Two ways to grant a teammate access in Kodori:
**Per-document share** — On the document page, scroll to "Access" and enter a teammate's email. Use this when you only want to expose one document.
**Collection-level share** (best for matters and projects) — On any /collections/[id] page, the "Collection access" section lets owners and admins share the entire collection with a teammate in one click. Every document pinned to the collection (and any pinned later) becomes readable for that teammate. A 200-doc matter is one grant, not 200.
Either action records as a "permission.granted" event in the audit log. The doc-detail Access panel surfaces both kinds — explicit document grants AND inherited grants from collection membership — with a link back to the collection so it's always clear where each grant lives.
The teammate must already be a member of the workspace (use /members to invite first if not). Revoke with one click from the same surface that issued the grant. Grants are idempotent at the database level (D306 added a unique constraint on `(tenant, principal, action, resource, effect)`) — clicking "Share read access" twice in a row produces one grant, not two; the Access panel shows exactly the rows that exist, not phantom dupes.
What they can see:
- viewers see only the documents they're explicitly granted on, plus anything they created themselves - contributors and auditors follow the same rule but at higher tiers of action - owners and admins bypass per-document grants by role
Permission filtering happens at the index in Postgres, not after the fact in the application — so search results, dashboard counts, and the API all reflect the same trimmed view. Deny-rules always win over allow-rules — at both the document and collection levels. A per-doc deny will override a collection-level allow if you need to lock down a single sensitive doc inside an otherwise-shared matter.
Note on rule-driven collections: collection-level grants only inherit to **pinned** members. If a collection auto-includes documents via a rule (see /help/rule-driven-collections), the rule-derived members are not covered — pin explicitly when a doc should travel with collection access.