Workspace roles and permissions
Bergur DavidsenUpdated 2026-07-14
Workspace roles answer a practical question: what may this person do in this workspace? Assign the least-privileged role that supports the person's responsibilities, then review it when those responsibilities change.
Roles are evaluated per workspace. A person's organization role, account-level status, or role in another workspace does not replace the current workspace's access checks.
Role overview
Owner
An Owner has full workspace control. Owners can manage content, settings, fragment types, members, invitations, integrations, and workspace lifecycle actions such as deletion where available.
Keep the number of Owners small. Use this role for people responsible for the workspace boundary and continuity, not merely frequent authors.
Collaborator
A Collaborator can create and maintain workspace content. Released permission checks also allow Collaborators to invite new members.
A Collaborator does not have the Owner's full authority to manage existing members, delete the workspace, or perform ownership-sensitive administration. This makes Collaborator the normal role for trusted maintainers.
Contributor
Contributor is an authoring role with less management authority than Collaborator. It is available as an invitation role where configured, but not every workspace screen or workflow exposes it.
When Contributor appears, use it for people who should add or improve content without managing workspace access. Check the controls shown by the current workspace rather than assuming Contributor includes invitation or settings permissions.
Viewer
A Viewer can read content in a workspace but should not expect to create, edit, delete, or administer it. Use Viewer when a private workspace must be available to a known person without granting authoring rights.
Subscriber
A Subscriber has read-style access obtained by subscribing to a public workspace. Subscription is not membership and does not grant content creation, file upload, settings, invitation, or auto-link management rights.
Subscribers can unsubscribe from the workspace detail page. Learn more in Public workspace subscriptions.
Capability guide
The released model can be summarized as follows:
- Manage content: Owners and Collaborators; Contributors only within the contribution capabilities exposed to them.
- Invite new workspace members: Owners and Collaborators.
- Manage existing members and roles: Owners.
- Manage workspace settings and lifecycle: Owners; some non-destructive content-related settings may also be exposed to Collaborators.
- Read private workspace content: Owners, Collaborators, Contributors, and Viewers according to their membership.
- Read a subscribed public workspace: Subscribers.
Specific actions can add narrower permission checks. For example, an integration token must carry the required token permission even when its creator has a sufficiently strong workspace role.
Roles do not override workspace boundaries
Access to one workspace does not imply access to another. Search, files, collections, fragments, and integrations remain scoped to the workspaces the caller can access.
Public visibility also does not turn every action into a public action. It enables discovery and subscription; authoring and administration still require membership with a suitable role.
Organization ownership does not eliminate workspace roles. An organization can own or place a workspace, while content operations continue to respect the workspace's access model.
Roles and personal access tokens
A personal access token cannot legitimately elevate its creator beyond their role. Token creation and editing cap selectable permissions to the maximum allowed by the creator's effective workspace role.
This creates two checks:
- the person must have sufficient access to the workspace;
- the token must include the permission required by the operation.
A broad role with a read-only token remains read-only through that token. A Viewer or Subscriber cannot create a write-capable token to bypass their role.
Choose a role
Ask what the person needs to do:
- Only read a public workspace: Subscriber.
- Read a private workspace: Viewer.
- Make limited contributions where supported: Contributor.
- Maintain content and invite contributors: Collaborator.
- Govern access, settings, and lifecycle: Owner.
Do not grant a stronger role in anticipation of work that may never happen. Increase access when a concrete responsibility requires it.
Review access regularly
- Remove people who no longer need the workspace.
- Reduce elevated roles after a project or handoff.
- Keep at least one active, accountable Owner.
- Review pending invitations as well as accepted members.
- Audit personal access tokens and application credentials separately.
- Verify public visibility before relying on Subscriber access.
Troubleshooting
A control is missing
The UI hides or disables actions that the effective role cannot perform. Confirm the role shown for the workspace and compare it with the required capability.
An API or MCP operation returns 403
Authentication succeeded, but either the workspace role or credential scope does not authorize the action. Check both layers. A 401 instead indicates missing or invalid authentication.
A public workspace is readable but not editable
That is expected for a Subscriber. Ask an Owner for a workspace membership only if authoring is appropriate.