# Sharing workspace access
{% hint style="info" %}
**Required license:** Professional or Enterprise
**Required permission**
* **Global permission:** View organization users. This permission is only required for the Tonic Structural application. It is not needed when you use the Structural API.
* **Either:**
* **Workspace permission:** Share workspace access
* **Global permission:** Manage user access to Tonic and to any workspace
{% endhint %}
## About workspace access
Tonic Structural uses workspace permission sets for role-based access (RBAC) of each workspace.
A workspace permission set is a set of [workspace permissions](https://docs.tonic.ai/app/admin/tonic-user-access/permissions/available-permissions#available-workspace-permissions). Each permission provides access to a specific workspace feature or function.
Structural provides [built-in workspace permission sets](https://docs.tonic.ai/app/admin/tonic-user-access/permissions/permission-sets-builtin#permission-sets-builtin-workspace). Enterprise instances can also [configure custom permission sets](https://docs.tonic.ai/app/admin/tonic-user-access/permissions/custom-permission-sets-configuration).
To share workspace access, you assign workspace permission sets to users and, if you use SSO to manage Structural users, to SSO groups.
Before you assign a workspace permission set to an SSO group, make sure that you are aware of who is in the group. The permissions that are granted to an SSO group automatically are granted to all of the users in the group. For information on how to configure Structural to filter the allowed SSO groups, go to [sso-limit-groups](https://docs.tonic.ai/app/admin/tonic-user-access/single-sign-on/sso-limit-groups "mention").
## Limitations on workspace sharing
### Cannot remove the owner permission set from the owner
You cannot remove the owner workspace permission set from the workspace owner. By default, the owner permission set is the built-in Manager permission set.
### Cannot grant or remove a permission you do not have
Within a workspace, the **Share workspace access** permission grants you the ability to share access to the workspace.
However, you cannot either grant or revoke access to a workspace permission that you do not have.
For example, for a given workspace, the workspace permission set that is assigned to you includes **Share workspace access**, but does not include **Run data generation**. Because of this, when you share workspace access:
* You cannot grant access to a workspace permission set that includes **Run data generation**.
* You cannot remove access to a workspace permission set that includes **Run data generation**.
Note that this requirement does not apply to users who have the global permission **Manage user access to Tonic and to any workspace**, which is by default granted to **Admin** users. Those users can grant or revoke any workspace permission set.
## Changing the workspace access
To change the current access to the workspace:
Workspace access panel
1. To manage access to a single workspace, either:
* On the workspace management view, in the heading, click the share icon.
* On **Workspaces** view, click the actions menu for the workspace, then select **Share**.
2. To manage access for multiple workspaces:
1. Check the checkbox for each workspace to grant access to.
2. From the **Actions** menu, select **Share Workspaces**.
3. The workspace access panel contains the current list of users and groups that have access to the workspace.\
\
To add a user or group to the list of users and groups, begin to type the user email address or group name. From the list of matching users or groups, select the user or group to add.\
\
Free trial users can invite other users to start their own free trial. Provide the email addresses of the users to invite. The email addresses must have the same corporate email domain as your email address. When the invited users sign up for the free trial, they are added to the Structural organization for the free trial user that invited them and have access to the workspace.
4. For a user or group, to change the assigned workspace permission sets:
1. Click **Access**.\
\
The dropdown list is populated with the list of custom and built-in workspace permission sets.\
\
If you selected multiple workspaces, then on the initial display of the workspace sharing panel, for each permission set that a user or group currently has access to, the list shows the number of workspaces for which the user or group has that permission set.\
\
For example, you select three workspaces. A user currently has Editor access for one workspace and Viewer access for the other two. The Editor permission set has 1 next to it, and the Viewer permission set has 2 next to it.
2. Under **Custom Permission Sets**, check the checkbox next to each workspace permission set to assign to the user or group.\
\
Uncheck the checkbox next to each workspace permission set to remove from the user or group.
3. Under **Built-In Permission Sets**, check the workspace permission set to assign to the user or group. You can only assign one built-in permission set.\
\
By default, for an added user or group, the Editor permission set is selected.\
\
To select a built-in workspace permission set that is lower in access than the currently selected permission set, you must first uncheck the selected permission set.\
\
For example, if Editor is currently checked, then to change the selection to Viewer, you must first uncheck Editor.
5. To remove all access for a user or group, and remove the user or group from the list, click **Access**, then click **Revoke**.
6. To save the new access, click **Save**.
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://docs.tonic.ai/app/workspace/workspace-access-management/workspace-sharing.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
