Managing DatoCMS project members involves inviting new users, assigning appropriate roles, and securely removing access when needed. This guide covers the complete lifecycle of DatoCMS user management with security best practices.
Prerequisites
Before managing DatoCMS project members:
- Owner or Admin role - Required to invite/remove members
- DatoCMS account - Valid account at datocms.com
- Project access - Access to project settings
- Role understanding - Review DatoCMS Roles and Permissions
- Approval process - Documented procedure for granting access
Adding New Project Members
Step 1: Prepare New User Information
Collect Required Information:
- Full name
- Email address (must have or create DatoCMS account)
- Desired role (Admin, Editor, SEO Editor, Translator, Read-only)
- Environment(s) to grant access to
- Manager approval documentation
- Start date and expected access duration
Verify Prerequisites:
- User has or will create a DatoCMS account
- User has legitimate business need for project access
- Appropriate role selected (principle of least privilege)
- Approval obtained from project owner or manager
Step 2: Send Invitation
Via DatoCMS Dashboard
Navigate to Project Settings
- Log in to datocms.com
- Select your project
- Click Settings in the left sidebar
- Click Collaborators or Team
Click "Add collaborator"
- Button located in top-right corner
- Opens invitation modal
Enter User Details
- Email address - Enter valid email (required)
- Role - Select from dropdown:
  - Admin
  - Editor
  - SEO Editor
  - Translator
  - Read-only
- Environments - Select which environments user can access
  - Primary environment
  - Sandbox environments
Send Invitation
- Click Send invitation
- DatoCMS sends email with invitation link
- Invitation expires after 7 days
Invitation Email Contents:
Subject: You've been invited to join [Project Name] on DatoCMS
You've been invited to join [Project Name] as [Role].
[Accept Invitation Button]
This invitation expires in 7 days.
Invitation Best Practices
- Document invitation - Log who invited, when, role, and justification
- Notify user separately - Send context about their role and responsibilities
- Include onboarding - Share project documentation, content model guides, workflows
- Set expectations - Explain content structure, modular blocks, publishing process
Step 3: User Accepts Invitation
User Actions:
- Receive invitation email
- Click Accept Invitation button
- Create DatoCMS account or log in to existing account
- Accept project invitation
- Gain access to project and assigned environments
First Login Experience:
- User sees DatoCMS project dashboard
- Access to assigned environments
- Role-based permissions applied
- Can create/edit content based on role
Step 4: Configure User Access and Permissions
Administrator Actions (Optional but Recommended):
Verify User Access
- Navigate to Settings → Collaborators
- Verify user appears in collaborator list
- Check:
  - Email correct
  - Role appropriate
  - Environment access correct
Configure Environment Access
- Click user in collaborator list
- Select environments user can access
- Save changes
Set Up API Tokens (if needed)
- Navigate to Settings → API Tokens
- Create token for user if needed for development
- Assign appropriate permissions
- Set environment scope
New User Onboarding Checklist:
- Invitation accepted and account created
- Role verified and appropriate
- Environment access configured
- API token created (if needed)
- Project documentation reviewed
- Content model and structure understood
- Modular blocks and components covered
- Publishing workflow explained
- Communication channels added (Slack, email lists)
Managing Existing Project Members
Update User Role
When to Change Roles:
- Promotion or increased responsibilities
- Temporary role elevation for specific project
- Role reduction due to performance or security concerns
- Transition from Read-only → Editor after trust established
Steps to Change Role:
- Navigate to Settings → Collaborators
- Click on user to modify
- Click Edit or gear icon
- Select new role from dropdown
- Click Save
- User sees new permissions immediately
Role Change Notifications:
- DatoCMS may or may not notify user of role changes
- Manually notify user via email or Slack
- Document role change with justification
- Update access control spreadsheet/documentation
Security Considerations:
- Elevating role: Ensure proper approval obtained
- Reducing role: Notify user and document reason
- Temporary elevation: Set calendar reminder to revert role
- Review role changes monthly
Update Environment Access
Steps to Modify Environment Access:
- Go to Settings → Collaborators
- Click user
- Under Environment access, select/deselect environments
- Click Save
Best Practices:
- Grant access only to needed environments
- Primary environment: Limit to trusted members
- Sandbox environments: More permissive access
- Regular audits of environment permissions
Transfer Content Ownership
When to Transfer Content:
- User leaving organization (assign content to remaining staff)
- Reorganization or team changes
- Content cleanup or archival
Steps:
- Identify content created by user
- Update author/owner fields in records
- Reassign scheduled publications
- Update workflow approvals
Removing Project Members
Step 1: Pre-Removal Checklist
Before Removing User:
- Content reviewed (check for critical records)
- User notified of access removal (if appropriate)
- API tokens revoked (if user had tokens)
- Webhooks updated if user-specific
- Integration credentials changed (if user knew them)
- Documentation updated (remove from team lists)
- Access to related tools removed (Vercel, Netlify, etc.)
Export User Data (Optional but Recommended):
- List of content created by user
- Activity history
- Roles and permissions snapshot
Step 2: Remove User from Project
Via DatoCMS Dashboard
Navigate to Collaborators
- Settings → Collaborators
Locate User to Remove
- Find user in collaborator list
- Click on user name or gear icon
Remove Collaborator
- Click Remove collaborator button
- Warning appears: "Are you sure?"
- Explains consequences:
  - User loses project access immediately
  - Content created by user remains
  - Action cannot be undone easily
- Click Remove to confirm
Immediate Effects:
- User cannot access DatoCMS project
- User cannot edit content
- User removed from collaborator list
- All content created by user remains
- API tokens created by user remain active (must revoke separately)
What is NOT Deleted:
- Records created or edited by user
- Content model changes made by user
- Assets uploaded by user
- Activity logs
Step 3: Post-Removal Actions
Verify Removal:
- Check Collaborators - user gone
- Test with removed user account (should show no access)
- Verify in activity logs
Clean Up:
Revoke API Tokens
- Navigate to Settings → API Tokens
- Find tokens created by or for user
- Click Delete on each token
- Confirm revocation
Update Webhooks
- Navigate to Settings → Webhooks
- Remove or update user-specific webhooks
- Update webhook URLs if needed
Revoke Related Access
- Remove from hosting platform (Vercel, Netlify)
- Remove from GitHub repository
- Remove from deployment pipelines
- Remove from monitoring tools
- Revoke access to environment variables
Security Hardening:
- Change shared credentials they knew
- Rotate API keys if exposed
- Review project for unauthorized changes
- Check for malicious content model modifications
- Audit recent record changes
Access Control Best Practices
Regular Audits
Monthly Review:
- List all project collaborators
- Verify roles still appropriate
- Check for inactive accounts
- Remove former employees still listed
- Review API token usage
Quarterly Deep Audit:
- Review all Admin accounts
- Verify environment access permissions
- Check for anomalous activity in logs
- Update access documentation
- Review integration credentials
Annual Compliance:
- Full collaborator list review with HR
- Document all access grants/removals
- Verify against employee roster
- Archive audit trail
Documentation Requirements
Maintain Project Access Log:
| Date | Action | User Email | Role | Environment Access | Approved By | Reason | Removed Date |
|---|---|---|---|---|---|---|---|
| 2024-01-15 | Added | editor@example.com | Editor | Primary, Staging | Jane (Admin) | New hire - content team | |
| 2024-02-20 | Role Change | editor@example.com | Admin | All | Jane (Admin) | Promotion to content lead | |
| 2024-06-10 | Removed | contractor@example.com | Read-only | Staging | Jane (Admin) | Contract ended | 2024-06-10 |
Include in Documentation:
- Who requested access
- Business justification
- Approval chain
- Date granted
- Initial role and environment access
- Any role/access changes with dates
- Date removed (if applicable)
- API tokens created
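The audit steps and the access log above can be cross-checked mechanically. The following is an added example, not DatoCMS code and not part of the original guide: it replays the log table and compares the result with a collaborator list and an employee roster. `COLLABORATORS`, `ROSTER` and all function names are constructed for illustration.

```python
# Constructed inputs: ACCESS_LOG reuses the table layout shown above; COLLABORATORS
# (copied by hand from Settings -> Collaborators) and ROSTER (HR) are hypothetical.
ACCESS_LOG = """\
| Date | Action | User Email | Role | Environment Access | Approved By | Reason | Removed Date |
|---|---|---|---|---|---|---|---|
| 2024-01-15 | Added | editor@example.com | Editor | Primary, Staging | Jane (Admin) | New hire - content team | |
| 2024-02-20 | Role Change | editor@example.com | Admin | All | Jane (Admin) | Promotion to content lead | |
| 2024-06-10 | Removed | contractor@example.com | Read-only | Staging | Jane (Admin) | Contract ended | 2024-06-10 |
"""
COLLABORATORS = {"editor@example.com": "Editor", "contractor@example.com": "Read-only",
                 "intern@example.com": "Admin"}
ROSTER = {"editor@example.com", "intern@example.com"}


def parse_log(text):
    """Parse the table into one dict per entry; the |---| separator row is skipped."""
    rows = [[c.strip() for c in line.strip()[1:-1].split("|")]
            for line in text.splitlines() if line.strip().startswith("|")]
    return [dict(zip(rows[0], r)) for r in rows[1:] if not set(r[0]) <= set("-:")]


def expected_state(entries):
    """Replay entries in date order: email -> role that should be held now."""
    state = {}
    for e in sorted(entries, key=lambda e: e["Date"]):
        if e["Action"] == "Removed":
            state.pop(e["User Email"], None)
        else:  # "Added" or "Role Change"
            state[e["User Email"]] = e["Role"]
    return state


def audit(log_text, collaborators, roster):
    """Return (email, finding) pairs where the project and the records disagree."""
    expected = expected_state(parse_log(log_text))
    findings = []
    for email, role in sorted(collaborators.items()):
        if email not in roster:
            findings.append((email, "not on employee roster"))
        if email not in expected:
            findings.append((email, "no active grant in access log"))
        elif expected[email] != role:
            findings.append((email, f"role is {role}, log says {expected[email]}"))
    for email in sorted(set(expected) - set(collaborators)):
        findings.append((email, "active in log but not a collaborator"))
    return findings

if __name__ == "__main__":
    print(*audit(ACCESS_LOG, COLLABORATORS, ROSTER), sep="\n")
```

Each finding should be closed either by removing or changing the collaborator, or by adding the missing log entry with its approval.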
Common Issues
Issue: Invitation Email Not Received
Solutions:
- Check spam/junk folder
- Verify email address is correct
- Resend invitation (remove and re-invite)
- Try different email provider (Gmail, Outlook)
- Contact DatoCMS support
Issue: Cannot Remove Admin
Solution:
- Must have at least one Admin
- Promote another user to Admin first
- Then remove original Admin
Issue: User Still Has Access After Removal
Solutions:
- Clear browser cache and cookies
- Wait 5-10 minutes for changes to propagate
- Revoke API tokens separately
- Contact DatoCMS support if persists
Issue: Lost Access to Project
Solution:
- Contact another Admin
- Use "Request access" if available
- Contact DatoCMS support with proof of ownership
Next Steps
- DatoCMS Roles and Permissions - Understand permission levels
- DatoCMS Integrations - Configure tracking and tools