# Access and permission issues

This page covers common access and permission problems, with steps to diagnose and resolve them.

## "Access denied" on login[​](#access-denied-on-login "Direct link to \"Access denied\" on login")

When users cannot log in or receive "Access denied" after entering credentials:

1. **Check account status** - verify the user account is active (not deactivated) in the Users list
2. **Check workspace membership** - the user must be a participant in the workspace they are trying to access
3. **Clear browser cookies** - stale session cookies can cause repeated login failures. Ask the user to clear cookies for the Comind.work domain and try again
4. **Check SSO configuration** - if using Single Sign-On, verify the SSO provider is correctly configured and the user's identity maps to their Comind.work account
5. **Check for multiple login attempts** - some configurations may temporarily lock accounts after repeated failed attempts

## User cannot see certain records[​](#user-cannot-see-certain-records "Direct link to User cannot see certain records")

When a user reports they cannot see records that others can see:

1. **Check record permissions** - open the record and review the Permissions field. It may be set to "Limited" with specific users/groups
2. **Check group membership** - verify the user belongs to the correct groups. Navigate to the Groups app in the workspace to review membership
3. **Check app-level permissions** - some apps restrict visibility based on group membership. Review app permissions in workspace admin settings
4. **Check field-level permissions** - individual fields may be hidden from certain groups. A user might see the record but not all of its fields

## User cannot edit or perform actions[​](#user-cannot-edit-or-perform-actions "Direct link to User cannot edit or perform actions")

When a user can view records but cannot edit fields or perform actions:

1. **Check action preconditions** - some actions (like "Reopen" or "Close") require the user to be in a specific group (e.g., Supervisors)
2. **Check field editability** - fields can be configured as read-only for certain groups
3. **Check record state** - some fields become read-only in certain states (e.g., closed records may not be editable)

## New user cannot access the system[​](#new-user-cannot-access-the-system "Direct link to New user cannot access the system")

When a newly invited user reports problems:

1. **Check invitation email** - verify the user received and followed the invitation link
2. **Check account activation** - the user must complete account activation (set password or connect SSO)
3. **Verify workspace membership** - confirm the user was added as a participant to the correct workspace(s)
4. **Check group assignment** - new users may need to be added to specific groups to see apps and records

## Related[​](#related "Direct link to Related")

* [Permissions matrix](/admin-guide/workspace-admin/permissions-matrix.md) - complete reference of permission levels and common access patterns
* [Manage groups and permissions](/admin-guide/workspace-admin/manage-groups-permissions.md) - how to configure per-app, per-record, and per-field permissions
* [ACL evaluation order](/admin-guide/system-admin/acl-evaluation-order.md) - how the four access control layers are evaluated and interact