Workspace Membership
Concepts
Account Membership is a Prerequisite
A user must be an account member before they can be added to any workspace within that account. Workspace membership is a narrower layer of access on top of account membership — it controls what a user can do inside a specific workspace.
Removing someone from a workspace does not remove them from the account.
Workspace Roles
Workspace roles determine what a user can access within the workspace's applications. A member can hold multiple workspace roles at once:
Workspace roles are the intended end state, but currently these roles are enforced at the account level — meaning they apply uniformly across all workspaces a user can access. Per-workspace role scoping is planned. See Account Membership for the current behaviour.
| Role | Description |
|---|---|
| Platform Admin | Full administrative access to all workspace applications |
| Data Engineer | Access to data pipeline and engineering tools |
| ML Engineer | Access to machine learning features and model management |
| Data Analyst | Access to SQL, dashboards, and analytics tools |
| Business User | Read-only access to reports and dashboards |
| Data Steward | Access to data catalog and governance features |
Workspace roles are mirrored into Apache Ranger by the Keycloak → Ranger role sync. A user assigned data_analyst will be added to the kc_realm_data_analyst Ranger role and inherit any data access policies granted to that role. The sync interval defaults to every 15 minutes and is configurable per workspace via the Ranger bundle input ranger_role_sync_cron_schedule.
See Keycloak → Ranger Role Sync for details.
Assigning vs. Inviting
Workspace membership works differently from account membership:
- Account membership — done via an email invitation to someone outside the platform
- Workspace membership — done by selecting from existing account members; no new invitation is sent
If a person does not yet have an account, they must be invited to the account first, before they can be added to any workspace.
Current UI — Managing Workspace Members
This section describes the current interface. It will be updated when the new Oqullus UI launches.
Assigning a Member to a Workspace
Requires: Account Owner or Admin role
- Open the workspace from My Workspaces in the sidebar.
- Click the Members tab.
- Click Assign Member.
- Search for the account member by email and select them.
- Check one or more Workspace Roles.
- Click Assign.
Updating a Workspace Member's Roles
Requires: Account Owner or Admin role
- Go to the workspace → Members tab.
- Click the pencil icon on the member's row.
- Check or uncheck roles as needed. At least one role must remain selected.
- Click Save.
Removing a Member from a Workspace
Requires: Account Owner or Admin role
- Go to the workspace → Members tab.
- Click the trash icon on the member's row.
- Confirm by clicking Remove.
The member loses workspace access immediately.