Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

2.4.1. Workspace and Item-Level Access Controls

💡 First Principle: Workspace roles provide coarse-grained access (floor access); item permissions provide fine-grained control (individual room keys). The effective permission is the union of both: a user can hold access to an item without holding any workspace role, and a workspace role reaches items that were never individually shared with that user.

Scenario: A workspace contains sensitive financial reports and general operational dashboards. All team members need the dashboards, but only Finance Managers need the financial reports.

Workspace Roles

| Role | Capabilities |
|---|---|
| Admin | Full control: manage membership (including other Admins), update and delete the workspace |
| Member | Create, edit and delete items; share items and add users with Member or lower roles |
| Contributor | Create, edit and delete items; cannot share items or manage workspace access |
| Viewer | View items only |

Item-Level Permissions

  • Purpose: Grant access to specific items without workspace role
  • Use Case: Sharing a single report with users outside the workspace
  • Implementation: Item → Manage Permissions → Add users/groups

Permission Interaction: Workspace + Item + Data

Understanding how permissions combine is critical for exam scenarios:

| User has... | Can they access the item? | Can they query the data? |
|---|---|---|
| Workspace Viewer only | ✅ View reports | ❌ No direct query |
| Item permission only | ✅ That item only | ❌ No direct query |
| Workspace Member | ✅ All items | ✅ Yes (create/edit) |
| Item permission + SQL permissions | ✅ That item | ✅ Yes (for the objects granted) |
Decision Framework: When to Use What

| Scenario | Use This | Why |
|---|---|---|
| Team needs full collaboration | Workspace Member/Contributor | Simplest for ongoing work |
| External user needs one report | Item permission (Viewer) | No workspace role needed |
| User needs to query lakehouse tables | SQL GRANT + workspace access | Data permissions are separate from item permissions |
| Temporary access for audit | Item permission with expiry | Access is removed automatically |

⚠️ Exam Trap: Workspace Viewer role grants access to VIEW items, not to QUERY underlying data. Viewing a report doesn't grant access to query the lakehouse directly—separate data permissions are required. This distinction frequently appears in exam scenarios.
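The scenario above (everyone needs the dashboards, only Finance Managers need the financial data) is what the separate data-permission layer looks like in practice. The following T-SQL is an added example, not part of the original page or of any Microsoft documentation: it runs against a lakehouse SQL analytics endpoint and grants object-level and column-level access, then audits what was granted. The workspace, table and principal names (dbo.OperationalMetrics, dbo.FinancialReports, alice@contoso.com, bob@contoso.com, FinanceReaders) are hypothetical. It assumes each principal can already reach the endpoint, i.e. already holds a workspace role or an item permission on the lakehouse; the GRANT statements alone do not let anyone connect.

```sql
-- Added example (not from the original page). Hypothetical names throughout.
-- Precondition (outside SQL): alice and bob already hold Workspace Viewer
-- or an item permission on the lakehouse, so they can open a connection.
-- Viewing the report never granted them this; the statements below do.

-- 1. Team-wide read access to the data behind the operational dashboards.
GRANT SELECT ON OBJECT::dbo.OperationalMetrics TO [alice@contoso.com];

-- 2. Finance Managers go through a database role rather than per-user grants,
--    so onboarding and offboarding is a single ALTER ROLE.
CREATE ROLE FinanceReaders;
ALTER ROLE FinanceReaders ADD MEMBER [finance.manager@contoso.com];
GRANT SELECT ON OBJECT::dbo.FinancialReports TO FinanceReaders;

-- 3. Column-level grant: bob may read the non-sensitive columns of the
--    financial table only; any query touching other columns fails.
GRANT SELECT ON dbo.FinancialReports (ReportId, Quarter, Region) TO [bob@contoso.com];

-- 4. Explicit DENY for a principal who must never read financial data,
--    even if a later schema-wide GRANT to a role they belong to would
--    otherwise include the table (DENY takes precedence over GRANT).
DENY SELECT ON OBJECT::dbo.FinancialReports TO [alice@contoso.com];

-- 5. Audit: list every object-level permission and who holds it.
--    Run this before an access review; it shows the data layer, which
--    the workspace membership list does not.
SELECT  pr.name              AS principal_name,
        pr.type_desc         AS principal_type,
        pe.permission_name,
        pe.state_desc,                          -- GRANT or DENY
        OBJECT_SCHEMA_NAME(pe.major_id) + '.' + OBJECT_NAME(pe.major_id) AS object_name,
        COL_NAME(pe.major_id, pe.minor_id)      AS column_name   -- NULL = whole object
FROM    sys.database_permissions  AS pe
JOIN    sys.database_principals   AS pr
        ON pe.grantee_principal_id = pr.principal_id
WHERE   pe.class = 1                            -- OBJECT_OR_COLUMN
ORDER BY pr.name, object_name, column_name;
```

Two points worth checking against the exam trap: removing alice from the workspace removes her ability to connect, but the GRANT rows for her remain in sys.database_permissions until you REVOKE them, so the audit query is the place to catch stale grants; and adding someone as Workspace Member bypasses all of this, because Members read and write every table regardless of SQL grants, which is the least-privilege argument for keeping report consumers at Viewer plus targeted GRANTs.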

⚠️ Common Pitfall: Granting Workspace Admin when Member would suffice. Admins can delete the workspace and manage membership—capabilities most users don't need. Follow least-privilege principles.

Written by Alvin Varughese, Founder • 15 professional certifications