Role-based Access Control in Workspaces
About role-based access
Role-based access control is a permission model that manages access to workspace resources through a set of predefined user roles. Assigning a role to a user grants them permissions to use specific features of the workspace and manage files.
Currently, workspaces support the following user roles: Standard User, Workspace Administrator, Manager, Contributor, and Tenant Administrator. Roles are assigned per workspace, so a user can be a Contributor in one workspace and a Workspace Administrator in another.
Newly signed-up users do not have access to any of the workspaces. Workspace Administrators, Managers or Tenant Administrators can invite users to a workspace and assign them a role, thus giving them the permissions to perform certain operations within a workspace. This way administrators can ensure that the principle of least privilege is followed.
Summary of the roles
- Standard Users can use most of the functionality of the workspace but they do not have the permissions to manage workspace access.
- Workspace Administrators have the same privileges as Standard Users and are additionally responsible for workspace user management: they can invite new members to a workspace and assign appropriate user roles.
- Managers have all the same privileges as Workspace Administrators but one: they cannot approve or reject Airlock requests.
- Contributors have no access to the workspace via the UI. Workspace Contributors can only Airlock files to the workspace they are a Contributor of.
- Tenant Administrators are responsible for the creation and deletion of workspaces, as well as inviting members to a workspace, assigning them user roles, and appointing an owner for each workspace.
Further details on each user role can be found below and in the relevant knowledge base articles in this section.
Role-based privileges
Privilege | Workspace Administrator | Manager | Standard User | Contributor | Tenant Administrator |
---|---|---|---|---|---|
Create and delete files | ✅ | ✅ | ✅ | ❌ | ❌ |
Access and edit database tables | ✅ | ✅ | ✅ | ❌ | ❌ |
Workspace-to-workspace Airlock | ✅ | ✅ | ✅ | ✅ | ❌ |
Approve or reject data export requests | ✅ | ❌ | ❌ | ❌ | ❌ |
Use R console | ✅ | ✅ | ✅ | ❌ | ❌ |
Publish, run and delete Shiny-apps | ✅ | ✅ | ✅ | ❌ | ❌ |
Use Virtual Machine | ✅ | ✅ | ✅ | ❌ | ❌ |
Create, edit and delete notes and insights | ✅ | ✅ | ✅ | ❌ | ❌ |
View list of workspaces that they have been granted access to | ✅ | ✅ | ✅ | ❌ | ❌ |
Access workspace audit | ✅ | ✅ | ❌ | ❌ | ❌ |
Manage workspace access | ✅ | ✅ | ❌ | ❌ | ✅ |
Edit workspace description | ✅ | ✅ | ❌ | ❌ | ✅ |
Add or delete workspaces | ❌ | ❌ | ❌ | ❌ | ✅ |
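
An added example (not the product's own code or API): the matrix above transcribed into Python, with a deny-by-default per-workspace check and a least-privilege review that flags assignments where a strictly smaller role would cover the privileges actually used. The privilege keys, user names, workspace ids and usage records are constructed for illustration.

```python
ROLES = ["Workspace Administrator", "Manager", "Standard User",
         "Contributor", "Tenant Administrator"]
MATRIX = {  # privilege key (constructed name) -> Y/N per role, in ROLES order
    "create_delete_files":     "YYYNN",
    "edit_database_tables":    "YYYNN",
    "workspace_airlock":       "YYYYN",
    "approve_export_requests": "YNNNN",
    "use_r_console":           "YYYNN",
    "manage_shiny_apps":       "YYYNN",
    "use_virtual_machine":     "YYYNN",
    "manage_notes_insights":   "YYYNN",
    "view_workspace_list":     "YYYNN",
    "access_audit":            "YYNNN",
    "manage_access":           "YYNNY",
    "edit_description":        "YYNNY",
    "add_delete_workspaces":   "NNNNY",
}

def privileges(role):
    """Set of privilege keys the matrix grants to `role`."""
    col = ROLES.index(role)
    return {p for p, flags in MATRIX.items() if flags[col] == "Y"}

def is_allowed(assignments, user, workspace, privilege):
    """Deny by default: no role in this workspace means no access."""
    role = assignments.get((user, workspace))
    return role is not None and privilege in privileges(role)

def downgrade_for(role, used):
    """Smallest role that covers `used` and grants strictly less than `role`."""
    current = privileges(role)
    fits = [r for r in ROLES if set(used) <= privileges(r) < current]
    return min(fits, key=lambda r: len(privileges(r)), default=None)

def over_privileged(assignments, usage):
    """List (user, workspace, current role, suggested role) findings."""
    findings = []
    for (user, ws), role in assignments.items():
        better = downgrade_for(role, usage.get((user, ws), set()))
        if better:
            findings.append((user, ws, role, better))
    return findings

# Constructed sample data: roles are scoped per (user, workspace).
ASSIGNMENTS = {("alice", "ws-a"): "Workspace Administrator", ("alice", "ws-b"): "Contributor",
               ("bob", "ws-a"): "Manager", ("dave", "ws-a"): "Standard User"}
USAGE = {("alice", "ws-a"): {"approve_export_requests"}, ("alice", "ws-b"): {"workspace_airlock"},
         ("bob", "ws-a"): {"use_r_console", "create_delete_files"}, ("dave", "ws-a"): {"workspace_airlock"}}
```

Candidates are limited to roles whose privilege set is a strict subset of the current one, so Tenant Administrator is never suggested as a "smaller" replacement for a workspace-level role.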