Workspace Membership

Concepts

Account Membership is a Prerequisite

A user must be an account member before they can be added to any workspace within that account. Workspace membership is a narrower layer of access on top of account membership — it controls what a user can do inside a specific workspace.

Removing someone from a workspace does not remove them from the account.

Workspace Roles

Workspace roles determine what a user can access within the workspace's applications. A member can hold multiple workspace roles at once:

Current limitation — Roles are account-scoped today

Workspace roles are the intended end state, but currently these roles are enforced at the account level — meaning they apply uniformly across all workspaces a user can access. Per-workspace role scoping is planned. See Account Membership for the current behaviour.

| Role | Description |
|------|-------------|
| Platform Admin | Full administrative access to all workspace applications |
| Data Engineer | Access to data pipeline and engineering tools |
| ML Engineer | Access to machine learning features and model management |
| Data Analyst | Access to SQL, dashboards, and analytics tools |
| Business User | Read-only access to reports and dashboards |
| Data Steward | Access to data catalog and governance features |

Role assignments propagate to Ranger

Workspace roles are mirrored into Apache Ranger by the Keycloak → Ranger role sync. A user assigned data_analyst will be added to the kc_realm_data_analyst Ranger role and inherit any data access policies granted to that role. The sync interval defaults to every 15 minutes and is configurable per workspace via the Ranger bundle input ranger_role_sync_cron_schedule.

See Keycloak → Ranger Role Sync for details.
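
An added example, not part of the platform's own tooling: a drift check that compares Keycloak role assignments with Ranger role membership, using the kc_realm_ prefix described above. Applying that prefix to roles other than data_analyst, the data_engineer identifier, the email-style user keys and the shape of the two input dictionaries are assumptions, and the sample data is constructed.

```python
RANGER_PREFIX = "kc_realm_"  # from the page: data_analyst -> kc_realm_data_analyst


def expected_ranger_roles(kc_assignments):
    """Map {user: [keycloak roles]} to {ranger role: {users}} using the prefix."""
    expected = {}
    for user, roles in kc_assignments.items():
        for role in roles:
            expected.setdefault(RANGER_PREFIX + role, set()).add(user)
    return expected


def audit_role_sync(kc_assignments, ranger_roles):
    """Return (missing, stale) as sorted lists of (ranger_role, user).

    missing: assigned in Keycloak but not yet in the Ranger role (pending sync).
    stale:   still in a kc_realm_* Ranger role with no matching Keycloak
             assignment, so the user keeps that role's data access policies.
    Ranger roles without the prefix are assumed not sync-managed and are skipped.
    """
    expected = expected_ranger_roles(kc_assignments)
    actual = {name: set(users) for name, users in ranger_roles.items()
              if name.startswith(RANGER_PREFIX)}
    missing, stale = [], []
    for role in set(expected) | set(actual):
        want, have = expected.get(role, set()), actual.get(role, set())
        missing += [(role, u) for u in want - have]
        stale += [(role, u) for u in have - want]
    return sorted(missing), sorted(stale)


# Constructed sample data (not taken from a real deployment).
KEYCLOAK = {
    "alice@example.com": ["data_analyst"],
    "bob@example.com": ["data_analyst", "data_engineer"],
}
RANGER = {
    "kc_realm_data_analyst": ["alice@example.com", "carol@example.com"],
    "kc_realm_data_engineer": [],
    "finance_readers": ["dave@example.com"],  # no prefix, ignored by the audit
}

if __name__ == "__main__":
    missing, stale = audit_role_sync(KEYCLOAK, RANGER)
    for role, user in missing:
        print(f"PENDING  {user} not yet in {role}")
    for role, user in stale:
        print(f"STALE    {user} still in {role}")
```

An entry seen between sync runs should clear at the next scheduled run; one that persists past the interval set by ranger_role_sync_cron_schedule is worth investigating.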

Assigning vs. Inviting

Workspace membership works differently from account membership:

  • Account membership — done via an email invitation to someone outside the platform
  • Workspace membership — done by selecting from existing account members; no new invitation is sent

If a person does not yet have an account, they must be invited to the account first, before they can be added to any workspace.


Current UI — Managing Workspace Members

This section describes the current interface. It will be updated when the new Oqullus UI launches.

Assigning a Member to a Workspace

Requires: Account Owner or Admin role

  1. Open the workspace from My Workspaces in the sidebar.
  2. Click the Members tab.
  3. Click Assign Member.
  4. Search for the account member by email and select them.
  5. Check one or more Workspace Roles.
  6. Click Assign.

Updating a Workspace Member's Roles

Requires: Account Owner or Admin role

  1. Go to the workspace → Members tab.
  2. Click the pencil icon on the member's row.
  3. Check or uncheck roles as needed. At least one role must remain selected.
  4. Click Save.

Removing a Member from a Workspace

Requires: Account Owner or Admin role

  1. Go to the workspace → Members tab.
  2. Click the trash icon on the member's row.
  3. Confirm by clicking Remove.

The member loses workspace access immediately.