# Configuring access to a workspace

From the **Permissions** section of the [workspace settings page](/fabricate/workspaces/workspaces-manage.md#workspace-settings-display), you manage workspace access to:

* [Account users](/fabricate/fabricate-accounts-and-users/managing-account-users.md)
* [Account groups](/fabricate/fabricate-accounts-and-users/managing-account-groups.md)
* [API keys](/fabricate/fabricate-api/managing-fabricate-api-keys.md)

<figure><img src="/files/MRbKgfzqvBH91oQukUIX" alt=""><figcaption><p>Permissions section of the workspace settings page</p></figcaption></figure>

## About workspace roles

For each user, group, and API key, the assigned role determines the actions that they can perform within the workspace.

The available workspace roles are:

* **Owner -** Every workspace must have at least one owner. The user who creates the workspace is automatically an owner. Other groups, users, and API keys also can be assigned as owners.\
  \
  Owners have full access to the workspace. They can:
  * Create and manage projects.
  * Create and manage databases.
  * Manage workspace access.
* **Editor -** A workspace editor can create and manage projects and databases. They cannot manage access to the workspace.
* **Viewer -** A workspace viewer can view the projects and databases in a workspace and generate data. They cannot change any database configuration.

## About permission hierarchy for groups and users

When you add both users and groups to a workspace, the users always receive the highest permission that was granted to them or to the group that they belong to.

For example, if you add a group as a workspace Viewer, but add a user from that group as an Editor, the user is granted Editor access to the workspace.

On the other hand, if you add a group as a workspace Editor, but add a user from that group as a Viewer, the user is also granted Editor access to the workspace.

## Adding a user to the workspace <a href="#workspace-add-user" id="workspace-add-user"></a>

The user must already be [added to your account](/fabricate/fabricate-accounts-and-users/managing-account-users.md).

To add an account user to the workspace:

1. Click **Add User**.
2. From the dropdown list, select the user to add.
3. By default, the user is granted the Viewer workspace role.\
   \
   To assign a different role, from the **Role** dropdown list, select the role to assign.

## Adding a group to the workspace

The group must already be [added to your account](/fabricate/fabricate-accounts-and-users/managing-account-groups.md).

To add an account group to the workspace:

1. Click **Add Group**.
2. From the dropdown list, select the group to add.
3. By default, the group is granted the Viewer workspace role.\
   \
   To assign a different role, from the **Role** dropdown list, select the role to assign.

## Adding an API key to the workspace <a href="#workspace-add-key" id="workspace-add-key"></a>

The API key must already be [added to your account](/fabricate/fabricate-api/managing-fabricate-api-keys.md).

To add an API key to the workspace:

1. Click **Add API Key**.
2. From the dropdown list, select the API key to add.
3. By default, the API key is granted the Viewer workspace role.\
   \
   To assign a different role, from the **Role** dropdown list, select the new role to assign.

## Changing the role for a user, group, or API key <a href="#workspace-change-role" id="workspace-change-role"></a>

To change an assigned workspace role, from the **Role** dropdown list, select the new role.

Note that each workspace must have at least one workspace owner.

## Removing a user, group, or API key <a href="#workspace-remove-user-key" id="workspace-remove-user-key"></a>

To remove a user, group or API key from the workspace:

1. Click the delete icon for the user or API key.
2. On the confirmation panel, click **Remove \<type>**.

Note that each workspace must have at least one workspace owner.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.tonic.ai/fabricate/workspaces/configuring-access-to-a-workspace.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.