Sharing data and tools with workspace permissions

Anton Kovalsky
  • Updated

Learn how to control who can access tools, data, and results and incur costs in your workspace. Terra workspaces have three access levels: READERWRITER, and OWNER. Each access level represents an expanded set of permissions. Note: if you're already familiar with how this works for Terra-on-Google, the only difference is Azure does not support the can-compute and can-share roles.

Before sharing with someone who doesn't have access to the workflowsUsers with access to a workspace get access to job history and the workflow - even if the workflow isn't public or shared. Best practice: If you don’t want someone to see your work, don’t share your workspace with them.

Workspace roles and what they allow collaborators to do





Associated Azure cloud costs Storage, compute, query

Store data

Add data to workspace storage



Role description Add/remove users, lock workspace, etc Write to/add tables, workflow configs, etc Read tables, method configs etc

Workspace permissions determine who can charge to your Billing project! A collaborator does not have to be a billing project user to incur costs. Writers and Owners can incur costs. The Terra Billing project associated with the workspace pays all cloud costs for actions done in a workspace, no matter who incurs the cost. You control who can charge costs to the Billing project by assigning roles in a shared workspace.

READER access details


  • Enter the workspace and view its contents
  • Clone the workspace
  • Copy data and tools (workflows and/or notebooks) from that workspace to one where they have WRITER or OWNER access. Note that this can incur Azure Cloud bandwidth charges (see Azure Cloud bandwidth pricing). 

A READER cannot

  • Make changes to data tables (add/delete entities, edit metadata)
  • Add/delete workflows or workflow configurations
  • Edit workflows or workflow configurations
  • Launch a workflow or interactive analysis app (i.e., spin up a Cloud Environment) 
  • Abort workflow submissions

WRITER access details

A WRITER has all the permissions of a READER, and can also

  • Make changes to data tables (add/delete entities, edit metadata)
  • Delete/edit data in tables
  • Add/modify data in tables
  • Copy entities from a data table in another workspace, provided they have at least READER access to the source workspace
  • Upload data tables and their data files directly to workspace
  • Add/modify/delete workflows or workflow configurations
  • Edit workflows and workflow configurations within the workspace

OWNER access details

An OWNER access has all the permissions of a WRITER, and, in addition, can

  • Edit the workspace Access Control Levels (i.e., add and change collaborator roles)
  • Delete a workspace

When you create or clone a workspace, you are the OWNER.

Was this article helpful?



Please sign in to leave a comment.