User Invite Permission
Introduction
This release focuses on strengthening Unifize’s permission framework by ensuring that only authorized user roles can invite new users into the organization. The update makes permission enforcement consistent across metadata and checklist fields inside a record, thereby providing clearer governance and tighter access control and preventing unintended user invitations.
What this release covers
Users without invite permissions were previously able to invite new email IDs from within a record via:
- The Owner field in the record header
- The Participants field in the record header
- The User field inside a checklist
A new permission, “Allow inviting users from chatroom fields”, has now been introduced and enforced.
This governs inviting users from:
- Owner field
- Chatroom participants/members fields
- Checklist user fields
Only user roles that explicitly have this permission enabled can invite new users.
Before vs After
| Area | Before | After |
| --- | --- | --- |
| Inviting from Owner field | Users without invite permissions were able to invite new users by entering a new email ID. | Only roles with the new “Allow inviting users from chatroom fields” permission can invite. Others can only select existing users. |
| Inviting from Participants field | Unauthorized users could add new participants via email. | Unauthorized users cannot invite; APIs fail and block the invite. |
| Inviting via User checklist field | Users could trigger an invite flow by entering a new email. | Only permitted roles can invite from user fields; others can only search/select existing users. |
Best practices
Assign the invite permission only to roles that genuinely require the ability to bring new users into the org.
Review role configurations for Admin, Org Member, External, and Read-only users to ensure they align with your organization’s governance policies.
Release Limitation
This release improves invite-permission enforcement only for user-invite touchpoints inside a record (Owner field, Participants field, and User checklist fields). All other invite entry points, such as the Contacts page and Admin settings, remain unaffected by this update.
Any records where unauthorized users had already added new users remain unchanged.
Users who lack invite permissions may still see the option to type an email, but the action will fail with an error response.