- Getting started with Notion Enterprise
- Setting up user types
- Using teamspaces to organize information
- An Introduction to Workspace Settings
- Other Settings for Workspace Owners
- Managing Users in Notion
- User Authentication through SAML SSO
- User Provisioning
- User De-provisioning
- Managing your domain in Notion
- Customize workspace creation permissions
- View unmanaged workspaces
- Single member workspace actions
- Multi-member workspace action
- Data, Reporting, & Auditing
- Member List Export
- Workspace Exports
- Audit Log
- Content Search
- Data ownership
Getting started with Notion Enterprise
Getting started with Notion for Enterprise gives you access to more customizability and control over admin, security, provisioning, and more. There are plenty of features to explore within your company workspace, so it’s important to understand the scope of what’s available.
In this guide, we’ll discuss some of the most vital features available for Enterprise and a few best practices for building a clean, productive, and secure Notion workspace that meets your organization’s needs.
Setting up user types
There are four types of users on Notion Enterprise, all consisting of varying levels of permissions, so it’s important to organize users based on their intended usage:
Workspace owners have full access to all workspace settings and have elevated privileges, such as the ability to add new members. Every workspace must have at least one owner.
A Membership admin is an administrative role built specifically for Enterprise user management that allows Workspace owners to delegate membership responsibilities. Ensuring members have access to the right workspace and relevant groups is often managed by IT teammates, Product Ops, or other functional Chiefs of Staff.
Members are paid users and have full access to the workspace, including a personal section of the workspace. This is the default role when joining a workspace, and is a good role for most people at your company. All members are allowed to view, create, and share pages, and is a good way to maximize usage of Notion without granting additional administrative privileges.
Guests are free users, but are limited to the specific pages that they’ve been granted access to and do not have a personal section of the workspace. These users are intended for external collaborators and are not supported by SSO & SCIM.
Notion has plenty of flexibility when it comes to user type delegation. As our customers grow on Notion, it’s a best practice to limit the number of workspace owners that have full access to all workspace settings (such as Audit Log, Content Search, and Identity & Provisioning) to a smaller administrative team.
Using teamspaces to organize information
Teamspaces provide streamlined access to information by creating a dedicated area of your company’s workspace that can be customized to meet the requirements for a specific team or project.
Most organizations set up a company teamspace for all users, plus individual teamspaces for every department (like Product, Engineering, Marketing, Customer Success, etc.). Individual users can be added to specific teamspaces, limiting the information that is openly accessible.
To create a teamspace in Notion, you can click the
+ icon next to Teamspaces in the sidebar, or you can use the
New teamspace button located in Settings & members > Teamspaces.
Adding structure to teamspaces
To enforce a more structured workspace, you can limit teamspace creation to workspace owners only using the toggle under Settings & members > Teamspaces.
To learn more about how workspace owners can set up teamspaces, read our guide here.
Adding and Managing Teamspace Members
By default, workspace members won’t see new teamspaces, though it’s easy to add members to specific teamspaces. In Teamspace settings > Members, you can search existing workspace members or groups or add members manually via email.
Once a member is added to a teamspace, their role can be toggled between member or teamspace owner for additional privileges.
Each teamspace has its own settings (separate from workspace settings) so you can control more granular options for each area that you create.
For organizations focused on ensuring that information stays secure within their workspaces, check the following settings to make sure they align with your needs:
Disable public page sharing — dictates whether a page can be published to the web.
Disable guests — limits sharing of current teamspace to workspace members only.
Disable export — turns off the ability for users to export pages from this teamspace.
An Introduction to Workspace Settings
As a workspace owner, you can easily build out your organization’s Notion instance in a way that’s custom to your company. Settings & members is where you can control the finer details, like access and membership, permissions, plan and billing information, security, and more.
Before you start working in Notion, it’s important to understand what settings exist for your workspace and what they do. Let’s cover a few basics, then we’ll dive into specific sections in more detail later in this guide.
Settings (Workspace owners only)
This section is the starting point for many companies, as it’s where you set up a few of the most important basic settings that appear internally and externally.
Name — set the name of your company’s workspace. This is often just your company name (we set ours to read Notion), but can be customized to what fits best.
Icon — upload an image (usually your company logo) for your workspace.
Workspace Domain — create a personalized domain for your workspace. This domain is used for two reasons:
Pages shared to the web will be shared using this domain ([domain].notion.site)
Anyone with an allowed email domain can join the workspace using this domain (www.notion.so/[domain])
Allowed Email Domains — add your workspace’s allowed email domains. Any users with email addresses that belong to the domain(s) listed here can automatically join your workspace. For most organizations, this is their company email domain (i.e.,
acmeinc.com). To get started, there needs to be at least one confirmed member with the domain before it can be added.
For more information, continue on to the Allowed Email Domains section below.
Teamspaces (Workspace owners only)
General teamspace settings allow you to control settings that apply globally to your workspace.
Default teamspaces — choose the teamspaces that all new and current workspace members automatically join.
Limit teamspace creation — toggle this setting on to only allow workspace owners the ability to create teamspaces.
Manage all teamspaces — this section is where you can manage all teamspaces and their respective settings. See members, security settings, and access levels by teamspace.
Members (Workspace owners & Membership admins only)
Here is where Workspace owners and Membership admins can view and manage members, groups, and guests in the workspace.
Manage members and access — make sure all members in your workspace have the right level of access and that they are in the correct teamspaces.
Set up permissions groups — these allow you to easily manage page permissions and teamspace access in bulk, rather than on an individual member basis.
Managing permissions groups with an IdP
If you plan to leverage SCIM, we recommend creating and managing groups from your IdP to ensure they sync properly with Notion. Some SCIM applications may not support importing groups, meaning they won’t pull any groups created in Notion.
Monitor guest access — review any guests that currently have access to your company’s workspace, and revoke access if necessary.
Adding guests in Notion
Guests can only be added at the page level via the Share menu.
View and manage users who have recently left the workspace — view the log of members that left the workspace in the last 30 days. To prevent data loss, you can transfer ownership of those users’ private pages to another member (i.e., to their manager).
Manage workspace membership requests — members can request new people to be added into your workspace. Workspace owners and membership admins can approve or decline these requests here.
Adding members without an IdP
If you aren’t using an Identity Provider (IdP), this is where you can also manually add/remove members.
Billing (Workspace owners only)
Workspace plan and billing information can be found here to help manage all aspects of billing in Notion.
For customers on automated billing, you can update your plan and billing intervals (monthly vs annually) here
For customers on quarterly true-ups via the Sales team, please work with your dedicated Account Management team for any questions about your Enterprise license
Billing with Allowed Email Domains enabled
The cost for any members who have joined the workspace via Allowed Email Domains will be added to your Enterprise License.
Security (Workspace owners only)
Disable public page sharing — this will disable the
Share to weboption in the Share menu on every page in this workspace.
Disable guests — this prevents anyone from inviting people outside the workspace to any page.
Disable moving or duplicating pages to other workspaces — this prevents anyone from moving or duplicating pages to other workspaces via the
Disable export — this prevents anyone from exporting as Markdown, CSV, or PDF.
If you want the tightest lock down on your content, you can disable all of these options so the information in your workspace cannot be shared, downloaded, or moved out of the workspace.
Teamspace vs. Workplace security
Teamspace settings will be inherited from these workspace security settings. To override these settings for a teamspace, you need to be both a workspace owner and a teamspace owner.
Other Settings for Workspace Owners
Identity & provisioning
Verify your domain, manage workspaces that belong to your domain, and configure SAML SSO & SCIM in the
Identity & provisioning tab. For more information, continue to the Managing Users in Notion section below.
Filter and search the workspace content and manage permissions on pages as needed. For more information, continue to the Content Search section below.
With Notion’s API, you can connect other software tools to your workspace for even more functionality within your workspace. There are additional settings for managing these connections on the Enterprise plan so workspace owners can regulate who in the workspace can install them:
No restrictions — all workspace members can install connections in the workspace
Only from approved list — workspace members can only install connections that are pre-approved by a workspace owner
Provides an overview of a large range of events that have occurred in the workspace. For more information, continue to the Audit Log section below.
Managing Users in Notion
There are multiple ways to manage users in Notion depending on your organization’s preferences and needs.
User Authentication through SAML SSO
Notion’s SAML SSO is built upon the SAML 2.0 standard, connecting your Identity Provider (IdP) and workspace(s) for an easier, more secure login experience. Notion supports official configurations for SAML SSO with: Azure, Google, Gusto, Okta, OneLogin, and Rippling.
To get started using SAML SSO with Notion, you will need to complete the following steps:
Verify domain(s) — to use advanced security features, you must verify ownership of your email domain. This is an automated process that involves adding a TXT record onto your domain’s DNS to verify your ownership of it.
Enable SAML SSO — this will toggle the feature on and complete the configuration. For more information on completing the SAML SSO configuration, please refer to our IDP-specific guides.
Change default login method — once SAML SSO is enabled for the first time, the default login method will be set to
Any method, meaning that users have the option of logging in via SAML or their normal login method. By setting this to
Only SAML SSO, this enforces SAML as the login method for your workspace.
Link additional workspaces (optional) — if you have more than one workspace you’d like to configure with SSO, you can do so by reaching out to firstname.lastname@example.org.
Once properly configured, any members signing into your workspace(s) will need to use the verified domain and will need to be authenticated through your identity provider. Enterprise workspace owners are able to bypass by using an alternative login method in case there’s an IdP/SAML SSO failure.
Guests are not supported through SAML SSO or SCIM.
While most of our Enterprise customers leverage an Identity Provider (IdP) to provision new users, there are many ways to add a new user account to your workspace:
Manually by Email
Workspace owners and Membership admins can add a new member to the workspace by email under Settings & members > Members.
Allowed Email Domains
Any users that login to Notion with your domain(s) listed in the Allowed Email Domains setting will be able to join the workspace as a member, and the additional cost will be added to your Enterprise License.
Allowed Email Domains and IdP
If you’re planning to manage the members that get added to your workspace strictly via your IdP, we recommend removing any domains listed in the Allowed Email Domains setting in Settings & members > Settings.
Just-in-time (JIT) Provisioning
Notion supports Just-in-Time provisioning when using SAML SSO. When Automatic account creation is enabled in Settings & members > Identity & provisioning, any user who logs into Notion for the first time via your SAML SSO connection will have a new member account generated using the name and e-mail on the SAML response.
Using JIT and SCIM
We don't recommend enabling Just-in-Time provisioning if you are using SCIM, as there could be a mismatch between membership in your IDP and in Notion.
Under Settings & members > Members, you’ll find an option to enable an invite link. Once enabled, you may share this link and anyone that visits it will be able to join your workspace automatically without the need for you to enter their email manually.
Notion has a SCIM API which can be used to provision, manage, and de-provision members and groups. Workspace owners can find the required API key by going to Settings & members > Security & identity > SCIMConfiguration and clicking to view the token.
Please see our SCIM documentation for the latest information on how you can interact with Notion’s SCIM API. Notion supports official SCIM applications with Azure, Google, Gusto, Okta, OneLogin, and Rippling.
Getting started with SCIM
Configure and enable SCIM provisioning prior to assigning members to the application to ensure provisioned user identifiers are captured correctly.
Details about SCIM applications
The Google SCIM application does not support Group provisioning and de-provisioning. For other IdPs without an official application, you can reference our SCIM API documentation to set up a custom SCIM integration.
When setting up SCIM for multiple workspaces, while you can have one IdP tenant for SSO setup, you will need a separate application for each workspace as the API keys for SCIM operate only at the workspace level.
When it’s necessary to de-provision a member, it’s important to remove them from a workspace and transfer their content to an existing member.
Manually in Members tab
Workspace owners and Membership admins can remove a user from the workspace under Settings & members > Members. Sessions for these users are immediately terminated and they can’t rejoin a workspace themselves and must be added back manually or via SCIM.
Automatically via SCIM
SAML SSO doesn’t include automatic de-provisioning of users by itself. For this use case, you must be using our SCIM API with your Identity Provider to send requests for de-provisioning.
Please see our SCIM documentation for the latest information on how you can interact with Notion’s SCIM API.
Transferring user content
When a member leaves a workspace, they will appear under Settings & members > Members in the Recently Left tab. From here, you can transfer their private pages to another user.
These pages will be packaged under one document now located under the newly selected member’s Private section in the left sidebar.
Managing your domain in Notion
In addition to being a prerequisite to configure SAML SSO on Notion, once you’ve verified a domain, you can regulate and manage workspaces that belong to your verified domain(s). To do so, click
Browse workspaces under Settings & members > Identity & provisioning > Domain Management.
To help mitigate concerns and confusion for future users, after a domain is verified, every time a new workspace is created using the verified domain, an email notification will be sent to the respective workspace owner alerting them that their workspace is eligible for domain management.
Initially verifying your domain
When you first verify a domain, there’s a 14-day notification period to inform all users that belong to that domain that their workspace(s) are eligible for domain management actions by their Enterprise workspace owners. During this period, you will not be able to act on any of the workspaces in the domain management view.
Customize workspace creation permissions
To help regulate the workspaces created using your verified domain, you can customize the permissions for who can create workspaces under Identity & provisioning > Domain management > Workspace creation and select Only workspace owners.
This setting only applies to workspace owners from the primary domain-verified workspace.
View unmanaged workspaces
Browse workspaces button to view all of the Notion workspaces that belong to your verified domain. There will be a tab for single member and multi-member workspaces. The following information will be provided in the view for each workspace:
Number of members
The actions available will show on the far right side.
Single member workspace actions
In the single member tab in the workspace view, you will see all the personal workspaces that have been created using your verified domain.
Require account ownership change
For some customers to meet compliance requirements, they don’t want any work projects being stored in single member (personal) workspaces. In the workspace view, you will see the option to
Require account change next to each single member workspace. This will require that the owner of the single member workspace provide a non-corporate email address for the user account before they can access the workspace again. This is a great option for employees that may have created a single member workspace with their company email, but mostly have non-work projects they’d like to keep for personal use . As a best practice, we recommend working with the respective workspace owners and to move any work related pages to a sanctioned Enterprise workspace prior to requiring the account owner change.
To help clean up stale single member workspaces that were owned by a former employee, you can delete the workspace from the workspace view under Domain Management.
When you delete a workspace, an email notification will be sent to the respective workspace owner informing them of this and providing your email address as the contact for any questions. Users will have the option for a one-time-only extension on the deletion period for an additional 30 days.
Domain management support
Notion’s support team cannot override any domain management actions by Enterprise workspace owners. If a user reaches out to Notion with questions, we will provide the email of the Enterprise workspace owner so the user can reach out directly.
Restore deleted workspaces
If needed, the workspace can be restored by the Enterprise workspace owner in the domain management view within 30 days.
The following content can not be recovered:
Configured integrations (Bots)
Domains (custom Notion domains)
If the single member workspace is associated with a current employee, we advise caution before deleting the workspace in case it would be better to
Require account change to a non-corporate email address and preserve the workspace settings.
Multi-member workspace action
In the multi-member tab in the workspace view, you will see all the Plus and Business plan workspaces that are eligible to claim:
Workspace was created using your verified domain
Has at least one workspace owner (could be the creator or another workspace owner) still in the workspace that belongs to your verified domain
Not on the Enterprise plan
To help establish governance over authorized workspaces, you can claim ownership of eligible workspaces and upgrade them to the Enterprise plan. When the claim has been successfully processed:
Invoice will be sent to the billing contact provided for the Enterprise upgrade
Workspace owner that claimed the workspace will become the only workspace owner
Previous workspace owners are downgraded to members (workspace owners can re-assign roles and permissions as necessary)
Other than the new primary workspace owner, there will be no noticeable difference for the workspace members.
Reminder to assign Membership Admins on claimed workspaces as needed to manage members and groups.
Data, Reporting, & Auditing
Enterprise workspace owners have access to additional data and reporting for greater insights into content and overall workspace usage. Whether you’re looking to export information, track and audit events, or search existing content, there are options available to help you do so.
Below are the most commonly used data and reporting features currently in Notion:
Member List Export
Enterprise workspace owners can export a list of all members under Settings & members > Settings > Export Members as CSV. This CSV export will contain a list of all members in the workspace, including their name, email address, role, what groups they belong to, and their unique Notion user ID.
To help with legal and compliance backups, Enterprise workspace owners can export the workspace in multiple file formats, including CSV, Markdown & PDF. Go to Setting & members > Settings > Export all workspace content. An email from Notion will be sent with a link to download the file(s). The link will expire after 7 days.
Enterprise workspace owners have access to an Audit Log (under Settings & members) which gives an overview of a large range of events that have occurred in the workspace. This can be especially helpful for identifying potential security issues, investigating suspicious behavior, and troubleshooting access.
You can drill down using the filter options and export all Audit Log events as a CSV file for a given date range for additional analyses.
Content search provides Enterprise workspace owners with visibility into workspace content to improve governance of the workspace and resolve page access issues:
View who has access to a page
Modify the permissions of a page
Discover and re-assign abandoned pages from former employees (including private pages)
Details of the audit log
All actions taken in the Content Search are recorded in the Audit Log.
Within Content Search, you can search for a page by its
ID. Alternatively, if you don’t know a page’s title or ID, you can use the built-in filters to narrow your results. In addition to the sharing settings (Private, Shared Internally, Shared Externally, Shared to the Web), you can also see:
Page creator and creation date
Last edited by and edited date
With whom the page was shared
Page location (i.e., teamspace)
For our customers with stricter regulations around content shared externally, you can filter to see all pages shared externally (with guest access) and pages shared to the web. This provides a comprehensive birds-eye-view of all pages so workspace owners can govern their workspaces more effectively.
Limiting content search permissions
Make sure only the necessary people are assigned as workspace owners, since they have these elevated permissions and visibility into the workspace content.
As a workspace owner, there may be some cases where help is needed with page permissions on a restricted page or a page that’s been shared inappropriately. For these cases, in the page view under Content Search, you will see the option to Change permissions in the ... menu to the right of each page.
All content on a Notion Enterprise workspace is owned by your company. You can share this article with your employees if they have questions about what data is accessible to Enterprise workspace owners when using a verified domain on Notion.
Something we didn't cover?