Overview
Access controls decide who can read, edit or change permissions to each file and folder in your context repository. They apply to two kinds of principals:- Users: workspace members
- API keys: how clients and agents that connect to your context repository
Access levels
Every grant is one of four levels.| Level | What it allows |
|---|---|
| No access | Cannot see or retrieve the file or folder |
| Can read | Read and retrieve content only |
| Can edit | Read and change content |
| Full access | Read, edit, and manage access (grant or revoke access for others) |
How access is inherited
Access is evaluated as a chain, from the top of the repository down to the file or folder you are looking at:- The workspace baseline set by each member’s role
- The access set on each parent folder, from the outermost folder inward
- The access set on the file or folder itself
Access can be widened deeper in the tree, not narrowed.A file or folder can grant more access than it inherits, but it cannot take away access that was granted higher up. To restrict a branch, set the narrower access on the parent folder.
Access controls for users
Every member gets a default level of access across the whole repository. You can then customize access for individual files and folders on top of that default.Default access
The access that applies across the repository by default is managed in your context repository settings. Set it once here, and every file and folder inherits it unless a more specific grant overrides it.Customize access for a file or folder
Grant individual members access to a specific file or folder. This is how you give a group Can edit on its own area of the repository while keeping everyone else at Can read, or hide a sensitive folder from everyone except its owners. Access for a file or folder is managed in the Access management section of its settings.Roles still apply.Access controls build on top of workspace roles. A member’s role sets their baseline across the workspace; default, folder, and file access refine it. See Member settings.
Access controls for API keys
An API key’s access decides what the clients and agents using it can retrieve and change. When you create a key, you choose how it gets that access:- Inherit permissions: the key mirrors the read and edit access of the user who owns it, and stays in sync as that access changes. It never gains Full access, even where the user has it.
- Manually manage: set the key’s access yourself, so it is independent of any user. A manually managed key can hold different levels on different files and folders, letting you scope each client to exactly the context it needs.
In API key settings
Use this when you are working from a key and want to decide which parts of the repository it can reach. This is the per-key view of everything you would otherwise set file by file.In file / folder settings
Use this when you are working from a file or folder and want to decide which keys can reach it. API keys appear in the same Access management section as users.
Use this when you are working from a key and want to decide which parts of the repository it can reach. This is the per-key view of everything you would otherwise set file by file.
An API key can hold different levels on different files and folders, so you can scope each client to exactly the context it needs.
API keys cannot be granted Full access.An API key can be granted Can read or Can edit, but never Full access. Managing access stays with users.
