Setting Up Contractor Access: Security Without Friction

The complete guide to role-based access for external collaborators

Read Time: 18 minutes

§Introduction: The Contractor Security Paradox#

Every growing game studio faces the same paradox: you need external help to ship, but external people are a security risk.

Contractors need access to design docs to do their jobs. But you don't want them seeing:

• —Unannounced features that could leak
• —Revenue projections and business strategy
• —Other clients' projects (if you're an agency)
• —Internal discussions and HR documents
• —Competitive analysis and market positioning

The traditional approach? Either over-share (risky) or under-share (unproductive). Studios either give contractors full access and hope for the best, or they spend hours manually curating what to share.

Gameframe's role-based access control (RBAC) solves this. Contractors see exactly what they need—nothing more, nothing less. And it takes 5 minutes to set up.

§Part 1: Understanding Role-Based Access Control#

The Three-Layer Model#

Gameframe's access control has three layers:

Layer 1: Roles

What can someone DO? (View, edit, comment, admin, etc.)

Layer 2: Tags

What DOCUMENTS are relevant? (Character art, level design, balance, etc.)

Layer 3: Visibility Rules

Which TAGS can each ROLE see?

These combine: A "Contractor" role with visibility to "character-art" tag can view and potentially edit any document tagged "character-art" but literally cannot see documents tagged "internal-only."

How It Differs From Other Tools#

Notion/Google Docs approach:

• —Share individual documents or folders
• —Each contractor needs manual sharing
• —Easy to forget and over-share
• —No automatic expiration

Gameframe approach:

• —Define visibility rules ONCE per role
• —New documents auto-inherit the right visibility
• —Expiration dates remove access automatically
• —Contractors don't see "Access Denied"—they just see their workspace

The "Clean Workspace" Philosophy#

When a contractor logs in, they see:

• —A sidebar with relevant sections only
• —Documents they can access
• —Search that only returns accessible docs
• —Version history for documents they can see

What they don't see: Any hint of what they can't access. No "Access Denied" messages. No grayed-out folders. No "you don't have permission" popups.

From their perspective, the vault contains exactly what they need. Nothing more.

§Part 2: Setting Up Roles#

Step 1: Create the Contractor Role#

If you haven't already created a contractor role:

1. 1.Open your vault
2. 2.Go to Settings → Roles
3. 3.Click Create Role
4. 4.Configure the role:

Name: "Contractor" (or "External", "Partner", etc.)

Permissions:

Step 2: Configure Visibility Rules#

With the role created, set what tags this role can see:

1. 1.In the role settings, find "Visible Tags"
2. 2.Add the tags contractors should see
3. 3.Save

Example for a character artist contractor:

• —✅ "character-art"
• —✅ "art-reference"
• —✅ "contractor-onboarding"
• —❌ "internal" (not added, so invisible)
• —❌ "roadmap" (not added, so invisible)

Built-In Roles#

Gameframe provides starter roles you can customize:

• —Admin - Full access to everything
• —Editor - Can edit but not manage
• —Viewer - Read-only access
• —Contractor - Limited scope, time-bound

You can modify these or create your own.

§Part 3: Organizing Documents with Tags#

The Tag System#

Tags are how you organize documents for visibility. Think of them as labels that determine who sees what.

Good tagging strategy:

Tagging Best Practices#

1. Tag when you create

Get in the habit: create document → immediately add relevant tags.

2. Use multiple tags

A character spec might be tagged: "character-art" + "external-safe" + "project-x"

3. Create contractor bundles

Before a contractor starts, create their visibility:

• —"contractor-sarah-art" for Sarah's project
• —"contractor-mike-audio" for Mike's audio work

4. Audit regularly

Monthly, check: which docs have sensitive tags? Are any missing tags?

Mass Tagging#

For efficiency, you can tag multiple documents at once:

1. 1.Go to Documents view
2. 2.Select multiple documents (checkboxes)
3. 3.Click Bulk Actions → Add Tags
4. 4.Apply tags to all selected

Great for preparing a contractor's workspace quickly.

§Part 4: Inviting Contractors#

Step-by-Step: Sending an Invite#

1. 1.Go to Team → Invite Member
2. 2.Enter the contractor's email address
3. 3.Select their Role (e.g., "Contractor" or a custom role)
4. 4.Set an expiration date (critical!)
5. 5.Add a welcome message (optional but nice)
6. 6.Click Send Invite

The invite email includes:

• —Link to accept the invitation
• —Your vault name
• —The welcome message you wrote

Setting Expiration Dates#

Always set an expiration date. Even if you're not sure when the contract ends.

Why?

• —You'll forget to remove access manually
• —Contracts get extended — you can extend the date too
• —Peace of mind — access won't linger forever

Recommended settings:

• —Fixed contract: Contract end date + 1 week
• —Open-ended: 3 months (review and extend)
• —One-time task: Task completion date + 3 days

What Happens at Expiration#

On the expiration date at midnight (vault timezone):

1. 1.Contractor's session is terminated
2. 2.Their access is revoked
3. 3.They receive an email notification
4. 4.They can no longer see any documents

You'll receive a notification: "Sarah Chen's access to Project X expired."

Extending Access#

Need to extend?

1. 1.Go to Team → Members
2. 2.Find the contractor
3. 3.Click Edit → Extend Access
4. 4.Set new expiration date
5. 5.Save

They're notified of the extension.

§Part 5: What Contractors Experience#

Their First Login#

When a contractor accepts your invite and logs in:

1. 1.Clean onboarding: They see a welcome screen, not overwhelming options
2. 2.Focused sidebar: Only sections relevant to their tags
3. 3.Their documents: Only docs tagged for their visibility
4. 4.Clear context: They know they're contractors (role badge visible)

Day-to-Day Experience#

Search: They can search, but results only include accessible docs.

Navigation: The sidebar shows only sections with docs they can see.

Version history: They see history for docs they can access.

Team visibility: They see other team members who have overlapping document access (not your full team).

What They Don't Experience#

• —"Access Denied" messages
• —Grayed-out or locked documents
• —Hints about docs they can't see
• —Your full team roster
• —Admin or settings sections

From their perspective, the vault is perfectly sized for their work.

§Part 6: Real-World Scenarios#

Scenario 1: Character Artist (3-Week Contract)#

Context: You're hiring Mei Lin to create character concepts for 3 weeks.

Setup:

1. 1.Create tags:

- "character-concepts"

- "art-style-guide"

- "contractor-mei"

1. 1.Tag documents:

- Art style guide → "art-style-guide"

- Character briefs → "character-concepts"

- Reference folder → "art-style-guide"

1. 1.Configure visibility:

- Create or use "Art Contractor" role

- Visible tags: "character-concepts", "art-style-guide", "contractor-mei", "contractor-onboarding"

1. 1.Invite:

- Email: mei.lin@freelance.com

- Role: Art Contractor

- Expiration: 3 weeks + 2 days

What Mei sees:

• —Art style guide
• —Character briefs for her project
• —Onboarding docs
• —Nothing about gameplay, story, or business

Scenario 2: External QA Team (Ongoing)#

Context: You have an external QA partner testing builds weekly.

Setup:

1. 1.Create role: "QA Contractor"

- Can view: ✅

- Can edit: ❌ (they report bugs, don't change docs)

- Can comment: ✅

- Can export: ❌

1. 1.Create tags:

- "qa-relevant"

- "known-issues"

- "test-plans"

1. 1.Tag documents:

- Test plans → "qa-relevant", "test-plans"

- Known issues list → "qa-relevant", "known-issues"

- Release notes → "qa-relevant"

1. 1.Invite QA team:

- Multiple invites, all with "QA Contractor" role

- Expiration: Quarterly (review and extend)

Scenario 3: Publisher Review (Milestone Access)#

Context: Publisher needs to review milestone docs temporarily.

Setup:

1. 1.Create role: "Publisher Viewer"

- Can view: ✅

- Everything else: ❌

1. 1.Create tag: "milestone-3-review"

1. 1.Tag milestone docs:

- All docs needed for review get "milestone-3-review" tag

1. 1.Invite publisher contacts:

- Expiration: Review deadline + 1 week

After milestone: Access expires automatically. No cleanup needed.

§Part 7: Security Best Practices#

1. Principle of Least Privilege#

Give contractors the minimum access needed for their job. When in doubt, leave a tag out. They can ask for more if needed.

2. Always Use Expiration#

Even for ongoing contractors. Set a date, then extend. This forces periodic review.

3. Pre-Flight Check#

Before sending invites:

1. 1.Search for the tags they'll see
2. 2.Review every document that appears
3. 3.Look for accidentally tagged sensitive docs

4. Separate Tags for Each Contractor#

Instead of one "contractor" tag, use:

• —"contractor-mei-art"
• —"contractor-john-audio"
• —"contractor-qateam"

This way, contractors don't see each other's project docs.

5. Keep NDAs External#

Gameframe tracks what contractors access, but legal protection still matters. Ensure NDAs are signed before sending invites.

6. Review Activity Logs#

Periodically check what contractors accessed:

1. 1.Go to Activity Log
2. 2.Filter by contractor
3. 3.Review document views and downloads

§Part 8: Managing Access Over Time#

Revoking Access Early#

Project ended? Contractor issue?

1. 1.Go to Team → Members
2. 2.Find the contractor
3. 3.Click Revoke Access or Remove
4. 4.Confirm

Access is terminated immediately. Their active sessions are ended.

Extending Access#

Need more time?

1. 1.Find the contractor in Team
2. 2.Click Extend Access
3. 3.Set new expiration date

They're notified and can continue working.

Changing Roles#

Contractor promoted to editor?

1. 1.Find them in Team
2. 2.Click Edit
3. 3.Change role
4. 4.Adjust tags if needed
5. 5.Save

Changes take effect immediately.

Audit Trail#

For every contractor, Gameframe logs:

• —When they were added
• —What role they were given
• —What documents they viewed
• —What edits they made (if permitted)
• —When they were removed

This is available in Activity Log → Filter by user.

§Part 9: Common Questions#

Q: What if a contractor needs access to a new document?

A: Tag the document with their visible tags. They'll see it immediately.

Q: Can contractors see who else is on the team?

A: Only team members who share document access with them.

Q: Can I have different expiration dates for different tags?

A: Not currently. Set the earliest date and extend if needed.

Q: What if a contractor creates a document?

A: New docs inherit tags based on the folder or parent. You can adjust after.

Q: Can contractors invite other people?

A: No. Invite permissions are admin-only.

Q: What happens to their edits after access expires?

A: Their edits remain. Version history shows who made each change.

Q: Can I temporarily disable access without deleting?

A: Yes. Use Suspend instead of Remove. They can be reactivated.

§Part 10: Quick Reference#

Setup Checklist#

• —[ ] Create contractor role(s)
• —[ ] Configure role permissions
• —[ ] Set up visibility rules (which tags role can see)
• —[ ] Create contractor-specific tags
• —[ ] Tag relevant documents
• —[ ] Pre-flight check: search tags, review results
• —[ ] Send invite with expiration date
• —[ ] Document their access (for your reference)

Key Actions#

§Summary#

Gameframe's contractor access system gives you:

• —Clean separation — Contractors see only what they need
• —Automatic expiration — Access ends when contracts end
• —Full audit trail — Know exactly what was accessed
• —No friction — Contractors get a focused, professional workspace

Your contractors become productive immediately. Your sensitive information stays private. And you don't spend hours managing permissions.

That's security without friction.

Continue learning:

• —Contractor Onboarding Guide - Get contractors productive in hours, not days
• —Version Control 101 - Understand how document versioning works
• —Branching Like a Pro - Create safe spaces for contractor experiments

Ready to manage contractor access? Start your free trial and set up role-based permissions today.