
Read-Only, Comment, or Edit? A CMO's Guide to Choosing the Right Document Permission Level

Firma Editorial

Document Security Expert

TL;DR

Default to view-only for all client-facing documents. Use comment access only for structured review phases with defined close dates. Edit access belongs to your team, not clients. Download access creates permanent uncontrolled copies — use it deliberately, not by default.

Permission levels are the most fundamental document access control decision. Most CMOs set them on autopilot — sharing the same way they always have, without thinking through the implications of each level.

Here's a systematic guide to making these decisions correctly.

The Four Permission Levels and Their Risks

View Only (Read-Only)

What it allows: The recipient can see the document but cannot edit, comment (in most configurations), or share it.

Best for: All client-facing deliverables — strategy documents, reports, presentations, analyses. Any document where you want the client to consume the work, not modify it.

Risk if too restrictive: Almost none. Clients can always ask questions in a meeting or via message; they don't need edit access to engage with your work.

Risk if you should have used it but didn't: Client edits your deliverable, creating a version that no longer represents your work. Client adds comments visible to others. Client sees your internal revision history.

Comment Only

What it allows: The recipient can add comments but not edit the core content. Comments are visible to all collaborators.

Best for: Structured review phases — "please leave your feedback on this draft by Friday." Works well for early-stage creative feedback.

Risk: All comments are visible to all people with access to the document. If multiple clients have access (they shouldn't, but in a messy Drive setup they sometimes do), their feedback becomes mutually visible. Also: comments persist until deleted, creating a permanent record of internal deliberations.

Recommendation: Use for internal team reviews. For client feedback, consider a dedicated feedback channel (a form, a meeting, a comment layer in your portal) rather than native document comments.

Edit (Full Access)

What it allows: The recipient can change the document content, add and delete content, and share the document further.

Best for: Internal team members actively collaborating on a document.

Not appropriate for: Clients, contractors (unless it's their work product), or anyone outside your immediate team.

Risk: A client with edit access can modify your deliverable, making it ambiguous whether the document represents your work or a client-modified version. They can also access your full revision history.

Download

What it allows: The recipient can save a local copy of the document.

Best for: Final deliverables that the client explicitly needs locally (e.g., a brand guidelines PDF they'll distribute to printers).

Risk: Downloaded copies are permanent and uncontrolled. You cannot update them, revoke them, or know who has them. Every download creates a frozen, untracked copy of your work.

Recommendation: Disable download by default. Enable it only for specific final deliverables, as a deliberate decision, not a default.

The Default Stack

| Situation | Permission level |
| --- | --- |
| Ongoing deliverables, active engagement | View only |
| Draft review phase | Comment (internal) / View only (client) |
| Internal team collaboration | Edit |
| Final archival deliverables | View only + Download (one-time) |
| Sensitive IP-containing documents | View only, no download |
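
An added example, not part of the original article or Firma's code: a Python check that applies the default stack above to file metadata shaped like Google Drive API v3 file resources (`permissions`, `copyRequiresWriterPermission`, `writersCanShare`). The internal domain, the category labels, and the sample files are constructed assumptions.

```python
# Added example: audit Drive-style sharing metadata against the default stack.
# Field names follow Google Drive API v3 file resources; all data is constructed.
INTERNAL_DOMAIN = "agency.example"   # assumption: your team's email domain
DOWNLOAD_ALLOWED = {"final"}         # hypothetical category labels from the table
ROLE_RANK = {"reader": 0, "commenter": 1, "writer": 2, "owner": 3}

def is_external(perm):
    """True when a permission entry targets someone outside the team."""
    if perm["type"] in ("anyone", "domain"):
        return perm.get("domain") != INTERNAL_DOMAIN
    return not perm.get("emailAddress", "").lower().endswith("@" + INTERNAL_DOMAIN)

def audit(file_meta):
    """Return a list of findings for one file; an empty list means compliant."""
    findings = []
    externals = [p for p in file_meta["permissions"] if is_external(p)]
    for p in externals:
        who = p.get("emailAddress") or p.get("domain") or p["type"]
        if ROLE_RANK[p["role"]] > ROLE_RANK["reader"]:
            findings.append(f"{who}: '{p['role']}' exceeds view-only")
    # copyRequiresWriterPermission=True hides download/print/copy from
    # readers and commenters; the article's default is to keep downloads off.
    if (externals and file_meta["category"] not in DOWNLOAD_ALLOWED
            and not file_meta.get("copyRequiresWriterPermission", False)):
        findings.append("download/print/copy enabled for viewers and commenters")
    # writersCanShare=True lets editors change permissions and re-share.
    if file_meta.get("writersCanShare", True) and any(
            p["role"] == "writer" for p in externals):
        findings.append("external editor can re-share the file")
    return findings

SAMPLE_FILES = [  # constructed sample metadata
    {"name": "Q3 strategy deck", "category": "ongoing",
     "copyRequiresWriterPermission": True, "writersCanShare": False,
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "lead@agency.example"},
         {"type": "user", "role": "reader", "emailAddress": "cfo@client.example"}]},
    {"name": "Brand positioning draft", "category": "sensitive",
     "copyRequiresWriterPermission": False, "writersCanShare": True,
     "permissions": [
         {"type": "user", "role": "writer", "emailAddress": "lead@agency.example"},
         {"type": "user", "role": "writer", "emailAddress": "vp@client.example"}]},
]

def audit_all(files):
    return {f["name"]: audit(f) for f in files}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_FILES).items():
        print(name, "->", findings or "OK")
```

Running the same check on a schedule against real sharing metadata catches permission drift that one-time setup misses.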

Frequently Asked Questions

Should clients ever have edit access to documents a CMO creates?

Rarely. The only case where client edit access makes sense is for documents that are genuinely collaborative — an onboarding questionnaire, a shared planning document — where the client is adding their own data, not modifying your work. For deliverables that represent your strategic output, view-only is the right default.

What happens if a client has comment access to a Google Doc?

With comment access, the client can add, resolve, and see all comments on the document — including comments from your team that may not have been intended for the client. Comments are visible to all collaborators regardless of when they were added. This is a common source of embarrassing disclosures.

Can you give a client view-only access without them being able to download the file?

In Google Docs, view access allows printing and some downloading options by default. To prevent download, you need to go into the sharing settings and check "Prevent editors and commenters from changing access and adding new people" and then also disable "Download, print, and copy." In a client portal like Firma, download controls are a configurable permission separate from view access.
