Client & party access control
Athenty exposes your work to external people through a small, deliberate set of rails. This page is the single reference for who can access what, the three controls that grant and revoke that access, and — most importantly — exactly what is torn down when you disable a party or close a matter.
Overview
Section titled “Overview”There are two external-access rails:
- Client portal — a client contact signs in by email one-time-password (OTP) and sees only the matters they are explicitly granted. Access is scoped per-matter, not per-organization.
- Participant / KYC portal — the lightweight rail an external party uses to complete identity verification (IDV) and KYC for a matter.
External parties also receive two kinds of one-off links that do not require a portal login:
- Document share links — a link to a single document.
- E-signature signing links — a link for a named signer to sign one envelope.
Everything below describes how those four surfaces are scoped, how long they last, and how they are revoked.
Access matrix
Section titled “Access matrix”| Surface | Who gets it | Scope | Default expiry | How it’s revoked | Cascades from |
|---|---|---|---|---|---|
| Client portal session | A client contact on a matter | Matter-scoped | 24h session TTL | Global disable, per-matter access off, or matter close | Global disable + per-matter toggle + matter close |
| Document share link | Any recipient | A single document | 7 days (hard cap 60) | Revoked individually, or by cascade | Global disable + per-matter access off + matter close |
| E-signature signing link | A named signer | One envelope | 30 days (hard cap 60) | Revoked per-signer, by whole-envelope cancel, or matter close | Global disable + per-matter access off + matter close |
The three controls
Section titled “The three controls”There are exactly three places to grant or revoke external access. Higher controls cascade down to lower ones.
1. Global disable (org-wide kill-switch)
Section titled “1. Global disable (org-wide kill-switch)”Settings ▸ Client Portal Users. Toggling a party off here turns them off org-wide — across every matter and both rails at once. This is the break-glass control for “this person should no longer be able to reach anything we hold.”
2. Per-matter access toggle
Section titled “2. Per-matter access toggle”Matter ▸ Participants tab. Grant or revoke a single client on a single matter. This is the everyday control: it does not touch the party’s access on any other matter.
3. Matter close
Section titled “3. Matter close”Closing a matter tears down all portal access for that matter. Closing can be hard (immediate teardown) or grace (teardown after a grace window, with an emailed removal date so the party knows when access ends).
Revocation cascade — “if I disable X, what dies”
Section titled “Revocation cascade — “if I disable X, what dies””This is the table to read before disabling anyone. Each control revokes a different blast radius.
| Control | Portal sessions | Document share links | E-sign signing links | Signed documents |
|---|---|---|---|---|
| Global disable | ALL the party’s sessions, both rails | ALL their share links, org-wide | ALL their unsigned signing links, org-wide | Untouched — signed PDFs are historical and are not deleted |
| Per-matter access OFF | That party’s sessions on that matter | That matter’s share links for that recipient | That party’s unsigned signing links on that matter only (other signers unaffected) | Untouched |
| Matter close | Portal access removed (hard = immediate, grace = after the window) | All the matter’s share links revoked | All the matter’s pending envelopes expired | Untouched |
How the cascade shows up in the controls
Section titled “How the cascade shows up in the controls”When a higher control revokes a share or signing link, the individual control reflects it. In Matter ▸ Drive ▸ Sharing the affected share shows a Revoked badge and its action becomes a greyed, locked button — you cannot turn it back on while the parent restriction holds. Hover the lock to see why it was revoked (for example, “Revoked — participant disabled for this matter”). The same applies to a signer’s signing-access control on the envelope detail page.
Lifting the parent restriction un-greys the control back to its prior state — it does not silently re-grant access. After you re-enable a party (per-matter or org-wide), you still re-share the document or re-add the signer explicitly. This keeps re-granting a deliberate act, never an accident of toggling a parent setting off and on.
Live backstop
Section titled “Live backstop”Revocation does not rely on catching every active session. Every validated request re-checks the party’s disabled / removed state live. If a session was somehow missed at revocation time, the party is denied on their very next request — there is no window where a stale token keeps working after the underlying access has been pulled.
Timeout settings & where to find them
Section titled “Timeout settings & where to find them”Expiry windows live in two places, by surface. Document share links are configured under Settings ▸ Matters ▸ Document Sharing; e-signature envelopes under Settings ▸ Envelopes ▸ Envelope Settings. Each setting has a sensible default and a hard ceiling that cannot be exceeded.
| Setting | Where | Default | Hard cap | Notes |
|---|---|---|---|---|
| Document share default expiry | Matters ▸ Document Sharing | 7 days | 60 days | Applied to new share links |
| E-signature default signing-link expiry | Envelopes ▸ Envelope Settings | 30 days | 60 days | Applied to new envelopes |
| Signed-document re-download window | Envelopes ▸ Envelope Settings | 7 days | — | After this window, re-download requires a staff re-share |
| Portal session TTL | — | 24h | — | Fixed — not configurable |
Per-signer envelope revocation
Section titled “Per-signer envelope revocation”Staff can revoke a single signer’s signing link without canceling the whole envelope. This is the right tool when one party on a multi-signer envelope is disabled or removed but the remaining signers should keep going — their links stay valid and the envelope continues collecting signatures.
Canceling the whole envelope (the bulk Cancel action on the Envelopes list) revokes access for every recipient at once.
Audit actions
Section titled “Audit actions”Every access change emits a named audit action so the full revocation history is reconstructable. The actions you will see:
| Action | Emitted when |
|---|---|
CLIENT_PORTAL_USER_DISABLED | A party is turned off org-wide (global disable) |
CLIENT_PORTAL_USER_ENABLED | A party is re-enabled org-wide |
CLIENT_PORTAL_ACCESS_REVOKED | Per-matter access is turned off for a party |
CLIENT_PORTAL_ACCESS_GRANTED | Per-matter access is turned on for a party |
envelope.signer_revoked | A single signer’s signing link is revoked |
envelope.expired | An envelope passes its expiry window (incl. matter-close expiry) |
document share revoked disclosure events | A document share link is revoked, individually or by cascade |
matter.portal_access.closed | Matter close tears down portal access for the matter |
Related pages
Section titled “Related pages”- Participants — the cross-matter directory of every external party
- Envelopes — e-signature envelope list, with per-signer and whole-envelope cancel
- Settings ▸ Client Portal Users — the global enable/disable kill-switch
- Matters — the per-matter Participants tab is where per-matter access is toggled