Controlling access to data and tools (workspace permissions)

Anton Kovalsky
  • Updated

Learn how to control who can access tools, data, and results and incur costs in your workspace. Terra workspaces have three access levels: READERWRITER, and OWNER. Each access level represents an expanded set of permissions. Note: if you're already familiar with how this works for Terra-on-Google, the only difference is Azure does not support the can-compute and can-share roles.

Before sharing with someone who doesn't have access to the workflowsUsers with access to a workspace get access to job history and the workflow - even if the workflow isn't public or shared. Best practice: If you don’t want someone to see your work, don’t share your workspace with them.

Workspace roles and what they allow collaborators to do





Associated Azure cloud costs Storage, compute, query

Storage, compute, query

Add data to workspace storage

Run workflows, JupyterLab



Role description Add/remove users, lock workspace, etc Write to/add tables, add data to workspace or Jupyter VM storage, run workflows or JupyterLab Read tables, workflow configs and submission history, etc.

Workspace permissions determine who can charge to your Billing project! A collaborator does not have to be a billing project user to incur costs. Writers and Owners can incur cloud storage and compute costs. The Terra Billing project associated with the workspace pays all cloud costs for actions done in a workspace, no matter who incurs the cost. You control who can charge costs to the Billing project by assigning roles in a shared workspace.

READER access details


  • Enter the workspace and view its contents
  • Clone the workspace
  • Copy data and tools (workflows and/or notebooks) from that workspace to one where they have WRITER or OWNER access. Note that this can incur Azure Cloud bandwidth charges (see Azure Cloud bandwidth pricing). 

A READER cannot

  • Make changes to data tables (add/delete entities, edit metadata)
  • Add/delete workflows or workflow configurations
  • Edit workflows or workflow configurations
  • Launch a workflow or interactive analysis app (i.e., spin up a Cloud Environment) 
  • Abort workflow submissions

WRITER access details

A WRITER has all the permissions of a READER, and can also

  • Make changes to data tables (add/delete entities, edit metadata)
  • Upload data tables and their data files directly to the workspace
  • Add data to workspace cloud storage
  • Copy entities from a data table in another workspace, provided they have at least READER access to the source workspace
  • Add/modify/delete workflows or workflow configurations
  • Run workflows
  • Add/modify/delete Jupyter Notebooks from the workspace
  • Run JupyterLab
  • Add data to Jupyter Cloud Environment Persistent Disk Storage 

OWNER access details

An OWNER access has all the permissions of a WRITER and, in addition, can

  • Edit the workspace Access Control Levels (i.e., add and change collaborator roles)
  • Delete a workspace

When you create or clone a workspace, you are the OWNER.

Was this article helpful?

0 out of 0 found this helpful



Please sign in to leave a comment.