The CMO's Complete Guide to Document Access Control: Permissions, Expiry & Revocation
Firma Editorial
Document Security Expert
TL;DR
Access control for marketing documents means three things — setting the right permission level at creation, setting an expiry date at delivery, and having a reliable revocation process at engagement close. Most CMOs do the first inconsistently and skip the other two entirely.

The CMO's Complete Guide to Document Access Control
Document access control is one of those topics that feels technical until you've experienced a document reaching someone it shouldn't, or a former client accessing work from an engagement you thought was closed six months ago. Then it becomes very practical very quickly.
For CMOs — especially fractional CMOs managing multiple concurrent engagements — access control isn't a nice-to-have. It's the foundation of professional document delivery.
What Is Document Access Control?
Document access control is the set of decisions that determine who can access a document, what they can do with it, and for how long. It has three components:
- Permission level: what the recipient can do (view only, comment, edit, download, share).
- Access scope: who specifically can access (a named individual, anyone with the link, a specific team, the public).
- Time boundary: how long the access is valid (indefinitely, which is the default; until a specific date; or until explicitly revoked).
Most document sharing decisions address the first two and ignore the third entirely. This is the root cause of zombie links, IP leakage, and the "former client can still see everything" problem.
Why CMOs Have Special Access Control Needs
A fractional CMO faces a specific access control challenge: they're delivering highly sensitive strategic work to multiple clients simultaneously, with different sensitivity levels across different documents, and engagements that start and end on an ongoing basis.
This creates a matrix of access control requirements:
- Some documents should be client-accessible for the duration of an engagement
- Some documents should be client-accessible temporarily (a strategic framework you share for a specific decision, then want back)
- Some documents should never be client-accessible (your internal methodology, your reusable templates, your cross-client benchmarks)
- All access should end cleanly when the engagement ends
Achieving this through ad-hoc Google Drive sharing is difficult. Achieving it through a managed portal with built-in access control is straightforward.
Permission Levels: Choosing the Right One
| Permission | Use case | Risk if too broad |
|---|---|---|
| View only | Client-facing deliverables, strategy documents | Lower risk — client can see but not edit |
| Comment | Collaborative working documents during engagement | Comments visible to all collaborators |
| Edit | Internal team collaboration only | Client edits can corrupt deliverables |
| Download | Reports the client needs locally | Downloaded copy is uncontrolled forever |
| Share | Never appropriate for client-facing documents | Creates entirely new access paths you can't control |
Default recommendation for client-facing documents: View only, no download. If the client needs a local copy, create a specific export event (dated, versioned) rather than granting ongoing download access.
Setting Expiry Dates: The Underused Tool
Every document shared with a client should have an expiry date. For most engagements, this means:
- Routine deliverables: Expire when the engagement ends (set at the start of the engagement based on the expected end date, adjustable as needed)
- Time-sensitive documents: Expire within a defined window (e.g., a pricing proposal expires in 14 days)
- Highly sensitive materials: Expire as soon as they've served their specific purpose (e.g., a confidential competitive analysis shared for a specific decision meeting)
This is what Firma calls "time-bomb sharing" — setting a document to self-destruct at a specific date or trigger. It's the technical implementation of the intent you already have but probably never enforce.
Revocation: The Engagement Close Imperative
The most important access control action is the one that happens last: revoking all access when the engagement ends.
This requires a process — not just a good intention. The process should include:
- A checklist of all documents shared during the engagement
- A revocation step for each one (or a single portal-level revocation if using a managed tool)
- A confirmation that no access points remain
- An archive copy of the engagement in read-only format for your own reference
Firma's "Wrap" feature executes this in one action: the client portal converts to view-only or closed, all active sharing permissions are revoked, and the engagement moves to archived status.
Building Access Control Into Your Workflow
Access control should not be a separate exercise — it should be embedded into your document workflow at three natural points:
- At document creation: Decide (and record) who should have access, at what level, and for how long.
- At delivery: Configure the access accordingly. If using a portal, ensure the document is in the right section with the right permissions.
- At engagement close: Execute the revocation checklist. Verify no access remains.
The discipline of treating access control as a workflow step rather than an afterthought is what separates CMOs who never have document security incidents from those who discover problems months after they happened.
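The three workflow points above (record at creation, configure at delivery, revoke and verify at close), as an added example that is not Firma's code or API: a register of access grants is audited against the article's defaults and then closed out. The `Grant` fields, the function names and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Levels the article's table treats as too broad for client-facing documents.
TOO_BROAD = {"edit": "edit is for internal collaboration only",
             "download": "downloaded copies are uncontrolled",
             "share": "share creates new access paths"}

@dataclass
class Grant:
    document: str
    recipient: str            # named individual, or "anyone-with-link"
    level: str                # view | comment | edit | download | share
    expires: Optional[date]   # None means indefinite access
    client_facing: bool = True
    revoked: bool = False

def live_client_grants(grants, today):
    return [g for g in grants if g.client_facing and not g.revoked
            and (g.expires is None or g.expires >= today)]

def audit(grants, today, engagement_end):  # -> [(document, recipient, problem)]
    findings = []
    for g in live_client_grants(grants, today):
        if g.expires is None:
            findings.append((g.document, g.recipient, "no expiry date"))
        elif g.expires > engagement_end:
            findings.append((g.document, g.recipient, "expires after engagement end"))
        if g.recipient == "anyone-with-link":
            findings.append((g.document, g.recipient, "not limited to a named individual"))
        if g.level in TOO_BROAD:
            findings.append((g.document, g.recipient, TOO_BROAD[g.level]))
    return findings

def close_engagement(grants, today):
    checklist = live_client_grants(grants, today)  # the revocation checklist
    for g in checklist:
        g.revoked = True
    return checklist, live_client_grants(grants, today)  # second item must be empty

def sample_grants():  # constructed sample data, not from a real engagement
    return [
        Grant("Q3 strategy deck", "ana@client.example", "view", date(2025, 6, 30)),
        Grant("Pricing proposal", "anyone-with-link", "view", None),
        Grant("Board report", "ana@client.example", "download", date(2025, 12, 31)),
        Grant("Competitive analysis", "raj@client.example", "view", date(2025, 3, 1)),
        Grant("Internal methodology", "owner", "edit", None, client_facing=False),
    ]
```

Running `audit` before `close_engagement` shows which grants were misconfigured at delivery; the second value returned by `close_engagement` is the "no access points remain" confirmation from the revocation checklist.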
Frequently Asked Questions
What is the best way for a fractional CMO to manage document access across multiple clients?
Use a dedicated client portal per engagement, set access expiry dates on all sensitive documents at the time of delivery, and execute a documented revocation checklist at engagement close. This creates a reliable, repeatable process that doesn't rely on memory.
How do you revoke document access when a client engagement ends?
If you use a client portal like Firma, engagement close is a one-click action that revokes all portal access. For Google Drive-only sharing, you need to manually review all files and folders shared with the client and remove their access — or use Google Workspace Admin tools to audit and batch-revoke.
What permission level should CMOs give clients for strategic documents?
View-only is the safest default for client-facing strategic documents. It allows the client to read and use the content without being able to edit the source, add comments visible to others, or share onwards from within the document. If you need to collect client feedback, route it through a separate channel (a form, a meeting, or a comment layer in your portal) rather than by granting edit or comment access on the document itself.