Adding and Removing Sanity Project Members | OpsBlu Docs

Adding and Removing Sanity Project Members

Step-by-step guide to inviting, managing, and removing Sanity project members with proper security and access control

Managing Sanity project members involves inviting new users, assigning appropriate roles, and securely removing access when needed. This guide covers the complete lifecycle of Sanity user management with security best practices.

Prerequisites

Before managing Sanity project members:

  • Administrator role - Required to invite/remove members
  • Sanity account - Valid Sanity.io account
  • Project access - Access to Sanity project settings
  • Role understanding - Review Sanity Roles and Permissions
  • Approval process - Documented procedure for granting access

Adding New Project Members

Step 1: Prepare New User Information

Collect Required Information:

  • Full name
  • Email address (must have or create Sanity account)
  • Desired role (Administrator, Editor, Developer, Contributor, Viewer; the roles offered depend on your plan)
  • Project(s) to grant access to
  • Manager approval documentation
  • Start date and expected access duration

Verify Prerequisites:

  • User has or will create a Sanity account
  • User has legitimate business need for project access
  • Appropriate role selected (principle of least privilege)
  • Approval obtained from project owner or manager

Step 2: Send Invitation

Via Sanity Manage (manage.sanity.io)

  1. Navigate to Project Settings

  2. Click "Invite Member"

    • Button located in top-right corner
    • Opens invitation modal
  3. Enter User Details

    • Email address - Enter valid email (required)
    • Role - Select from dropdown (the roles offered depend on your plan; custom roles require an Enterprise plan):
      • Administrator
      • Editor
      • Developer
      • Contributor
      • Viewer
    • Datasets - Select which datasets the user can access (where your plan supports dataset-scoped access)
  4. Send Invitation

    • Click Send invitation
    • Sanity sends email with invitation link
    • Invitation expires after 7 days

Invitation Email Contents:

Subject: You've been invited to join [Project Name] on Sanity

You've been invited to join [Project Name] as [Role].

[Accept Invitation Button]

This invitation expires in 7 days.

Invitation Best Practices

  • Document invitation - Log who invited, when, role, and justification
  • Notify user separately - Send context about their role and responsibilities
  • Include onboarding - Share project documentation, schema guides, workflows
  • Set expectations - Explain content modeling, GROQ queries, deployment process

Step 3: User Accepts Invitation

User Actions:

  1. Receive invitation email
  2. Click Accept Invitation button
  3. Create Sanity account or log in to existing account
  4. Accept project invitation
  5. Gain access to Sanity Studio and project datasets

First Login Experience:

  • User can open the project's Sanity Studio (if one is deployed and the role allows editing; Viewers see content read-only)
  • Access to the datasets granted above
  • Role-based permissions are enforced on every API call, not only in the Studio UI
  • Can query content via GROQ/GraphQL within those permissions

Step 4: Configure User Access and Permissions

Administrator Actions (Optional but Recommended):

  1. Verify User Access

    • Navigate to Project members
    • Verify user appears in member list
    • Check:
      • Email correct
      • Role appropriate
      • Dataset access correct
  2. Configure Dataset Access

    • Click user in member list
    • Select datasets user can access
    • Save changes
  3. Set Up API Tokens (only if an integration needs one)

    • Navigate to API → Tokens
    • Developers working in Studio or the CLI authenticate with their own account (sanity login) and normally need no token
    • If an integration genuinely needs a token, create it with the lowest permission that works (for example read-only for a frontend build), name it after its purpose, and record it in the access log
    • Tokens are project-scoped, not tied to the member's account, so removing the member later will not revoke them

New User Onboarding Checklist:

  • Invitation accepted and account created
  • Role verified and appropriate
  • Dataset access configured
  • API token created (if needed)
  • Project documentation reviewed
  • Schema and content types understood
  • GROQ query basics covered
  • Deployment process explained
  • Communication channels added (Slack, email lists)

Managing Existing Project Members

Update User Role

When to Change Roles:

  • Promotion or increased responsibilities
  • Temporary role elevation for specific project
  • Role reduction due to performance or security concerns
  • Transition from Contributor → Editor after trust established

Steps to Change Role:

  1. Navigate to Project members in Sanity Manage
  2. Click on user to modify
  3. Click Edit role
  4. Select new role from dropdown
  5. Click Save
  6. User sees new permissions immediately

Role Change Notifications:

  • Sanity does NOT notify user of role changes
  • Manually notify user via email or Slack
  • Document role change with justification
  • Update access control spreadsheet/documentation

Security Considerations:

  • Elevating role: Ensure proper approval obtained
  • Reducing role: Notify user and document reason
  • Temporary elevation: Set calendar reminder to revert role
  • Review role changes monthly

Update Dataset Access

Steps to Modify Dataset Access:

  1. Go to Project members
  2. Click user
  3. Under Dataset access, select/deselect datasets
  4. Click Save

Best Practices:

  • Grant access only to needed datasets
  • Production dataset: Limit to trusted members
  • Development dataset: More permissive access
  • Regular audits of dataset permissions

Transfer Content Ownership

When to Transfer Content:

  • User leaving organization (assign content to remaining staff)
  • Reorganization or team changes
  • Content cleanup or archival

Note: Sanity doesn't have built-in "content ownership" like some CMSes. Content belongs to the project, not to individual users, and documents carry no "created by" or "updated by" field (the system fields are _id, _type, _createdAt, _updatedAt and _rev). You can still track authorship via:

  1. Author References in Schema (an explicit author field):
// Query content that references a given author document
*[_type == "post" && references($authorId)]
  2. Change History:
// Who changed a document is recorded per transaction in the project's
// document history (the "Review changes" pane in Studio, or the History API),
// not on the document. From GROQ you can only see when it changed:
*[_type == "post" && _updatedAt > $since] | order(_updatedAt desc) { _id, title, _updatedAt }

Removing Project Members

Step 1: Pre-Removal Checklist

Before Removing User:

  • Content reviewed (check for critical documents)
  • User notified of access removal (if appropriate)
  • API tokens revoked (any token the user created or was given; tokens are project-scoped and keep working after the member is removed)
  • Webhooks updated if user-specific
  • Integration credentials changed (if user knew them)
  • Documentation updated (remove from team lists)
  • Access to related tools removed (Vercel, Netlify, etc.)

Export User Data (Optional but Recommended):

  • List of documents created by user
  • GROQ queries saved by user
  • Activity history
  • Roles and permissions snapshot

Step 2: Remove User from Project

Via Sanity Manage

  1. Navigate to Project Members

    • Sanity Manage → Project → Project members
  2. Locate User to Remove

    • Find user in member list
    • Click on user name
  3. Remove Member

    • Click Remove from project button
    • Warning appears: "Are you sure?"
    • Explains consequences:
      • User loses project access immediately
      • Content created by user remains
      • Action cannot be undone easily
    • Click Remove to confirm

Immediate Effects:

  • User cannot access Sanity Studio
  • User cannot query project datasets
  • User removed from project member list
  • All content created by user remains
  • API tokens created by or for the user remain active: they belong to the project, not the member, and must be revoked separately

What is NOT Deleted:

  • Documents created or edited by user
  • Schema changes made by user (these live in the Studio codebase, so review them in version control)
  • Assets uploaded by user
  • Deployment history
  • Activity logs

Step 3: Post-Removal Actions

Verify Removal:

  • Check Project members - user gone
  • Test with removed user account (should show no access)
  • Verify in activity logs

Clean Up:

  1. Revoke API Tokens

    • Navigate to API → Tokens
    • Find tokens created by or for user
    • Click Revoke on each token
    • Confirm revocation
  2. Update Webhooks

    • Navigate to API → Webhooks
    • Remove or update user-specific webhooks
    • Update webhook URLs if needed
  3. Revoke Related Access

    • Remove from hosting platform (Vercel, Netlify)
    • Remove from GitHub repository
    • Remove from deployment pipelines
    • Remove from monitoring tools
    • Revoke access to environment variables

Security Hardening:

  • Change shared credentials they knew
  • Rotate API keys if exposed
  • Review project for unauthorized changes
  • Check for malicious schema modifications
  • Audit recent document changes

Bulk User Management

Bulk Invite (Not Native)

Sanity lacks bulk invite UI. Options:

Option 1: Repeat Invitation Process

  • Manually invite each user via Project members
  • Time-consuming but reliable
  • Recommended for small teams

Option 2: Sanity CLI (Advanced)

# Install Sanity CLI
npm install -g @sanity/cli

# Log in with your own account (must be an Administrator on the project);
# run the commands below from the Studio project directory so the CLI
# knows which project to target
sanity login

# List current members, then invite one user at a time; check
# `sanity users --help` for the options your CLI version supports
sanity users list
sanity users invite dev@example.com --role editor

# Anything beyond this (scripted loops, removals) goes through the
# Management API: https://www.sanity.io/docs/management-api

Option 3: Management API

// Use the Sanity Management API (api.sanity.io), not the dataset/content API
// that @sanity/client talks to. Requires a token with Administrator rights;
// read it from the environment, never hardcode it in the script.
// Endpoint paths below are assumed; confirm them against
// https://www.sanity.io/docs/management-api before relying on them.
const projectId = process.env.SANITY_PROJECT_ID
const token = process.env.SANITY_AUTH_TOKEN

async function manage(method, path, body) {
  const res = await fetch(`https://api.sanity.io/v2021-06-07${path}`, {
    method,
    headers: {Authorization: `Bearer ${token}`, 'Content-Type': 'application/json'},
    body: body === undefined ? undefined : JSON.stringify(body),
  })
  if (!res.ok) throw new Error(`${method} ${path} -> ${res.status}: ${await res.text()}`)
  return res.status === 204 ? null : res.json()
}

async function main() {
  // Current members and their roles
  console.log(await manage('GET', `/projects/${projectId}/users`))
  // Invite one user; loop over a list for bulk invite
  await manage('POST', `/invitations/project/${projectId}`, {email: 'dev@example.com', role: 'editor'})
}
main().catch(err => { console.error(err); process.exit(1) })

Bulk Removal

Manual Approach:

  1. List users to remove
  2. Remove users one-by-one via Sanity Manage
  3. Revoke API tokens for each
  4. Document all removals

API Approach: (Advanced)

  • Use Management API for bulk operations
  • Requires custom implementation
  • Not officially documented for bulk removal

Access Control Best Practices

Regular Audits

Monthly Review:

  • List all project members
  • Verify roles still appropriate
  • Check for inactive accounts
  • Remove former employees still listed
  • Review API token usage

Quarterly Deep Audit:

  • Review all Administrator accounts
  • Verify dataset access permissions
  • Check for anomalous activity in logs
  • Update access documentation
  • Review integration credentials

Annual Compliance:

  • Full member list review with HR
  • Document all access grants/removals
  • Verify against employee roster
  • Archive audit trail
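The monthly and quarterly reviews above can be scripted rather than eyeballed. The following is an added example written for this page (not OpsBlu's or Sanity's code): it takes a member list and an HR roster and returns the findings a reviewer would act on: members not on the roster, roles that drifted from what was approved, more Administrators than policy allows, accounts that never signed in, and stale accounts. The member objects, the roster and the field names (id, email, role, lastSeen) are constructed sample data in an assumed shape; in practice feed it the member list from Sanity Manage, `sanity users list`, or the Management API, and the roster from HR.

```javascript
// Added example (not OpsBlu or Sanity code): scripted member access review.
// Pure and offline; sample data below is CONSTRUCTED in an assumed shape.

// Constructed sample: current project members.
const members = [
  {id: 'u1', email: 'jane@example.com',       role: 'administrator', lastSeen: '2024-06-28'},
  {id: 'u2', email: 'dev@example.com',        role: 'administrator', lastSeen: '2024-06-30'},
  {id: 'u3', email: 'contractor@example.com', role: 'contributor',   lastSeen: '2024-02-01'},
  {id: 'u4', email: 'ci@example.com',         role: 'editor',        lastSeen: null},
  {id: 'u5', email: 'bob@example.com',        role: 'viewer',        lastSeen: '2024-03-01'},
]

// Constructed sample: what HR / the access log says each person is approved for.
const roster = new Map([
  ['jane@example.com', 'administrator'],
  ['dev@example.com', 'editor'],
  ['ci@example.com', 'editor'],
  ['bob@example.com', 'viewer'],
])

const DAY_MS = 24 * 60 * 60 * 1000

// Review policy. The defaults are placeholders; set them from your own standard.
function reviewMembers(members, roster, {maxAdmins = 2, staleDays = 90, today = new Date()} = {}) {
  const findings = []

  // Quarterly check: how many Administrators exist at all
  const admins = members.filter(m => m.role === 'administrator')
  if (admins.length > maxAdmins) {
    findings.push({type: 'too-many-admins', severity: 'high', emails: admins.map(m => m.email)})
  }

  for (const m of members) {
    const email = m.email.trim().toLowerCase()
    const approvedRole = roster.get(email)

    if (approvedRole === undefined) {
      // Not on the roster: remove, then revoke any tokens they created
      findings.push({type: 'not-on-roster', severity: 'high', email, role: m.role})
      continue
    }
    if (approvedRole !== m.role) {
      // Role differs from what was approved: privilege creep or an undocumented change
      findings.push({type: 'role-drift', severity: 'high', email, expected: approvedRole, actual: m.role})
    }
    if (!m.lastSeen) {
      // Accepted the invite but never used it: standing access with no benefit
      findings.push({type: 'no-activity', severity: 'medium', email, role: m.role})
      continue
    }
    const days = Math.floor((today - new Date(m.lastSeen)) / DAY_MS)
    if (days > staleDays) {
      findings.push({type: 'stale', severity: 'medium', email, role: m.role, days})
    }
  }
  return findings
}

// Run the review for a fixed review date so the output is reproducible
console.log(JSON.stringify(reviewMembers(members, roster, {today: new Date('2024-07-01')}), null, 2))
```

Each finding maps onto a row in the access log: `not-on-roster` and `role-drift` should end in a removal or a documented role change, `no-activity` and `stale` in a confirmation from the manager that the access is still needed.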

Documentation Requirements

Maintain Project Access Log:

| Date       | Action      | User Email             | Role          | Dataset Access      | Approved By  | Reason                  | Removed Date |
|------------|-------------|------------------------|---------------|---------------------|--------------|-------------------------|--------------|
| 2024-01-15 | Added       | dev@example.com        | Editor        | production, staging | Jane (Admin) | New hire - content team |              |
| 2024-02-20 | Role Change | dev@example.com        | Administrator | all                 | Jane (Admin) | Promotion to tech lead  |              |
| 2024-06-10 | Removed     | contractor@example.com | Contributor   | staging             | Jane (Admin) | Contract ended          | 2024-06-10   |

Include in Documentation:

  • Who requested access
  • Business justification
  • Approval chain
  • Date granted
  • Initial role and dataset access
  • Any role/access changes with dates
  • Date removed (if applicable)
  • API tokens created

Security Incidents

If User Account Compromised:

  1. Immediate Actions:

    • Remove user from project immediately
    • Revoke all API tokens
    • Review recent activity logs
    • Check for unauthorized content/schema changes
    • Verify no malicious webhooks added
  2. Investigation:

    • Determine scope of compromise
    • Check if API keys exposed
    • Review dataset modifications
    • Verify no data exfiltration
  3. Remediation:

    • Restore any damaged content
    • Rotate all shared credentials
    • Reset project API tokens
    • Notify affected team members
  4. Prevention:

    • Implement stronger access controls
    • Regular security training
    • Audit access quarterly
    • Use principle of least privilege

Sanity Cloud vs Self-Hosted

Sanity Cloud

  • User management via Sanity Manage only
  • No direct database access
  • Roles enforced by Sanity platform
  • SSO available on Enterprise plan
  • Support can assist with access issues

Self-Hosted Studio

  • Only the Studio (the editing UI) can be self-hosted; the Content Lake, user accounts and project membership always live with Sanity.io
  • Project members are still managed in Sanity Manage
  • Users sign in to a self-hosted Studio with their Sanity.io account; roles are enforced by the API, not by where the Studio is served
  • Machine access to the API is controlled via project API tokens
  • Your own applications can sit in front of the API with their own authentication, but every request they make still carries a scoped token

Common Issues

Issue: Invitation Email Not Received

Solutions:

  1. Check spam/junk folder
  2. Verify email address is correct
  3. Resend invitation (remove the pending invite and re-invite)
  4. If a corporate mail gateway is quarantining the message, ask the mail team to allow Sanity's sender; don't work around it by inviting a personal mailbox, since the invited address is the identity you are granting access to
  5. Check with Sanity support

Issue: Cannot Remove Administrator

Solution:

  • Must have at least one Administrator
  • Promote another user to Administrator first
  • Then remove original Administrator

Issue: User Still Has Access After Removal

Solutions:

  • Confirm the member is really gone from Project members (membership of another project, or an organization-level role, may still grant access)
  • Have the user sign out and back in; a cached session can briefly appear to work
  • Revoke API tokens separately: project tokens are not tied to the member and keep working after removal
  • Contact Sanity support if access persists

Issue: Lost Access to Project

Solution:

  • Contact another Administrator
  • Use "Request access" in Sanity Manage
  • Contact Sanity support with proof of ownership

Next Steps