# Configuring access to a workspace

From the **Permissions** section of the workspace settings page, you manage workspace access to [organization users](https://docs.tonic.ai/fabricate/fabricate-accounts-and-users/managing-account-users) and to [API keys](https://docs.tonic.ai/fabricate/fabricate-api-and-cli/managing-fabricate-api-keys).

## About workspace roles

For each user and API key, the assigned role determines the actions that they can perform within the workspace.

The available workspace roles are:

* **Owner -** Every workspace must have at least one owner. The user who creates the workspace is automatically an owner. Other users and API keys also can be assigned as owners.\
  \
  Owners have full access to the workspace. They can:
  * Create and manage databases.
  * Manage workspace access.
* **Editor -** A workspace editor can create and manage databases. They cannot manage access to the workspace.
* **Viewer -** A workspace viewer can view the databases in a workspace and generate data. They cannot change any database configuration.

## Adding a user to the workspace <a href="#workspace-add-user" id="workspace-add-user"></a>

The user must already be [added to your account](https://docs.tonic.ai/fabricate/fabricate-accounts-and-users/managing-account-users).

To add an account user to the workspace:

1. Click **Add User**.
2. From the dropdown list, select the user to add.
3. By default, the user is granted the Viewer workspace role.\
   \
   To assign a different role, from the **Account Role** dropdown list, select the new role to assign.

## Adding an API key to the workspace <a href="#workspace-add-key" id="workspace-add-key"></a>

The API key must already be [added to your account](https://docs.tonic.ai/fabricate/fabricate-api-and-cli/managing-fabricate-api-keys).

To add an API key to the workspace:

1. Click **Add API Key**.
2. From the dropdown list, select the API key to add.
3. By default, the API key is granted the Viewer workspace role.\
   \
   To assign a different role, from the **Account Role** dropdown list, select the new role to assign.

## Changing the role for a user or API key <a href="#workspace-change-role" id="workspace-change-role"></a>

To change an assigned workspace role, from the **Account Role** dropdown list, select the new role.

Note that each workspace must have at least one workspace owner.

## Removing a user or API key <a href="#workspace-remove-user-key" id="workspace-remove-user-key"></a>

To remove a user or API key from the workspace:

1. Click the **Remove** option for the user or API key.
2. On the confirmation panel, click **Remove User** or **Remove API Key**.

Note that each workspace must have at least one workspace owner.