Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.
1.4.1. Workspace and Item-Level Access Controls
💡 First Principle: Workspace roles provide coarse-grained access; item permissions provide fine-grained control. The effective permission is the union of both.
Scenario: A workspace contains sensitive financial reports and general operational dashboards. All team members need the dashboards, but only Finance Managers need the financial reports.
Workspace Roles
| Role | Capabilities |
|---|---|
| Admin | Full control, manage membership, delete workspace |
| Member | Create, edit, delete items; share items |
| Contributor | Create and edit items; no delete or share |
| Viewer | View items only |
Item-Level Permissions
- Purpose: Grant access to specific items without a workspace role
- Use Case: Sharing a single report with users outside the workspace
- Implementation: Item → Manage Permissions → Add users/groups
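The union rule applied to the scenario above, as an added example that is not part of the original material and does not call any Fabric API. Role capabilities come from the table on this page; the user names, item names, capability strings and both workspace layouts are constructed assumptions.

```python
# Added example: simplified model of the union rule, not a Fabric API.
# Capabilities follow the role table on this page; "view" for the higher
# roles and all users, items and grants are constructed assumptions.
ROLE_CAPS = {
    "Admin": {"view", "create", "edit", "delete", "share", "manage_membership"},
    "Member": {"view", "create", "edit", "delete", "share"},
    "Contributor": {"view", "create", "edit"},
    "Viewer": {"view"},
}

USERS = ["ana", "ben", "chloe"]   # constructed team; ana is the Finance Manager
FINANCE_MANAGERS = {"ana"}


def effective_caps(user, item, workspace_roles, item_grants):
    """Union of workspace-role capabilities and item-level grants."""
    from_role = ROLE_CAPS.get(workspace_roles.get(user), set())
    from_item = item_grants.get(item, {}).get(user, set())
    return from_role | from_item


def overexposed(item, intended, workspace_roles, item_grants):
    """Users who can view `item` but are outside its intended audience."""
    return sorted(
        u for u in USERS
        if u not in intended
        and "view" in effective_caps(u, item, workspace_roles, item_grants)
    )


def layout_a():
    # Everyone is a workspace Viewer. A union can only add access, so no
    # item-level setting removes the financial report from ben and chloe.
    roles = {u: "Viewer" for u in USERS}
    return overexposed("financial_report", FINANCE_MANAGERS, roles, {})


def layout_b():
    # Only the Finance Manager holds a workspace role; the dashboard is
    # shared with the rest of the team through item-level permissions.
    roles = {"ana": "Viewer"}
    grants = {"ops_dashboard": {"ben": {"view"}, "chloe": {"view"}}}
    leaks = overexposed("financial_report", FINANCE_MANAGERS, roles, grants)
    dashboards_ok = all(
        "view" in effective_caps(u, "ops_dashboard", roles, grants) for u in USERS
    )
    return leaks, dashboards_ok
```

`layout_a()` reports both non-finance users as able to view the financial report, while `layout_b()` reports no leaks and keeps the dashboard visible to the whole team.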
⚠️ Common Pitfall: Assuming the workspace Viewer role grants read access to the underlying data. Viewing a report doesn't grant access to query the lakehouse directly; separate data permissions are required.