Previous
NotificationsNext
OverviewRoles, Permissions & Sharing
Control who can access and modify resources in your workspace with a powerful two-tier authorization system.
Collab.space uses a combination of role-based access control (RBAC) for workspace-wide permissions and Zanzibar-style record access rules for fine-grained resource sharing. This gives you complete control over who can do what in your workspace.
How Authorization Works
When a user tries to perform an action on a resource, the system checks two things:
- Record Access - Does the user have access to this specific resource? (via ownership or sharing)
- Role Permission - Does the user's role allow them to perform this action?
Both conditions must be met for the action to be allowed.
Workspace Roles
Every member of a workspace is assigned a role that determines their baseline permissions across all resources.
Default Roles
| Role | Description | Key Capabilities |
|---|---|---|
| Space Owner | Full ownership of the workspace | All actions including archive/delete workspace |
| Administrator | Full feature access with management capabilities | All resource actions, invite/remove members, manage teams |
| Contributor | Can create and edit items | Create, read, update resources; manage teams |
| Approver | Review and approval only | Read resources, publish documents |
| View Only | Read-only access | View all resources, no editing |
| Disabled | No access | Cannot access workspace |
Role Permissions by Resource
Each role has specific permissions for different resource types:
| Role | Documents | Files | Issues | Meetings | Milestones |
|---|---|---|---|---|---|
| Space Owner | Full | Full | Full | Full | Full |
| Administrator | Full | Full | Full | Full | Full |
| Contributor | Create, Edit, Comment | Create, Edit, Comment | Create, Edit, Assign | Create, Edit | Create, Edit |
| Approver | Read, Publish | Read | Read | Read | Read |
| View Only | Read | Read | Read | Read | Read |
Resource Sharing (Zanzibar-style Permissions)
Beyond roles, you can share individual resources with specific members, teams, or organizations.
Access Levels
When sharing a resource, you assign an access level that determines what the recipient can do:
| Level | Capabilities |
|---|---|
| Owner | Full control - edit, delete, share, manage permissions |
| Editor | Can modify the resource and add comments |
| Viewer | Read-only access to the resource |
Who Can Be Granted Access
You can share resources with:
- Individual Members - Grant access to specific people in your workspace
- Teams - All members of a team automatically get access
- Organizations - All members of an organization automatically get access
Sharing a Resource
- Open the resource (document, file, issue, or meeting)
- Click the Share button or access control icon
- Search for and select members, teams, or organizations
- Choose their access level (Owner, Editor, or Viewer)
- Click Save to apply changes
Visibility Modes
Resources have three visibility modes that control their default access:
Private
Only the owner can access the resource by default.
- Best for: Drafts, sensitive information, personal notes
- Sharing: Can still be shared explicitly with specific people
- Default for: Newly created resources
Custom
Access is controlled entirely by the explicit share list.
- Best for: Collaborative work with specific team members
- Sharing: Only people in the share list can access
- Automatically applied: When you share a private resource
Inherit
The resource inherits access permissions from its parent.
- Best for: Documents in folders, sub-issues
- Sharing: Follows parent's permissions automatically
- Useful for: Maintaining consistent access within hierarchies
Common Use Cases
Team-Only Access
Share a resource with an entire team so all team members can collaborate:
- Open the resource and click Share
- Select the team from the dropdown
- Set access level to Editor for collaboration
- Save changes
All current and future team members will have access.
Organization-Wide Viewing
Allow everyone in an organization to view a resource while limiting edits:
- Open the resource and click Share
- Select the organization
- Set access level to Viewer
- Optionally add specific editors individually
- Save changes
Mixed Access Levels
Grant different access levels to different groups:
Resource: Q4 Planning Document
- Marketing Team: Editor (can make changes)
- Engineering Org: Viewer (can read only)
- Sarah Johnson: Owner (full control)
This is achieved by adding multiple share entries with different access levels.
Permission Inheritance
When resources have parent-child relationships (like documents in folders or sub-issues), you can use inheritance to simplify permission management.
How Inheritance Works
- Set the child resource's visibility to Inherit
- The child automatically uses the parent's access permissions
- Changes to the parent's permissions flow down to children
- Maximum inheritance depth: 10 levels
When to Use Inheritance
- Documents in folders - Keep folder structure consistent
- Sub-issues - Match parent issue permissions
- Related records - Maintain access consistency
Best Practices
Start Private, Share as Needed
New resources default to private. Share them only with people who need access rather than making everything visible.
Use Teams for Group Access
Instead of sharing with many individuals, create a team and share with the team. This makes access management easier when people join or leave.
Leverage Roles for Baseline Access
Set appropriate roles for workspace members so they have reasonable default access. Use sharing for exceptions.
Review Permissions Regularly
Periodically check who has access to sensitive resources and remove access for people who no longer need it.
Space Management Permissions
Some actions apply to the workspace itself rather than individual resources:
| Action | Space Owner | Administrator | Contributor | Approver | View Only |
|---|---|---|---|---|---|
| Update Settings | Yes | Yes | No | No | No |
| Invite Members | Yes | Yes | No | No | No |
| Remove Members | Yes | Yes | No | No | No |
| Manage Teams | Yes | Yes | Yes | No | No |
| Manage Organizations | Yes | Yes | No | No | No |
| Archive Workspace | Yes | No | No | No | No |
| Delete Workspace | Yes | No | No | No | No |
Related Documentation
- Documents Access Control - Document-specific permissions
- Meetings Access Control - Meeting-specific permissions
- Issues Overview - Issue access control
- Files Overview - File sharing and permissions