: Admins are always the boss! They need the ability to see and change anything. They can configure the site, easily delete content, control access and more. Admins can also be any high level manager allowed to see everything. Only an Admin can invite new people to the site or remove people from the site.
General users: General Users are those you consider your staff or core team. If you make something in the site read only or read+write, these "General users" are the people who have that access. They can't see private pages unless given explicit permission, so they don't see everything. Most of all, other than the Administrators, "General users" are the only other level that can create pages. There is also an Admin setting under People settings> Default access to prevent users from adding pages and/or to prevent users from deleting the pages they own.
Guests: If you wanted to show your site to someone you trust, you can invite him or her as a "Guest". "Guests" can never see private content because there is no way to give a guest access to a specific workspace. So a "Guest" only sees what is read-only or read+write. A Guest can also never write on a page so they only see but not add. A guest also does not get email alerts for new content.
Restricted users: "Restricted users" are perfect for consultants, contractors, external team members and anyone else that doesn't need to create any new workspaces and should only access the one (or many) workspace(s) you assign.
Teams: All Administrators, General users and Restricted users can be added to teams and those teams can then be given access to workspaces. As a site is built, focus on what teams can see which workspaces. As team members change teams because of new roles and responsibilities, their access in the system will shift as well.
Pending Invitations: If you invite a team member into the site, until he or she accepts, you will give the email address access to the workspaces. Once the person accepts, their email address will be switched out for the person's name.
Sample scenario: You are sharing employee procedures which need to be seen by the whole company, except a few contractors. Meanwhile, an individual contractor and an executive use one specific project workspace to collaborate. Make the contractor a restricted user who only sees what you explicitly give access. Your staff are users who see anything not private (unless they are granted access), and you are the Admin who can see everything, anywhere. Everyone is happy! The end.
When selecting levels, here's what you will see:
During the invitation process you can select access levels - The "Site access level" options under step 2 are:
(can view and change everything on this site including private content and settings through the Admin tab)
(can add new pages and info, and can view all non-private pages - needs to be given read and/or write access to private pages)
(can view any non-private pages, but can’t add information)
(can’t see anything in this site by default and can’t add pages - needs to be given read and/or write access to each page)