Roles and access
Understand how workspace membership, project membership, and tenant boundaries affect what users can see.
EpistaBase authorization starts with the tenant/workspace boundary and then applies workspace and project membership.
Practical model
| Layer | What it controls |
|---|---|
| Tenant | Organization boundary. Cross-tenant data is not visible. |
| Workspace | Active lab/program context and workspace-level access. |
| Project | Specific project membership and editing rights. |
| Asset grants | Direct access to governed catalog assets where applicable. |
Project roles
Project roles typically include owner, editor, commenter, and viewer. Owners can administer project membership. Editors can work on project content. Commenters and viewers have narrower access.
Workspace roles
Workspace roles are broader. The exact names exposed in the product may vary by deployment, but the important distinction is whether a user can administer the workspace, create/edit scientific records, or only read.
Access symptoms
| Symptom | Likely cause |
|---|---|
| You can sign in but see no project | Workspace or project membership is missing. |
| A search result is absent | Search respects access boundaries. |
| File opens fail | Catalog grant, project membership, or workspace policy may block the read. |
| Provenance is hidden | Feature is disabled for the workspace or unavailable to the user. |
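The layered model and the symptom table above can be read as one deny-by-default check that reports which layer blocked a request. The sketch below is an added illustration, not EpistaBase code: the class names, action names, role ordering, and the rule that every layer must pass are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Project roles named on the page; narrowest-to-broadest order is an assumption.
PROJECT_ROLES = ["viewer", "commenter", "editor", "owner"]
# Hypothetical action names and the minimum role each needs (assumption).
REQUIRED_ROLE = {"read": "viewer", "comment": "commenter",
                 "edit": "editor", "manage_members": "owner"}

@dataclass
class User:
    tenant: str
    workspaces: set = field(default_factory=set)
    project_roles: dict = field(default_factory=dict)  # project id -> role
    asset_grants: set = field(default_factory=set)     # governed asset ids

@dataclass
class Resource:
    tenant: str
    workspace: str
    project: str
    governed_asset: Optional[str] = None  # set only for governed catalog assets

def check_access(user, res, action):
    """Return (allowed, blocking_layer), checking the outermost layer first."""
    if action not in REQUIRED_ROLE:
        return False, "unknown action"       # deny by default
    if user.tenant != res.tenant:
        return False, "tenant"
    if res.workspace not in user.workspaces:
        return False, "workspace"
    role = user.project_roles.get(res.project)
    if role not in PROJECT_ROLES:
        return False, "project"              # no membership in this project
    if PROJECT_ROLES.index(role) < PROJECT_ROLES.index(REQUIRED_ROLE[action]):
        return False, "project"              # member, but role is too narrow
    if res.governed_asset and res.governed_asset not in user.asset_grants:
        return False, "asset grant"
    return True, None

# Constructed sample data.
alice = User("acme", {"lab-a"}, {"p1": "commenter"}, {"asset-7"})
doc = Resource("acme", "lab-a", "p1")
governed = Resource("acme", "lab-a", "p1", governed_asset="asset-9")

if __name__ == "__main__":
    for res, action in [(doc, "read"), (doc, "edit"), (governed, "read"),
                        (Resource("other", "lab-a", "p1"), "read")]:
        print(action, check_access(alice, res, action))
```

Returning the blocking layer alongside the decision is what lets an administrator map a symptom such as a failed file open back to a missing grant or membership.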