Access explorer — who can see what

Current-state view of every grant in the workspace. Two queries: who has access to this resource, what does this user have access to.

Updated 2026-04-27

/access (owner / admin only) is the current-state view of every grant in the workspace. /members shows roles + invites; /audit shows mutation events; /access is the missing third leg.

**Two query modes:**

- **By principal.** Pick a workspace member from the side panel. The page shows every row-level grant attached to them, with action / resource / effect / expiry. Owners and admins have role-derived blanket access and need no row-level grants, so their per-principal view typically shows zero rows. Useful for offboarding (audit what to revoke), least-privilege review (does this paralegal really need write on the Smith matter?), and post-incident audit (what did the compromised account have access to?).
- **By resource.** Paste a document id, a collection id, or any resource pattern substring (e.g. `document/abc` or `collection/123`). The page lists every grant scoped to it with the principal name and effect. Matching is exact equality first, then substring as a fallback, so a short pattern can match many resources. Useful for partner review of who has been granted on a privileged matter, pre-deposition exhibit access, and quarterly access attestation for SOX / SOC 2.

**What's shown:** principal, action (read / write / share / delete / change-permission / etc.), effect (allow / deny — deny always wins at evaluation time), expiry, created-at.

**What's not shown:** role-derived blanket access. Owners and admins see every document regardless of grants; viewers, contributors and auditors see what they are explicitly granted plus whatever their role tier covers. The page surfaces *row-level* grants only, i.e. the typed permissions table behind `canReadDocument`. So for "what can this admin see?" the answer is "everything" without checking grants, and an empty grant list for an owner or admin is not evidence of restricted access.

**Caps.** 200 grants per query; rows beyond the cap are not returned, so treat a result that hits 200 as incomplete rather than as the full picture. Tenants with bigger grant sets (think a single matter with 50+ external co-counsel each granted separately) refine via the resource-pattern substring search until the result is under the cap.
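The two query modes, the deny-wins evaluation, the blanket access that the page does not show, and the 200-row cap, modelled over a constructed grants table. This is an added example, not the product's own code: the `Grant` shape, the function names (`grantsForPrincipal`, `grantsForResource`, `isAllowed`), the sample data, and the treatment of non-admin role tiers as grants-only are all assumptions for illustration.

```typescript
// Added example (not the product's code): a small model of the /access queries.
// Assumed grant shape; the real permissions table may differ.
type Role = "owner" | "admin" | "contributor" | "viewer" | "auditor";
type Action = "read" | "write" | "share" | "delete" | "change-permission";
type Effect = "allow" | "deny";

interface Grant {
  principal: string;   // workspace member id
  action: Action;
  resource: string;    // e.g. "document/abc" or "collection/123"
  effect: Effect;
  expiresAt?: Date;    // undefined = never expires
  createdAt: Date;
}

interface QueryResult { rows: Grant[]; truncated: boolean }

const MAX_GRANTS_PER_QUERY = 200;

// Roles with role-derived blanket access (assumed: owner and admin only).
const BLANKET_ROLES: ReadonlySet<Role> = new Set<Role>(["owner", "admin"]);

// Apply the per-query cap and flag when rows were dropped.
function cap(rows: Grant[]): QueryResult {
  return { rows: rows.slice(0, MAX_GRANTS_PER_QUERY), truncated: rows.length > MAX_GRANTS_PER_QUERY };
}

// "By principal": every row-level grant attached to one member.
function grantsForPrincipal(grants: Grant[], principal: string): QueryResult {
  return cap(grants.filter((g) => g.principal === principal));
}

// "By resource": exact equality first, substring only as a fallback.
function grantsForResource(grants: Grant[], pattern: string): QueryResult {
  const exact = grants.filter((g) => g.resource === pattern);
  if (exact.length > 0) return cap(exact);
  return cap(grants.filter((g) => g.resource.includes(pattern)));
}

// Evaluation: blanket roles short-circuit (no grant lookup); otherwise an
// unexpired deny on the same action+resource wins over any allow, and with
// no unexpired allow there is no access. What non-admin role tiers cover is
// not modelled here (assumption: grants only).
function isAllowed(grants: Grant[], principal: string, role: Role,
                   action: Action, resource: string, now: Date): boolean {
  if (BLANKET_ROLES.has(role)) return true;
  const live = grants.filter((g) =>
    g.principal === principal && g.action === action && g.resource === resource &&
    (g.expiresAt === undefined || g.expiresAt > now));
  if (live.some((g) => g.effect === "deny")) return false;
  return live.some((g) => g.effect === "allow");
}

// Constructed sample data (not real tenant data).
const NOW = new Date("2026-04-27T00:00:00Z");
const T0 = new Date("2026-01-10T00:00:00Z");
const SAMPLE_GRANTS: Grant[] = [
  { principal: "u-paralegal", action: "read",  resource: "document/smith-001", effect: "allow", createdAt: T0 },
  { principal: "u-paralegal", action: "write", resource: "document/smith-001", effect: "allow",
    expiresAt: new Date("2026-03-01T00:00:00Z"), createdAt: T0 },              // expired before NOW
  { principal: "u-cocounsel", action: "read",  resource: "collection/smith",   effect: "allow", createdAt: T0 },
  { principal: "u-cocounsel", action: "share", resource: "document/smith-001", effect: "allow", createdAt: T0 },
  { principal: "u-cocounsel", action: "share", resource: "document/smith-001", effect: "deny",  createdAt: T0 }, // deny wins
];

// A matter with many external co-counsel, one exhibit each: enough to hit the cap.
function buildLargeGrantSet(count: number): Grant[] {
  const out: Grant[] = [];
  for (let i = 0; i < count; i++) {
    out.push({ principal: `ext-${i}`, action: "read", effect: "allow", createdAt: T0,
               resource: `document/matter-x/exhibit-${String(i).padStart(3, "0")}` });
  }
  return out;
}

// Stand-alone run: show the truncation and how a narrower pattern gets under the cap.
const large = buildLargeGrantSet(250);
const wide = grantsForResource(large, "document/matter-x");
const narrow = grantsForResource(large, "exhibit-1");
console.log(`wide: ${wide.rows.length} rows, truncated=${wide.truncated}`);
console.log(`narrow: ${narrow.rows.length} rows, truncated=${narrow.truncated}`);
```

The `truncated` flag is the piece to look at during attestation: a result of exactly 200 rows with `truncated` set is a prompt to refine the pattern, not a complete list. In the run above, `document/matter-x` matches nothing exactly, falls back to substring over all 250 grants, and is cut to 200; `exhibit-1` matches the 100 exhibits numbered 100 to 199 and returns them all.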

**Where to go from here:**

- /members — to revoke / promote / invite
- /audit?actor=<userId> — to see what the user has *done*, not just what they *can do*
- /compliance/reports/legal-hold-log — to confirm holds are bound to the right subjects