Advanced access control
At a glance
Beyond roles, advanced access control lets you adjust permissions on a per-member basis and restrict access to specific resources (spaces, data sources, documents, spreadsheets, calendars). Use individual overrides to grant or deny one-off permissions, and per-resource ACLs to protect sensitive data.
Practical example: an editor normally has access to all ontology spaces, but you want to block their access to the "Confidential HR" space. Add a deny override on ontology.view for that specific resource.
Before you begin
- You must have the Owner or Administrator role to manage overrides and ACLs.
- Roles and permissions must be configured.
Key vocabulary
| Term | Meaning | Example |
|---|---|---|
| Override | A permission adjustment specific to a member (grant or deny). | Deny ontology.view for Marie |
| ACL | Access control list on a specific resource. | Space "Finance": read access for Jean |
| Grant | Add a permission that the role does not provide. | Give workflow.execute to a viewer |
| Deny | Remove a permission despite the role. | Block agent.execute for an editor |
| Expiration | Date on which an override automatically ceases. | Temporary access until 03/31/2026 |
Steps
Manage per-member overrides
Overrides let you adjust a member's permissions without changing their role:
- Open Settings > Permissions > Members tab.
- Click on the relevant member.
- Scroll down to the Overrides section.
- For each permission, choose:
| Action | Effect | Use case |
|---|---|---|
| Grant | The member gains this permission in addition to their roles. | Give temporary access to a module. |
| Deny | The member loses this permission even if their roles provide it. | Block access to a sensitive module. |
| Default | The permission depends solely on assigned roles. | Revert to standard behavior. |
A deny always takes priority. If a role grants ontology.edit but an override denies this permission, the member will not be able to edit the ontology.
Configure a temporary override
To grant time-limited access:
- Add a Grant override on the desired permission.
- Enable the Expiration option.
- Select the end date.
- Upon expiration, the override is automatically removed and the member reverts to their role-based permissions.
Example: an external contractor needs to execute workflows for 2 weeks. Grant workflow.execute with an expiration set to the last day of their assignment.
View effective permissions
The Effective permissions section displays the combined result of all roles and overrides for the member:
- Open the member's detail in the Members tab.
- Check the Effective permissions matrix at the bottom of the page.
- Each cell indicates whether the permission is active (coming from a role or an override).
Manage per-resource access (ACL)
ACLs control access to an individual resource, regardless of global permissions:
- Open Settings > Permissions > Data access tab.
- Select the resource type:
| Type | Description | Example |
|---|---|---|
| Spaces | Ontology spaces (canvas). | Space "Logistics" |
| Sources | Live Data data sources. | Source "Supplier API" |
| Documents | Knowledge base documents. | Document "Internal procedures" |
| Spreadsheets | Collaborative spreadsheets. | Spreadsheet "Budget 2026" |
| Calendars | Shared calendars. | Calendar "Team schedule" |
- Enter the resource identifier.
- Click Load to see existing access entries.
Add access to a resource
- In the resource ACL view, click Add access.
- Select the member.
- Choose the access level:
| Level | Description |
|---|---|
| View | Read-only on this resource. |
| Edit | Read and modify. |
| Administer | Read, modify, and manage access. |
- Save. Access is applied immediately.
Remove access
- In the resource's access list, click the delete icon.
- Confirm the removal. The member immediately loses access to this resource.
How permissions are calculated
The priority order is as follows:
- Owner: full access (no restriction possible).
- Deny overrides: always take priority over roles.
- System + custom roles: permissions from all roles are combined.
- Grant overrides: add additional permissions.
- Per-resource ACLs: restrict access to individual resources.
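The priority order above, and the effective-permissions matrix described earlier, can be modeled as a small evaluator. This is an added example, not the product's own code. The class and function names are hypothetical, and it assumes that an expiration date is inclusive and that a resource carrying an ACL admits only the members listed on it.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

LEVELS = {"view": 1, "edit": 2, "administer": 3}  # ACL levels, cumulative


@dataclass
class Override:
    permission: str
    action: str                     # "grant" or "deny"
    expires: Optional[date] = None  # assumption: valid through this day

    def active(self, today: date) -> bool:
        return self.expires is None or today <= self.expires


@dataclass
class Member:
    name: str
    is_owner: bool = False
    roles: list = field(default_factory=list)      # one permission set per role
    overrides: list = field(default_factory=list)


def effective_permissions(m: Member, today: date) -> set:
    live = [o for o in m.overrides if o.active(today)]  # expired ones drop out
    perms = set().union(*m.roles)                        # all roles are combined
    perms |= {o.permission for o in live if o.action == "grant"}
    perms -= {o.permission for o in live if o.action == "deny"}  # deny wins
    return perms


def can_access(m, permission, today, acl=None, level="view") -> bool:
    if m.is_owner:                  # owners cannot be restricted
        return True
    if permission not in effective_permissions(m, today):
        return False
    if acl is None:                 # resource has no ACL: global result stands
        return True
    # Assumption: a resource with an ACL admits only listed members.
    return LEVELS.get(acl.get(m.name), 0) >= LEVELS[level]


# Constructed sample data reusing the names and permissions from this page.
marie = Member("Marie", roles=[{"ontology.view", "ontology.edit"}],
               overrides=[Override("ontology.edit", "deny")])
contractor = Member("Contractor", roles=[{"ontology.view"}],
                    overrides=[Override("workflow.execute", "grant", date(2026, 3, 31))])
finance_acl = {"Jean": "view"}      # Space "Finance": read access for Jean
```

Comparing the output of `effective_permissions` for a member against the matrix in the UI is a quick way to confirm that an expired grant or a forgotten deny explains an unexpected "Access denied".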
Expected result
Your access is controlled at two levels: global permissions (roles + overrides) define what a member can do per module, while per-resource ACLs define which specific data they can act on. Every change is traced in the security logs.
Limitations and common errors
| Situation | Solution |
|---|---|
| A deny does not apply | Check that the member is not an Owner (owners have unrestricted full access). |
| The override has disappeared | It may have had an expiration date. Recreate it if necessary. |
| A member accesses an ACL-protected resource | Verify that the ACL is properly configured on that specific resource. |
| "Access denied" despite an editor role | Check overrides: an individual deny takes priority over role permissions. |
| The ACL does not appear | Verify that the resource exists and that the identifier is correct. |
Switching workspaces
The workspace selector is located in the left sidebar, just below the logo. It lets you switch between your different workspaces in one click.
When you switch workspaces, the page automatically reloads to display the data from the new workspace. Your choice is remembered: on your next login, you will return to the last selected workspace.
| Action | Who can do it? |
|---|---|
| Switch workspace | All members |
| Create a workspace | Owner or Administrator |
| Manage workspaces | Owner or Administrator |
When the sidebar is collapsed, the workspace icon remains visible. Hover over it to see the name of the active workspace.