Folder access control — who can see what inside the workspace

By default, every member of your org can see every file in the workspace. For folders that should be more restricted (HR documents, founder-only contracts, finance close binders), you can lock a folder down to a specific set of members.

To restrict a folder:
1. Click the folder in the tree to navigate into it.
2. Click "Folder access" in the toolbar above the grid (or right-click → "Access…").
3. By default the folder shows "Inherits from parent" — click "Restrict to specific members" and pick the members who should have access. You'll always be in the list — the system won't let you lock yourself out.
4. Save.

What "restricted" means:
• Members not in the list don't see the folder in the tree, the file rows in search results, or the files when Wally is looking up something for them.
• Restrictions cascade to everything inside — sub-folders and files inherit the parent's effective access list automatically. (You can further narrow a sub-folder, but you can't widen it past what its parent allows.)
• Org owners and admins see all folders regardless of ACL — restrict-from-admin is not supported by design (admins are responsible for the data).

To loosen a folder back to "everyone in the org":
Open Folder access and switch back to "Inherits from parent". The folder and everything in it will be visible to all org members again.

Cascade timing:
When you change a folder's ACL, a Cloud Function fans the new effective list down the tree. For most folders this completes in seconds. Very large trees (thousands of files) may take up to a minute — refresh the page to see the updated state.

Common patterns we see:
• "HR" folder restricted to founders + HR lead.
• "Founder-only" restricted to org owners.
• "Finance" restricted to the controller + bookkeeper.
• "Legal" restricted to founder + outside counsel (if they're an org member).
• Brand assets, vendor invoices, project docs — left at default (everyone) so the team can find them.

Tip:
If you want to share a single restricted file with someone who normally doesn't have access, use a public share link (see "Sharing a workspace file with someone outside your org") instead of widening the folder ACL.