Skip to main content

Overview

Access controls decide who can read, edit or change permissions to each file and folder in your context repository. They apply to two kinds of principals:
  • Users: workspace members
  • API keys: how clients and agents that connect to your context repository
Access controls build on role-based, workspace-wide permissions. Roles (Owner, Admin, Member) set a baseline for the whole workspace; access controls refine that baseline down to individual files and folders. See Member settings for how roles work.

Access levels

Every grant is one of four levels.
LevelWhat it allows
No accessCannot see or retrieve the file or folder
Can readRead and retrieve content only
Can editRead and change content
Full accessRead, edit, and manage access (grant or revoke access for others)

How access is inherited

Access is evaluated as a chain, from the top of the repository down to the file or folder you are looking at:
  1. The workspace baseline set by each member’s role
  2. The access set on each parent folder, from the outermost folder inward
  3. The access set on the file or folder itself
The most specific grant wins. Granting access on a folder applies to everything inside it, so you can manage a whole branch of the repository in one place and refine individual files or subfolders where needed.
Access can be widened deeper in the tree, not narrowed.A file or folder can grant more access than it inherits, but it cannot take away access that was granted higher up. To restrict a branch, set the narrower access on the parent folder.

Access controls for users

Every member gets a default level of access across the whole repository. You can then customize access for individual files and folders on top of that default.

Default access

The access that applies across the repository by default is managed in your context repository settings. Set it once here, and every file and folder inherits it unless a more specific grant overrides it.
1
Open your context repository settings.Context Repository Settings
2
Choose Can read, Can edit, or Full access, or set No access to remove the default grant.

Customize access for a file or folder

Grant individual members access to a specific file or folder. This is how you give a group Can edit on its own area of the repository while keeping everyone else at Can read, or hide a sensitive folder from everyone except its owners. Access for a file or folder is managed in the Access management section of its settings.
1
In Context, open the settings of the file or folder you want to manage.
2
Add a member or change the level of one already listed.
3
Choose Can read, Can edit, or Full access, or set No access to remove the grant.
Roles still apply.Access controls build on top of workspace roles. A member’s role sets their baseline across the workspace; default, folder, and file access refine it. See Member settings.

Access controls for API keys

An API key’s access decides what the clients and agents using it can retrieve and change. When you create a key, you choose how it gets that access:
  • Inherit permissions: the key mirrors the read and edit access of the user who owns it, and stays in sync as that access changes. It never gains Full access, even where the user has it.
  • Manually manage: set the key’s access yourself, so it is independent of any user. A manually managed key can hold different levels on different files and folders, letting you scope each client to exactly the context it needs.

In API key settings

Use this when you are working from a key and want to decide which parts of the repository it can reach. This is the per-key view of everything you would otherwise set file by file.
1
Open Clients and select the API key you want to manage.
2
Go to its Access controls tab to see every file and folder the key can reach.
3
Add a file or folder and choose Can read or Can edit, or change an existing grant.

In file / folder settings

Use this when you are working from a file or folder and want to decide which keys can reach it. API keys appear in the same Access management section as users.
1
In Context, open the settings of the file or folder and go to Access management.
2
Add a key or change the level of one already listed.
3
Choose Can read or Can edit, or set No access to remove the grant.
Use this when you are working from a key and want to decide which parts of the repository it can reach. This is the per-key view of everything you would otherwise set file by file. An API key can hold different levels on different files and folders, so you can scope each client to exactly the context it needs.
API keys cannot be granted Full access.An API key can be granted Can read or Can edit, but never Full access. Managing access stays with users.