Domain Restrictions

Restrict team invitations to specific email domains — prevent accidental external access and enforce corporate email policies.

Domain restrictions let team owners control which email addresses can be invited to their workspace. When configured, only users with email addresses matching your allowed domains can receive invitations.

[Figure: Domain restriction flow showing validation, approval, and blocking]

Why Use Domain Restrictions?

  • Prevent accidental access — Block invitations to personal email addresses (gmail.com, yahoo.com, etc.)
  • Enforce corporate policies — Ensure only employees with your company email can join
  • Multi-domain support — Allow multiple corporate domains (e.g., acme.com and acme-corp.com)
  • Subsidiary management — Include domains for partner companies or subsidiaries that need access

How It Works

When domain restrictions are configured, every team invitation is validated before it's sent:

  1. The invitee's email domain is extracted (e.g., "acme.com" from "alice@acme.com")
  2. The domain is checked against your allowed domains list
  3. If the domain matches, the invitation proceeds normally
  4. If the domain doesn't match, the invitation is blocked with an error message

No restrictions configured? All email domains are allowed by default. Domain restrictions are opt-in.

Setting Up Domain Restrictions

  1. Navigate to your workspace Settings page
  2. Find the Allowed Email Domains section
  3. Enter each allowed domain (e.g., "acme.com") and press Enter to add it
  4. Click Save to apply

Domain Format

  • Enter just the domain, not the full email address: acme.com (not @acme.com)
  • Domains are case-insensitive: Acme.com and acme.com are treated the same
  • You can add as many domains as needed

Two Layers of Protection

Domain restrictions operate at two levels:

Layer              | Configured By           | Purpose
Organization level | Team owners             | Self-service domain management for your workspace
Platform level     | Platform administrators | Global domain policies enforced across specific organizations

When both layers are configured, the most restrictive combination applies. A domain must be allowed by both layers for an invitation to succeed.

Example

If your organization allows acme.com and partner.com, but the platform admin only allows acme.com:

  • alice@acme.com — Allowed (in both lists)
  • bob@partner.com — Blocked (not in platform admin list)
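
The validation steps from How It Works combined with the two-layer rule, as an added sketch (not the product's own code). The function names are hypothetical, and two behaviors are assumptions this page does not state: domains are matched exactly (subdomains are not implied), and malformed addresses are blocked.

```python
# Added illustration; function names are hypothetical, not the product's API.

def normalize_domain(value: str) -> str:
    """Trim and lower-case a domain; tolerate a pasted leading '@'."""
    return value.strip().lower().lstrip("@").rstrip(".")


def email_domain(email: str) -> str:
    """Return the domain after the last '@', or raise ValueError."""
    local, sep, domain = email.strip().rpartition("@")
    domain = normalize_domain(domain)
    if not sep or not local or not domain:
        raise ValueError("not a valid email address")
    return domain


def layer_allows(domain: str, allowed: list[str]) -> bool:
    """An empty list means the layer is not configured, so it allows all."""
    if not allowed:
        return True
    # Exact match only (assumption): 'mail.acme.com' does not match 'acme.com'.
    return domain in {normalize_domain(d) for d in allowed}


def check_invitation(email, org_allowed, platform_allowed):
    """Return (allowed, reason); both layers must allow the domain."""
    try:
        domain = email_domain(email)
    except ValueError as exc:
        return False, str(exc)  # assumption: malformed addresses are blocked
    if not layer_allows(domain, org_allowed):
        return False, f"{domain} is not allowed by the organization list"
    if not layer_allows(domain, platform_allowed):
        return False, f"{domain} is not allowed by the platform admin list"
    return True, "allowed"


if __name__ == "__main__":
    org = ["acme.com", "partner.com"]   # constructed sample lists taken from
    platform = ["acme.com"]             # the example above
    for addr in ("alice@acme.com", "bob@partner.com", "Carol@ACME.com",
                 "dave@mail.acme.com", "eve@acme.com.example.net"):
        print(addr, check_invitation(addr, org, platform))
```

Comparing the whole normalized domain against a set, rather than using a substring or suffix test, is what keeps look-alike domains such as acme.com.example.net out.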

Common Configurations

Single Corporate Domain

Allow only your primary company domain:

  • acme.com

Multiple Office Domains

Allow your main domain plus regional offices:

  • acme.com
  • acme.co.uk
  • acme.in

Including Consultants

Allow your domain plus a trusted consulting partner:

  • acme.com
  • trusted-consultants.com

Removing Restrictions

To go back to allowing all email domains:

  1. Navigate to workspace Settings
  2. Remove all domains from the Allowed Email Domains list
  3. Click Save

When the list is empty, all email domains are permitted again.

Frequently Asked Questions

Does this affect existing team members?
No. Domain restrictions only apply to new invitations. Existing members are not affected even if their domain is later removed from the allowed list.

What happens to pending invitations?
Pending invitations that were sent before restrictions were configured will still be valid. New restrictions only apply to invitations sent after the change.

Can I restrict to a single email address?
Domain restrictions work at the domain level, not individual email addresses. For single-user access control, manage invitations directly through the team members page.