Role-based Access Control in Workspaces

About role-based access

The role-based access control is a permission model used to manage access to workspace resources based on a number of predefined user roles. Assigning a role to a user grants them permissions to use specific features of the workspace and manage files.

Currently, workspaces support the following user roles: Standard User, Workspace Administrator, Manager, Contributor, and Tenant Administrator. It should be noted that roles are assigned on a workspace basis, meaning a user can have a Contributor role in one workspace and be a Workspace Administrator of the other.

Newly signed-up users do not have access to any of the workspaces. Workspace Administrators, Managers or Tenant Administrators can invite users to a workspace and assign them a role, thus giving them the permissions to perform certain operations within a workspace. This way administrators can ensure that the principle of least privilege is followed.

Summary of the roles

  • Standard Users can use most of the functionality of the workspace but they do not have the permissions to manage workspace access.
  • Workspace Administrators have the same privileges as Standard Users but additionally, they are also responsible for workspace user management. Workspace Administrators can invite new members to a workspace, and assign appropriate user roles.
  • Managers have the all the same privileges as Workspace Administrators but one: they cannot approve or reject Airlock requests.
  • Contributors have no access to the workspace via the UI. Workspace Contributors can only Airlock files to the workspace they are a Contributor of.
  • Tenant Administrators are responsible for the creation and deletion of workspaces, as well as inviting members to a workspace, assigning them user roles, and appointing an owner for each workspace.

Further details on each user role can be found below and in the relevant knowledge base articles in this section.

Role-based privileges

 AdministratorManagerStandard UserContributorTenant Administrator
Create and delete files
Access and edit database tables
Workspace-to-workspace Airlock
Approve or reject data export requests
Use R console
Publish, run and delete Shiny-apps
Use Virtual Machine
Create, edit and delete notes and insights
View list of workspaces that they have been granted access to
Access workspace audit
Manage workspace access
Edit workspace description
Add or delete workspaces
Updated on October 16, 2023

Was this article helpful?