# Solutions Engineering Access

## What this is

Solutions Engineering (SE) access allows Protege AI staff to view or edit your Hookshot™ workspace configuration for support, debugging, and setup assistance. It is a controlled overlay that does not create a normal workspace membership.

## When to use it

Use this page when you need to:

* Grant Protege AI support staff access to your workspace
* Review or revoke an existing SE access grant
* Understand what SE users can and cannot do

## What you need first

* Workspace owner or admin role
* A request from Protege AI support (<support@tryprotege.com>) identifying the access level needed

## Steps

### 1. Open SE Access settings

Go to **Settings** and find the **Solutions Engineer Access** section.

This section is visible only to workspace owners and admins.

### 2. Choose the access level

| Level     | What it allows                                                                      |
| --------- | ----------------------------------------------------------------------------------- |
| **Read**  | View workspace configuration, teams, people, Protege setup, and integrations        |
| **Write** | Edit workspace configuration, manage teams, configure Proteges, and modify settings |

Read access is appropriate for diagnostic sessions. Write access is appropriate when Protege AI staff need to adjust configuration on your behalf.

### 3. Choose the duration

| Duration     | Behavior                              |
| ------------ | ------------------------------------- |
| **7 days**   | Access expires after 7 days           |
| **30 days**  | Access expires after 30 days          |
| **90 days**  | Access expires after 90 days          |
| **Standing** | Remains active until manually revoked |

Use the shortest duration that covers the support need. Standing access should be reserved for ongoing partnerships.

### 4. Enable access

Select the level and duration, then choose **Enable**. The grant becomes active immediately.

### 5. Review active grants

The SE Access section shows:

* The current access level
* The grant mode (temporary or standing)
* When the grant was activated
* When it will expire (if temporary)

### 6. Revoke access

If you want to end access before the expiry date, choose **Revoke**. The grant status changes immediately and the SE user loses access on their next session.

## What SE users can see

* **Read access**: Workspace settings, teams and people, Protege configurations, integration connections, Event Feed, and Audit
* **Write access**: Everything from read access, plus the ability to edit workspace settings, manage teams and people, create and edit Proteges, and configure integrations

## What SE users cannot do

* Manage billing, plans, or payment methods
* Grant or modify their own SE access
* Access workspaces where no SE grant exists
* Bypass the access level they were granted (read-only users cannot edit)

## SE overlay behavior

When an SE user has active access, they:

* Can see all teams in the workspace, not just one team
* Do not appear as a workspace member in the People list
* Do not receive workspace notifications or emails
* Are not counted against your seat limit

{% hint style="info" %}
SE access is a support overlay, not a membership. SE users are Protege AI staff who enter your workspace for a defined period and purpose. They do not become workspace members.
{% endhint %}

## Sandbox and environment access

SE access is granted **per workspace**. If your workspace is linked to a sandbox environment, granting SE access to the production workspace does **not** automatically grant access to the sandbox — and vice versa.

To give an SE user access to both environments:

1. Grant SE access in the **production** workspace's Settings page
2. Switch to the **sandbox** workspace (using the workspace picker in the sidebar)
3. Grant SE access in the **sandbox** workspace's Settings page

Each environment's SE access is independently controlled. You can choose different access levels or durations for each. For example, you might grant standing write access to the sandbox for ongoing configuration work, but only temporary read access to production for a specific diagnostic session.

When an SE user has active access to both environments, the sidebar workspace picker shows both the production and sandbox workspaces. The sandbox entry is labeled with **Sandbox** so you can tell the environments apart at a glance.

{% hint style="info" %}
SE access in a sandbox workspace is subject to the same sandbox restrictions as regular membership — team and people administration is inherited from the production workspace and cannot be changed independently.
{% endhint %}

See [Environments and Sandbox](/workspace-settings/environments-and-sandbox.md) for more on how production and sandbox workspaces are linked.

## When access expires

Temporary grants automatically expire at the end of their duration. When a grant expires:

* The SE user can no longer access the workspace
* No data is removed or changed
* The grant record remains visible in the SE Access section for audit purposes

## How to verify

* The SE Access section shows the correct level and duration
* The expiry date matches the duration you selected
* Revoking access immediately removes the SE user's ability to enter the workspace

## Common failures

* Granting write access when read access would suffice
* Choosing standing access when a temporary grant covers the need
* Forgetting to revoke access after a support engagement ends
* Confusing SE access with workspace membership
* Assuming SE access to the production workspace also grants access to the sandbox

## Next step

* [Environments and Sandbox](/workspace-settings/environments-and-sandbox.md)
* [Workspace Settings](/workspace-settings.md)
* [Security and Permissions](/workspace-settings/security-and-permissions.md)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://gitbook.tryprotege.com/workspace-settings/solutions-engineering-access.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.