How to limit a user's access to a single workspace

If your organization has multiple workspaces, you may want to limit a user's access to a specific workspace that's relevant to their role, while preventing them from accessing the other workspaces in your organization.

Example

For example, let's say that you have separate workspaces set up for 'Sales', 'Marketing', and 'Support'. A new marketer joins your company, and you want to give them access to the 'Marketing' workspace so that they can set up and send marketing campaigns, but prevent them from reading customers' messages in the 'Support' workspace.

In this situation, you can set up and assign custom access permissions that allow them to access and edit a single workspace by following the steps outlined in this guide.

Limit a user's access to a single workspace

What you'll need

Step one: Create a custom policy

  1. In the top left-hand corner, click your organization's logo, then click Organization settings.

  2. Click Access Policies.

  3. Click Create custom policy.

  4. In the 'Policy name' and 'Policy description' fields, enter a name and description for this policy.

Policy naming: When naming your custom policy, we recommend that you add the name of the user and the workspace you are limiting their access to. This will make the policy easier to identify in the future.

Set up the workspace-level policy definition

Now, let's set up the first policy definition. For this definition, you'll need to have your workspace ID on hand.

  1. In the 'Definition' section, set the 'Effect' to 'Allow'.

  2. Set the 'Action' to 'Any'.

  3. In the 'Resource' field, enter the following text: /workspaces/{workspaceID}/**. Remember to replace {workspaceID} with the ID of the workspace you are limiting the user's access to.

  4. Click Add resource.

  5. In the new 'Resource' field, enter the following text: /workspaces/{workspaceID}. Remember to replace {workspaceID} with the ID of the workspace you are limiting the user's access to.

  6. Now, let's add a second policy definition. Click Add definition.

  7. In the 'Definition' section, set the 'Effect' to 'Allow'.

  8. Set the 'Action' to 'View'.

Set up the organization-level policy definition

Now, let's set up the second policy definition. For this definition, you'll need to have your Organization ID on hand. This time, we'll be adding six resources.

  1. In the 'Resource' field, enter the following text: /organizations/{orgId}. Remember to replace {orgId} with your organization ID.

  2. Click Add resource and repeat the process, adding the following text to each new 'Resource' field. Always remember to replace {orgId} with your organization ID, and {workspaceId} with your workspace ID as required.

    1. /organizations/{orgId}/workspaces

    2. /organizations/{orgId}/workspaces/*

    3. /organizations/{orgId}/workspaces/{workspaceId}

    4. /organizations/{orgId}/configurations/groups/*/keys/*

    5. /organizations/{orgId}/iam-roles

  3. Once you've added the six resources, click Create policy.

Step two: Create a custom role

Now that you've set up your custom policy, it's time to assign it to a custom role.

  1. In the top left-hand corner, click your organization's logo, then click Organization settings.

  2. Click Access Roles.

  3. Click Create new role.

  4. In the 'Role name' and 'Role description' fields, enter a name and description for this role.

Role naming: When naming your custom role, we recommend that you add the name of the user and the workspace you are limiting their access to. This will make the role easier to identify in the future.

Attach a policy

Now, let's attach the custom policy that you created in step one.

  1. In the 'Policy' section, set the 'Type' to 'Organization'.

  2. Set the 'Policy' to the policy you created in step one.

  3. Click Create new role.

Step three: Assign the custom role to a user

Your custom role is now ready to be assigned to a user.

  1. In the top left-hand corner, click your organization's logo, then click Organization settings.

  2. Click Users.

  3. Find the user that you want to assign the custom role to.

  4. Click the three dots on the right-hand side, then click Edit user.

  5. In the 'Roles' section, select the custom role you created in step two.

  6. Click Update roles.

You've successfully limited a user's access to a single workspace!

Allow a user view-only access to additional workspaces

If you want to grant a user view-only access to additional workspaces, but prevent them from being able to edit or perform tasks in those workspaces, follow the steps outlined in this guide.

Make sure you've followed all of the steps to limit a user's access to a single workspace before you start.

What you'll need

Step-by-step

  1. In the top left-hand corner, click your organization's logo, then click Organization settings.

  2. Click Access Policies.

  3. Select the custom access policy that you want to add workspace view-only permissions to.

Set up the allow view policy definition

Now, let's set up the first policy definition. You'll need to have your workspace ID on hand.

  1. Click Add definition.

  2. Set the 'Effect' to 'Allow'.

  3. Set the 'Action' to 'View'.

  4. In the 'Resource' field, enter the following text: /workspaces/{workspaceID}. Remember to replace {workspaceID} with the ID of the workspace you are granting view-only access to.

  5. Click Add resource, and repeat the process, adding the following text to each new 'Resource' field, and always remembering to replace {workspaceID} with the ID of the workspace you are granting view-only access to:

    1. /workspaces/{workspaceID}/**

    2. /workspaces/{workspaceID}/insights

    3. /workspaces/{workspaceID}/insights/*

Set up the allow create policy definition

Now, let's set up the second policy definition. You'll need to have your workspace ID on hand.

  1. Click Add definition.

  2. Set the 'Effect' to 'Allow'.

  3. Set the 'Action' to 'Create'.

  4. In the 'Resource' field, enter the following text: /workspaces/{workspaceID}/insights. Remember to replace {workspaceID} with the ID of the workspace you are granting view-only access to.

  5. Click Add resource, and repeat the process, adding the following text to each new 'Resource' field, and always remembering to replace {workspaceID} with the ID of the workspace you are granting view-only access to:

    1. /workspaces/{workspaceID}/insights/*

    2. /workspaces/{workspaceID}/insights/reporting/insights-ql

  6. When you're done, click Create policy.

To allow view-only access to more workspaces, continue to add policy definitions to this custom access policy. Remember to add both the allow view definition and the allow create definition for each workspace.

You've just added view-only workspace access to your custom access policy. Any custom access roles that contain this policy will be updated automatically. Any users who are assigned that custom policy will now be able to view additional workspaces.
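The definitions from both procedures above (single-workspace access and view-only access to an additional workspace), written out as data with a small evaluator and a scope check you can run before entering the resources in the UI. This is an added example, not code from the product or its documentation. It assumes that '*' matches one path segment and '**' one or more, that 'Any' covers every action, and that anything not explicitly allowed is denied.

```python
import re

def single_workspace_policy(org_id, ws_id):
    """The two definitions from step one, with placeholders filled in."""
    org = f"/organizations/{org_id}"
    return [
        ("Allow", "Any", [f"/workspaces/{ws_id}/**", f"/workspaces/{ws_id}"]),
        ("Allow", "View", [org, f"{org}/workspaces", f"{org}/workspaces/*",
                           f"{org}/workspaces/{ws_id}",
                           f"{org}/configurations/groups/*/keys/*",
                           f"{org}/iam-roles"]),
    ]

def view_only_definitions(ws_id):
    """The 'allow view' and 'allow create' definitions for one extra workspace."""
    ws = f"/workspaces/{ws_id}"
    return [
        ("Allow", "View", [ws, f"{ws}/**", f"{ws}/insights", f"{ws}/insights/*"]),
        ("Allow", "Create", [f"{ws}/insights", f"{ws}/insights/*",
                             f"{ws}/insights/reporting/insights-ql"]),
    ]

def _matches(pattern, path):
    # ASSUMPTION: '*' matches one path segment, '**' one or more segments.
    segs = {"*": "[^/]+", "**": ".+"}
    rx = "/".join(segs.get(s, re.escape(s)) for s in pattern.split("/"))
    return re.fullmatch(rx, path) is not None

def is_allowed(policy, action, path):
    """True only if some Allow definition covers the action and the path."""
    # ASSUMPTION: default deny, and the 'Any' action covers every action.
    return any(effect == "Allow" and act in ("Any", action)
               and any(_matches(r, path) for r in resources)
               for effect, act, resources in policy)

def lint(policy, intended_ws_ids):
    """Flag resources that would widen access beyond the intended workspaces."""
    findings = []
    for _effect, _act, resources in policy:
        for r in resources:
            m = re.match(r"/workspaces/([^/]+)", r)
            if "{" in r:
                findings.append((r, "placeholder not replaced"))
            elif m and m.group(1) not in intended_ws_ids:
                findings.append((r, "workspace outside intended scope"))
    return findings
```

Concatenate the two lists to model a policy that carries both sets of definitions, then run lint with the set of workspace IDs the user is meant to reach; an empty result means every /workspaces/ resource is pinned to one of them.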
