BlogPricing
Clear Ideas Platform
Secure collaboration, real-time analytics, and enterprise-grade security for external stakeholders
External Collaboration & Sharing
Secure document sharing, permissions, notifications, and in-app viewing
Analytics & Insights
Real-time analytics, user journey mapping, and comprehensive reporting
Security & Compliance
Enterprise-grade security with encryption, watermarking, and audit trails
Feature Comparison
See how Clear Ideas compares to traditional VDRs and file sharing services
AI Features
AI Chat Grounded in Your Documents, Workflows, Builder, and Enhanced Search powered by leading AI models
Clear Ideas™ AI Platform
Do more with your private data with Clear Ideas' AI features.
AI Chat
Powered by industry-leading AI Models, Clear Ideas allows you to have interactive conversations with your documents.
AI Workflows
Re-imagine knowledge work and put creativity on autopilot.
AI Workflow Builder
Upload a finished document and turn it into a repeatable workflow automatically.
AI Workflow Designer
Describe what you need in plain language and AI designs the workflow for you.
AI Enhanced Search
Transform how you find information with advanced AI-powered search capabilities that understand context and meaning.
Automation & Integration
Extend capabilities with Public AI Chat, scheduled content automation, and desktop sync
Public AI Chat
Add an AI-powered chat interface for your website for lead generation and 24/7 visitor support
Content Automation
Automatically import and monitor content from external websites with scheduled imports
Desktop Sync App
Seamless two-way synchronization between your desktop and Clear Ideas cloud
Solutions
Solutions Overview
Due Diligence & Deal Rooms
Client Portals & File Exchange
Board & Investor Reporting
Audit & Compliance
AI Workflow Automation
by Industry
Mergers & Acquisitions
Financial Services
Legal & Professional Services
Manufacturing
Not for Profit Organizations
Board Management & Governance
Real Estate
Property Management
Investment Management & Capital Markets
Resources
Site Templates
Book a Demo
Support Center
Announcements
Changelog
About Clear Ideas
Security & Trust
LoginStart Free

VDR Permission Management: A Step-by-Step Guide

Step-by-step guide to setting up and managing permissions in a virtual data room for secure document access control.

Updated on March 18, 202620 min read

Permission management is the heart of virtual data room security. The ability to control exactly who can view, download, or modify each document is what separates a VDR from ordinary file sharing. Get permissions right, and your confidential information stays protected. Get them wrong, and you've created security gaps that can derail transactions and expose your organization to risk.

This guide walks through permission management in Clear Ideas step by step—from understanding the permission model to implementing common scenarios to handling complex multi-party situations.

Understanding the Clear Ideas Permission Model

Clear Ideas uses role-based access control (RBAC), where each user is assigned a permission level that determines what they can do across the entire site. This approach balances security with simplicity—you don't need to configure permissions document by document.

Permission Levels Explained

Clear Ideas offers five permission levels, each building on the previous one:

Permission Level View Download Upload Organize Manage Users & Settings
Viewer Yes No No No No
Downloader Yes Yes No No No
Uploader Yes Yes Yes No No
Editor Yes Yes Yes Yes No
Admin Yes Yes Yes Yes Yes

Let's examine each level in detail.

Viewer

Viewers can browse all content in the data room and read documents through the built-in viewer, but they cannot download files to their local device. This level works well for early-stage due diligence when you want to limit distribution, or for preliminary disclosure before definitive agreements are signed. It's also useful when you need to demonstrate that certain information exists without allowing copies to be made.

The important limitation to understand is that view-only access doesn't prevent all forms of copying. While the Clear Ideas application prevents downloads and restricts common copying methods, a determined user could still take screenshots or even photograph their screen. No software can completely prevent someone from capturing what's displayed on their monitor. This is where document watermarking becomes essential—it doesn't prevent screenshots, but it does identify the source if captured content appears where it shouldn't. We'll discuss watermarking in detail later in this guide.

Downloader

Downloaders have all Viewer capabilities plus the ability to download files to their local device. This is the most common permission level for active due diligence participants who need to review documents offline, share with colleagues, or work with materials in their own systems.

Because downloaded documents leave the controlled environment of your data room, watermarking becomes even more important at this level. Every downloaded PDF should carry identifying information about who accessed it and when. You should also monitor download patterns through your analytics dashboard—unusual activity like bulk downloads or downloads at unexpected hours can signal potential concerns worth investigating.

Uploader

Uploaders can view, download, and contribute new documents to the data room. This level is appropriate for internal team members who need to add documents, sellers' counsel uploading legal opinions, or accountants contributing financial analyses.

Keep in mind that Uploaders cannot reorganize or move content—that capability is reserved for Editors and Admins. If contributors need to restructure the data room, they'll need a higher permission level. When multiple people are uploading documents, establishing clear naming conventions becomes important to maintain organization.

Editor

Editors have full content management capabilities including the ability to organize, rename, move, and delete content in addition to all Uploader functions. This level suits data room administrators who manage content day-to-day but don't need to control who has access.

The key distinction from Admin is that Editors cannot add or remove users, nor can they change site settings like watermarking or branding. For full administrative control over both content and users, the Admin level is required.

Admin

Admins have complete control over the data room, including all content operations plus user management and site settings. This is appropriate for primary data room administrators and site owners.

Because Admin actions have broad impact across all users, limit this access to those who truly need it. Consider carefully who should have the ability to add external users or modify security settings like watermarks.

Step-by-Step: Adding Your First Users

Let's walk through the process of adding users to your Clear Ideas data room.

Step 1: Navigate to User Management

  1. Open your site in Clear Ideas
  2. Click the Users tab in the site navigation (alongside Content, Analytics, and Settings)
  3. You'll see any existing users listed here

Step 2: Add a New User

  1. Click the New User button
  2. A dialog opens for entering user details

Step 3: Enter Email Addresses

  1. Type the user's email address in the email field
  2. To add multiple users at once:
    • Enter an email address and press Tab or comma
    • The email appears as a tag
    • Continue adding up to 25 emails at once
  3. If a user already has a Clear Ideas account, their name may auto-populate

Tip: Adding multiple users with the same permission level at once saves significant time when setting up large data rooms.

Step 4: Select Sites (If Applicable)

If you're adding users from the main Users page (not within a specific site):

  1. Click the Select Site(s) dropdown
  2. Choose one or more sites for this user
  3. You can add the same users to multiple sites simultaneously

Step 5: Choose Permission Level

  1. Click the Role dropdown
  2. Select the appropriate permission level:
    • Review the description shown for each role
    • Choose the minimum level needed for the user's legitimate purpose
  3. All users added in this batch receive the same permission level

Key principle: Start with lower permissions and escalate only when necessary. It's easier to increase access than to recover from over-sharing.

Step 6: Set Expiry Date (Optional)

For time-limited access:

  1. Check the Set Expiry Date option
  2. Choose from presets (7 days, 30 days, etc.) or select a custom date
  3. Access automatically revokes when the expiry date arrives

When to use expiry dates:

  • Transaction-related access with defined timelines
  • Temporary advisors or consultants
  • Parties who may not proceed past initial review
  • Compliance with data retention policies

Note: Some account types have restrictions on expiry periods. Free accounts may be limited to shorter durations.

Step 7: Confirm and Add

  1. Review all entered information
  2. Click Add User (or Add Users for multiple)
  3. Users appear in your user list immediately

Important: Users won't receive notification until you make the site Public. This lets you add all users in advance and notify everyone simultaneously when the data room is ready.

For complete documentation, see Managing Users and Sharing a Site.

Common Permission Scenarios

Different transaction types call for different permission structures. Understanding how permissions typically map to roles helps you make consistent decisions across your data rooms.

M&A Sell-Side Data Room

In a typical M&A sale, the seller shares information with multiple potential buyers while maintaining tight control over sensitive materials. The deal team lead or primary administrator typically holds Admin rights to manage both content and users. Internal team members organizing documents need Editor access, while departments contributing documents only need Uploader permissions.

For buyer teams, the conventional approach starts everyone as Viewers during the initial phase. This lets potential buyers review materials through the built-in viewer while preventing them from taking copies until they've demonstrated serious interest. Once a buyer signs an NDA or completes a management meeting, you can upgrade them to Downloader access for the materials relevant to their stage in the process.

The multi-site approach works particularly well for M&A. You might create separate sites for marketing materials, detailed operational information, and sensitive financial data, granting access to each based on where buyers are in the process. Watermarking every PDF ensures that if documents appear outside your control, you can trace them to the source. Set expiry dates aligned with bid deadlines so access automatically terminates when the window closes.

For more on M&A-specific considerations, see VDR Best Practices for M&A Transactions.

Fundraising Data Room

Fundraising data rooms operate similarly to M&A but often with faster timelines and different expectations. Investors typically expect download capability from the beginning since they need to share materials with their investment committees and conduct detailed analysis offline. Starting investors as Downloaders rather than Viewers usually makes sense.

The founder or CFO typically serves as Admin, with finance team members and legal counsel having Uploader access to contribute documents as the round progresses. Watermarks are essential—fundraising materials circulate widely, and you want to know if your confidential projections end up with a competitor or in the press.

Set expiry dates of 30 to 60 days, aligned with your fundraising timeline. Track engagement through analytics to understand which investors are doing serious diligence versus which are merely kicking tires. This intelligence helps you prioritize follow-up and manage your pipeline effectively.

Board Portal

Ongoing board document sharing has different dynamics than transaction data rooms. Board members typically receive Downloader access since they need to prepare for meetings offline, review materials on flights, and reference documents between sessions. The corporate secretary or board liaison holds Admin rights to manage access and settings, while executive assistants preparing materials typically need Editor access.

For organizations with multiple committees, consider creating separate sites for the audit committee, compensation committee, and other groups. Each committee site contains only the materials relevant to that committee's work, and access is limited to committee members. A board member serving on the audit committee but not the compensation committee would have access to the board site and audit committee site but not the compensation site.

This multi-site approach also supports unified branding—apply your corporate logo and colors consistently across all board-related sites so directors experience a coherent, professional environment regardless of which site they're accessing. Since board access is ongoing rather than transaction-based, expiry dates usually aren't appropriate; instead, remove board members promptly when their term ends or they resign.

Legal Matter / Litigation

Legal proceedings require particularly careful access control because of privilege considerations and the sensitive nature of litigation materials. The partner or senior associate managing the matter typically holds Admin rights, with associates at Editor level for organizing documents and paralegals at Uploader level for adding materials.

Client contacts who need access to matter documents usually receive Downloader permissions. If opposing counsel requires access—as in discovery situations—their permission level depends on the specific protocols governing the exchange. Viewer access might be appropriate for review-only scenarios, while Downloader access may be required if they need to work with documents offline.

Watermark every document with user identification, including name, email, and timestamp. Set strict expiry dates aligned with matter milestones—access that continues indefinitely after a matter closes creates unnecessary risk. Document all access grants carefully since questions about who had access to what and when can become relevant to privilege analysis.

Managing Permissions Over Time

Permission management isn't set-and-forget. Active management throughout a transaction is essential.

Upgrading Permissions

To increase a user's access level:

  1. Navigate to the Users tab
  2. Find the user in the list
  3. Click to edit their profile
  4. Change the permission level to the higher role
  5. Save changes

When to upgrade:

  • Buyer proceeds to next diligence phase
  • Additional document access becomes appropriate
  • User's role in the transaction expands

Downgrading Permissions

To reduce access:

  1. Navigate to the Users tab
  2. Find the user
  3. Edit their profile
  4. Select the lower permission level
  5. Save changes

Note: Downgrading removes capabilities going forward but doesn't affect documents already downloaded.

Revoking Access

To completely remove a user:

  1. Navigate to the Users tab
  2. Find the user
  3. Remove them from the site

When to revoke:

  • Transaction party withdraws from the process
  • Access expiry date arrives (automatic)
  • Security concern arises
  • Transaction completes

Handling Access Requests

Users may request additional access. Before granting:

  1. Verify legitimacy — Is the request coming through appropriate channels?
  2. Assess need — Does the user have a legitimate business need?
  3. Consider alternatives — Can you meet the need without escalating permissions?
  4. Document the decision — Keep records of access decisions for audit purposes
  5. Grant minimum necessary — Only increase to the level actually required

Watermarking: Your Second Line of Defense

Permissions control what users can do, but watermarking protects you when documents leave your control. Even with view-only access, users can capture screen content through screenshots, screen recording, or simply photographing their display. For downloaded PDFs, the document exists entirely outside your data room. Watermarking addresses both scenarios by embedding identifying information into the document itself.

How Watermarking Complements Permissions

Think of permissions and watermarks as complementary security layers. Permissions are preventive controls that limit what actions users can take. Watermarks are detective controls that enable you to trace documents back to their source if they appear somewhere unexpected.

When a potential buyer's lawyer downloads your confidential financial projections, that PDF enters an environment you don't control. They might share it with colleagues, store it on devices with weak security, or inadvertently include it in email threads. Without watermarks, you'd have no way to identify the source if that document surfaced in the wrong hands. With watermarks showing "Jane Smith, jane@lawfirm.com, Downloaded March 15, 2026," you know exactly where to look.

Configuring Watermarks by Role

Clear Ideas lets you configure which permission levels see watermarks. A common approach is to apply watermarks to all external users (Viewers and Downloaders) while exempting internal Admins and Editors who need clean copies for operational purposes.

You can include multiple identifying elements in your watermarks: the user's name, their email address, the date and time of access, and custom text like "CONFIDENTIAL" or your company name. The more identifying information you include, the more effective the deterrent and the easier the tracing if needed.

The Psychology of Watermarks

Beyond their practical tracing function, watermarks create a psychological deterrent. Users who see their name and email stamped across every page think carefully before redistributing that document. They know that any leak can be traced directly back to them. This awareness often prevents problems that would otherwise require investigation.

For comprehensive guidance on watermark configuration, see Document Watermarking in VDRs and the Watermarks documentation.

Disabling Users vs. Removing Them

When someone should no longer have access to your data room, you have two options: disable their account or remove them entirely. The right choice depends on your circumstances.

Disabling Access

Disabling a user temporarily suspends their access while preserving their association with the site. The user remains in your user list but cannot log in or view any content. This approach makes sense when you might need to restore access later, want to preserve the complete history of who had access, or are dealing with a temporary situation like a vacation or leave of absence.

Disabling is also useful during negotiations. If a potential buyer pauses their diligence process but might return, disabling their access keeps the door open while protecting your information in the interim. When they're ready to resume, you can restore access with a single click rather than re-adding them and reconfiguring permissions.

Removing Users

Removing a user completely deletes them from the site. This is appropriate when the relationship is definitively over—a buyer has withdrawn from the process, a transaction has closed, or a consultant's engagement has ended. Removal keeps your user list clean and makes ongoing administration easier.

The audit trail preserves records of removed users' past activity, so you don't lose visibility into what they accessed while they had permission. Removal simply ends their current access and removes them from active user management.

Multi-Party Scenarios

Complex transactions often involve multiple parties who should see different information. The most effective approach in Clear Ideas is to use multiple sites strategically, giving different user groups access to different document sets while maintaining unified management and branding.

The Multi-Site Approach

Rather than trying to manage complex permission variations within a single site, create separate sites for different information categories or audience types. A typical M&A transaction might include a Marketing site containing the teaser, management presentation, and general company overview that all prospective buyers can access. Serious bidders who sign NDAs get added to a Technical site with detailed product documentation, architecture diagrams, and operational information. Parties who advance to final rounds might gain access to a Financial site containing sensitive data like detailed financials, customer contracts, and employee information.

This approach gives you complete control over who sees what. Each site has its own user list, so you can add a buyer to the Marketing and Technical sites without granting access to Financial information. When a party withdraws, you remove them from the relevant sites without affecting other users or content.

Creating a Unified Experience

Multiple sites don't have to feel disjointed. Clear Ideas supports custom branding including logos, colors, and styling that you can apply consistently across all your sites. A buyer accessing your Marketing, Technical, and Financial sites sees the same professional branded experience throughout, even though each site contains different content with different access controls.

You can also use consistent naming conventions and folder structures across sites. If your Marketing site uses folders labeled "Company Overview," "Products," and "Market Position," your Technical site might use "Architecture," "Products," and "Operations"—the shared "Products" folder name creates continuity even across separate sites.

Managing Users Across Multiple Sites

From the main Users page in Clear Ideas, you can see all users across all your sites and manage access centrally. When adding a new user, you can grant access to multiple sites simultaneously, selecting appropriate permission levels for each. This makes onboarding new parties efficient even when they need access to several sites.

Analytics aggregate across sites as well, so you can see a buyer's total engagement across all the information you've shared, not just their activity in a single site.

Staged Access with Multiple Sites

The multi-site approach works naturally with staged disclosure. New potential buyers might start with access only to the Marketing site. As they demonstrate serious interest and sign NDAs, you add them to the Technical site. Only parties in exclusivity or final negotiations get added to the Financial site.

This staged approach protects your most sensitive information while still enabling meaningful engagement with a broad set of potential parties. You never have to worry about a casual browser stumbling across detailed customer contracts or employee compensation data.

When to Use Staged Access Within a Single Site

For simpler transactions where all parties will eventually see the same information, staged access within a single site can work well. You start by adding all parties with Viewer access, then upgrade to Downloader as the process progresses. You might also add documents over time, uploading sensitive materials only after reaching certain milestones.

The limitation of this approach is that it doesn't support permanent differentiation—all parties in the site will eventually have access to all content. If you need some parties to see information that others should never see, the multi-site approach is the better choice.

Permission Management Best Practices

Start Restrictive and Escalate as Needed

Begin with lower permission levels and upgrade only when users demonstrate a legitimate need for additional access. It's always easier to grant more access than to recover from over-sharing. A buyer who starts as a Viewer can be upgraded to Downloader once they've shown serious engagement—but a buyer who received Downloader access from day one has already had the opportunity to download everything before you realized they weren't serious.

Document Every Access Decision

Maintain records of who was granted what access and when, along with the business rationale for each decision. This documentation proves valuable for compliance reviews, potential legal matters, and future reference when questions arise about how information was handled. Clear Ideas maintains complete audit trails automatically, but your own records of why decisions were made add important context.

Review Permissions Regularly

During active transactions, review permissions weekly to confirm all access levels remain appropriate. When parties exit the process, revoke their access immediately rather than waiting for a scheduled review. Before uploading particularly sensitive materials, verify your user list—you don't want to realize too late that someone who shouldn't see compensation data already has access to the site where you're about to upload it.

Set Expiry Dates by Default

External users should have expiry dates unless there's a specific reason for indefinite access. Automatic expiration ensures that access ends when it should, even if you forget to revoke it manually. It also creates clear expectations with users about how long their access will last. For ongoing relationships like board access, you can set longer expiry periods or omit them entirely, but transaction-related access should always have a defined endpoint.

Use Analytics to Inform Decisions

Clear Ideas analytics reveal who's actually engaging with your content and who isn't. Users who haven't logged in for weeks probably don't need continued access. Users downloading large numbers of documents in unusual patterns might warrant a conversation. Users who spend hours reviewing your financial statements are showing you where their attention lies. Let this data inform both your permission decisions and your broader transaction strategy.

Train Everyone Who Manages Access

Anyone administering the data room should understand the permission model thoroughly, including what each level allows and why minimum necessary access matters. They should know how to add, modify, and remove users correctly, and understand the importance of never sharing their own credentials or adding users without proper authorization. A well-trained team makes fewer mistakes that could compromise your data room's security.

Troubleshooting Common Issues

"User can't download files"

Check: Is the user assigned Viewer role? Viewers cannot download.

Solution: Upgrade to Downloader if download access is appropriate.

"User can't find the site"

Check:

  • Is the site still Private? Users aren't notified until the site is Public
  • Is the user's email correct? Typos prevent access
  • Has the user's access expired?

Solution: Verify email, check expiry, and ensure site is Public.

"User can't upload documents"

Check: Is the user assigned Viewer or Downloader? Only Uploader and above can upload.

Solution: Upgrade to Uploader or Editor if upload capability is appropriate.

"User can't add other users"

Check: Only Admin-level users can manage other users.

Solution: If the user should manage access, they need Admin permission.

"Watermarks aren't appearing"

Check:

  • Is watermarking enabled in Site Settings?
  • Is the user's role in the selected roles for watermarking?
  • Is the document format PDF? (Watermarks apply to PDFs only)

Solution: Review watermark settings and ensure the configuration matches expectations.

Permission Audit Checklist

Periodically review your data room permissions using this checklist:

  • All users have appropriate roles — No one has more access than needed
  • Inactive users removed — Parties who've exited the process no longer have access
  • Expiry dates set — External users have appropriate time limits
  • Admin access limited — Only necessary individuals have full control
  • Watermarking configured — Sensitive documents are protected
  • Analytics reviewed — No unusual access patterns
  • Documentation updated — Access decisions are recorded

Conclusion

Effective permission management protects your confidential information while enabling the collaboration that transactions require. Understanding the permission levels—and using them in combination with watermarking, expiry dates, and multi-site strategies—gives you fine-grained control over who sees what and when.

The principles underlying good permission management are straightforward: start restrictive and escalate only when needed, manage permissions actively as transactions progress, and maintain clear records of who has access and why. Combined with thoughtful use of multiple sites for different audience segments and consistent branding across your data rooms, these practices create a controlled environment where the right people have the right access at the right time.

Need help setting up your data room permissions? Start free with Clear Ideas and experience intuitive permission management designed for high-stakes transactions.

Related Articles

Ready to get started?
Share sensitive information securely with clients, auditors, and partners. Then turn approved content into cited answers, repeatable workflows, and measurable engagement.
Start Free
No credit card required
Book a Demo
Need help?
Get personalized assistance
Speak with our sales team to find the perfect plan for your organization.
Contact our sales team →
Technical support & resources
Access our comprehensive support center, documentation, and help guides.
Visit our support center →