I. Intro

Availability: This feature is in beta.

Who can perform these steps: Primary administrators and administrators with permission auditing permissions.

When a member changes roles or leaves the organization, you may need to look up and change their permissions. You may also need to look up members' permissions due to changes to regulatory requirements or organizational structure.

The permission auditing feature allows you to look up members' Admin Console permissions; look up member's permissions relating to products such as Docs; and view a log of permission and role changes.

II. Steps

Look up administrator permissions

Go to the Feishu Admin Console and click Compliance > Permission Auditing > Real-time permissions.

Select the following conditions:

Business name (required): Choose Feishu Admin Console
Search by (required): Choose Roles
Subject type (required): Choose Members
Subject (optional): Enter a member's name or phone number to select a specific member
Role name (optional): Select a specific administrator role
Permissions (optional): Browse and select one type of permission

Click Search to view the query results. Click Details besides a member's name to view more information about their permissions.

Click Reset to clear the search conditions.

If you want to download search results as an XLSX file, click Export Data, optionally modify the file's name in the window, and click Export.

Search members' Docs and Workspace permissions

If you need to look up members' Docs, Shared folder, Workspace and Workspace page permissions, you can create a permission search task and download the results.

Click Compliance ＞ Permission Auditing ＞ Create Permission Query Task ＞ New Query Task.

Fill in the task's basic info and click Next.

Task name: Name the search task to help you find it later
Search subject type: Select Docs, Shared folder, Workspace, or Workspace page

When searching for shared folder or workspace permissions, click Next then choose either a fuzzy or precise search, and configure the search criteria.
When searching for doc or workspace page permissions, if you choose to search for permissions and collaborators according to each doc/workspace page, click Next, choose either a fuzzy or precise search, and configure the search criteria.
When searching for doc or workspace page permissions, if you choose to search for the permissions of a particular member or department, click Next to specify the member, department, or user group.

Fuzzy query

You can look up 100,000 documents or the information of 500,000 collaborators in a single search. If an organization has a large number of documents, administrators may need to narrow the range of their search or perform multiple searches.

Explanation	Docs	Shared folder	Workspace	Pages in a workspace
Title or keyword	✔	✔	✔	✔
Security level: The docs' secure label	✔	❌	❌	✔
Document type: You can select Docs, Sheets, Base, MindNotes, and Upload.	✔	❌	❌	✔
Document department: The department to which the owner of the document or folder belongs	✔	✔	❌	✔
Shared folder ID: If you want to look up documents in a specific shared folder, enter the folder's ID	✔	❌	❌	❌
Time created (required): The time the objects in the search task were created. Can be set as a range of up to 30 days.	✔	✔	✔	✔
Workspace ID: If you want to look up a specific workspace page, enter the workspace's ID, which can be obtained from the link on its settings page.	❌	❌	❌	✔ Note: If a workspace page has been moved to trash, its ID will change.
Workspace visible scope: Visible only to the workspace members or visible to everyone in the organization	❌	❌	✔	❌
Enable link sharing: Whether or not link sharing has been turned on	✔	✔	❌	✔
External sharing: Whether or not the Docs have been set to "allow content to be shared outside the organization"	✔	✔	✔	✔
Status: Normal, Trash, or Deleted	✔	✔	✔	✔
Permissions: The permissions of the search object	Owner Can manage Can edit Can view	Owner Can manage Can edit Can view	Can manage Can edit Can view	Owner Can manage the current page and its sub-pages Can edit the current page and its sub-pages Can view the current page and its sub-pages Can manage the current page Can edit the current page Can view the current page

Precise search

Enter the ID number of the doc, workspace, shared folder or workspace page. A maximum of 200 lines can be searched at a time.

Search by subject

Input the Subject type, which can be Member, Department or User group. Next, specify the Subject and the date range for the query.

View and export search task results

Recently created query tasks will appear in the task list. Click View details to see more information about the task.

Once the search task is completed, refresh the page. You'll then be able to download an XLSX file that includes the search results and details.

You can search for tasks support by categorizing one or more of the following criteria: task name, task creation time, task status, and type.

Check changes to members' permissions

This is used for looking up changes in organization members' Admin Console permissions.

In the Admin Console, click Compliance > Permission Auditing > Member permissions change log. Enter your selections for the following four conditions:

Service (required): Select Admin Console.
Target member (optional): Enter the name or mobile number of a member whose permissions were changed.
Operator (optional): This is the person who made the permission change. Enter a name or mobile number.
Time (required): Select a time range during which the permission was changed. The default is the past week.

Click Search to see the list of changes. Click Details to see further info.

You can export data about permission events. The exported XLSX file will contain the same info as is given in the details view.

Click Export data and click Download file in the tasks at the top of the page to export the search results as an XLSX file.

View changes to administrator roles

This is a log of changes to administrators' roles: including them being added or removed from a role, as well as changes to a role's permissions.

Click Compliance > Permission Auditing > Permission rules change log. Configure the following conditions:

Service (required): Select Admin Console.
Operator (optional): Who made the change.
Event type (optional): Select Add role, Edit role, or Delete role.
Time (optional): When the change was made. The default is the past week.

Click Export details and click Download file in the tasks at the top of the page to export the search results as an XLSX file so you can see what specific changes were made to the role.

See reminders about members' changing status

When there's a change to the organization's structure or when a member's status changes, a record will be automatically generated. This will show what permissions the member had, so you can quickly adjust your organization's permissions.

Click Compliance > Permission Auditing > Permission reminders for member status change. When a member's status changes, the permission changes for that member will be categorized as Pending, Processed, or Ignored based on whether their permissions need to be changed.

Note: Only members with administrator permissions will appear in this module.

Further filtering is available: enter the member's name or phone number, or select resignation or organizational structure change.

Under Pending and Ignored, click View Details to revoke the member's permissions one at a time or as a batch.

Permissions can be revoked only once, meaning permissions can be processed only once for each member undergoing a status change. Confirm the changes you want to make before taking action.

Note: You can only revoke Admin Console permissions.

Under Processed, click Details to see the permission revocation status for the member undergoing the status change.

III. FAQs

How can I find the IDs of docs and workspaces?

Docs' IDs: A primary administrator or an administrator with docs permissions can go to Docs > Files.

Workspaces' ID: Primary administrators or administrators with wiki permissions can go to Wiki > Workspaces.

How can I get the ID of a shared folder?

Please refer to Get Folder Meta.

How do I process the permissions of a departing member who isn't an administrator?

If the member who is leaving isn't an administrator and doesn't have Admin Console permissions, and the resources and data that need to be transferred are document permissions, event permissions, and so on, see How can administrators delete members or transfer resources for current members?