How to limit a user's access to a single workspace
Last updated
Was this helpful?
Last updated
Was this helpful?
If your organization has multiple , you may want to limit a user's access to a specific workspace that's relevant to their role, while preventing them from accessing the other workspaces in your .
For example, let's say that you have separate workspaces set up for 'Sales', 'Marketing', and 'Support'. A new marketer joins your company, and you want to give them access to the 'Marketing' workspace so that they can set up and send marketing campaigns, but prevent them from reading customer's messages in the 'Support' workspace.
In this situation, you can set up and assign custom access permissions that allow them to access and edit a single workspace by following the steps outlined in this guide.
Your
The you want to limit a user's access to
In the top left-hand corner, click your organization's logo, then click Organization settings.
Click Access Policies.
Click Create custom policy.
In the 'Policy name' and 'Policy description' fields, enter a name and description for this policy.
Now, let's set up the first policy definition. For this definition, you'll need to have your workspace ID on hand.
In the 'Definition' section, set the 'Effect' to 'Allow'.
Set the 'Action' to 'Any'.
Click Add resource.
Now, let's add a second policy definition. Click Add definition.
In the 'Definition' section, set the 'Effect' to 'Allow'.
Set the 'Action' to 'View'.
Now, let's set up the second policy definition. For this definition, you'll need to have your Organization ID on hand. This time, we'll be adding six resources.
In the 'Resource' field, enter the following text: /organizations/{orgId}. Remember to replace {orgId} with your organization ID.
Click Add resource and repeat the process, adding the following text to each new 'Resource' field. Always remember to replace {orgId} with your organization ID, and {worksapceId} with your workspace ID as required.
/organizations/{orgId}/workspaces
/organizations/{orgId}/workspaces/*
/organizations/{orgId}/workspaces/{worksapceId}
/organizations/{orgId}/configurations/groups/*/keys/*
/organizations/{orgId}/iam-roles
Once you've added the six resources, click Create policy.
Now that you've set up your custom policy, it's time to assign it to a custom role.
In the top left-hand corner, click your organization's logo, then click Organization settings.
Click Access Roles.
Click Create new role.
In the 'Role name' and 'Role description' fields, enter a name and description for this policy.
Now, let's attach the custom policy that you created in step one.
In the 'Policy' section, set the 'Type' to 'Organization'.
Click Create new role.
Your custom role is now ready to be assigned to a user.
In the top left-hand corner, click your organization's logo, then click Organization settings.
Click Users.
Find the user that you want to assign the custom role to.
Click the three dots on the right-hand side, then click Edit user.
Click Update roles.
You've successfully limited a user's access to a single workspace!
If you want to grant a user view-only to additional workspaces, but prevent them from being able to edit or perform tasks in those workspaces, follow the steps outlined in this guide.
In the top left-hand corner, click your organization's logo, then click Organization settings.
Click Access Policies.
Select the custom access policy that you want to add workspace view-only permissions to.
Now, let's set up the first policy definition. You'll need to have your workspace ID on hand.
Click Add definition.
Set the 'Effect' to 'Allow'.
Set the 'Action' to 'View'.
In the 'Resource' field, enter the following text: /workspaces/{workspaceID}. Remember to replace {workspaceID} with the ID of the workspace you are granting view-only access to.
Click Add resource, and repeat the process, adding the following text to each new 'Resource' field, and always remembering to replace {workspaceID} with your organization ID:
/workspaces/{workspaceID}/**
/workspaces/{workspaceID}/insights
/workspaces/{workspaceID}/insights/*
Now, let's set up the second policy definition. You'll need to have your workspace ID on hand.
Click Add definition.
Set the 'Effect' to 'Allow'.
Set the 'Action' to 'Create'.
In the 'Resource' field, enter the following text: /workspaces/{workspaceID}/insights. Remember to replace {workspaceID} with the ID of the workspace you are granting view-only access to.
Click Add resource, and repeat the process, adding the following text to each new 'Resource' field, and always remembering to replace {workspaceID} with your organization ID:
/workspaces/{workspaceID}/insights/*
/workspaces/{workspaceID}/insights/reporting/insights-ql
When you're done, click Create policy.
You've just added view-only workspace access to your custom access policy. Any custom access roles that contain this policy will be updated automatically. Any users who are assigned that custom policy will now be able to view additional workspaces.
In the 'Resource' field, enter the following text: /workspaces/{workspaceID}/**. Remember to replace {workspaceID} with you are limiting the user's access to.
In the new 'Resource' field, enter the following text: /workspaces/{workspaceID}. Remember to replace {workspaceID} with you are limiting the user's access to.
Set the 'Policy' to the policy you created in .
In the 'Roles' section, select the custom role you created in .
Make sure you've followed all of the steps to before you start.
An existing
The you want to grant view access to
To allow view-only access to more workspaces, continue to add policy definitions to this custom access policy. Remember to add both the and the for each workspace.