Fix tenant admin role and access problems

Diagnose and fix the most common reasons a tenant role or access change is not working: a role toggle that will not save, a change refused because it would set a platform-only role or the workspace is restricted, the last role you cannot remove, or a member who still cannot do what their new role allows.

Purpose

Find the visible reason a tenant role or access change is not working and the safe next step, so the right members get the access they need without you guessing at hidden settings.

Who this is for

Owners and admins whose attempt to change a member's role or access is not saving, is denied, or is not giving the member the access they expected.

Prerequisites

Steps

  1. Open Tenant Admin and find the member in the Users list by name or email.
  2. Check the roles already shown on that member, then turn the role you want on or off and wait for it to finish saving.
  3. If the change is refused, note that platform-only roles cannot be set from tenant admin and a restricted workspace blocks role changes.
  4. If you cannot remove a role, remember every member must keep at least one role, so add the new role before removing the old one.
  5. If the member still cannot do the task, confirm the saved roles match what that task needs, and review recent security events for context.
  6. If you expected to invite a new person or route a support request, note that those are not yet available and use the safe path instead.

Expected result

You can tell whether the problem is your own role, the tenant admin boundary, the last-role rule, or a member who simply needs a different role, and the member ends up with the access their work requires.

Verification

If something goes wrong

A role change will not save
Confirm you have an owner or workspace admin role and wait for any in-flight save to finish; a change is refused only when it would set a platform-only role, which is not editable here, or when the workspace is restricted.
You cannot remove a member's last role
Every member must keep at least one role; add the role they should have first, then remove the one they no longer need.
The member still lacks access after the change
Open the member again and confirm the saved roles match what the task needs, then review recent security events for context before retrying.

Permissions

Viewing members and changing their roles is available to workspace owners and admins equally; a change is refused only when it would set a platform-only role, which is never editable from tenant admin, or when the workspace is restricted.

Related articles

Support

If a role or access change still will not work after these steps, ask a workspace owner first. LumenReach support can help you sort out roles and the tenant admin boundary without seeing member passwords, credentials, or other private data.