Workspaces
Multi-environment isolation per team or lifecycle stage within a tenant.
Overview
Workspaces let a tenant separate policies, AI assets, and observability data per environment or per team, while still sharing tenant-level resources such as AI Providers, the audit chain, and compliance subscriptions. The pattern follows enterprise SaaS practice: one organisation (tenant) containing several workspaces (sub-isolation).
Common use cases:
- Environment separation — production, staging, and development as separate workspaces, each with their own policy and asset registry.
- Team isolation — separation by functional team with distinct policies and model allowlists.
- Compliance scope — a workspace for sensitive data with stricter policies and longer audit retention.
- Pilot vs production — an isolated workspace for internal experiments before rolling out to production.
Audience for this page: tenant administrators structuring workspaces, and workspace_admin users managing members.
Concepts
| Term | Definition |
|---|---|
| Workspace | A sub-isolation inside a tenant. Policies, assets, and request logs are scoped per workspace ID. |
| Default workspace | The workspace automatically selected at user login. Exactly one per tenant. |
| workspace_admin | A workspace-level role. Manages workspace members and metadata. |
| workspace_member | Day-to-day operational access to the workspace's policies and assets. |
| workspace_viewer | Read-only — suitable for auditors or external observers. |
| Tenant-level resources | Resources shared across every workspace in the tenant. |
| Workspace-level resources | Resources scoped per workspace. |
Tenant vs workspace scope
| Resource | Scope |
|---|---|
| Users | Tenant — members assigned to workspaces through membership |
| AI Providers (BYOK) | Tenant — one provider credential serves every workspace |
| API Keys | Tenant — optional workspace binding is being evaluated on the roadmap |
| Audit chain | Tenant — entries chained together for integrity |
| Compliance subscriptions | Tenant — framework subscription at the tenant level |
| Policies | Workspace — tuning and priority per workspace |
| Asset registry | Workspace — multi-environment isolation |
| Observability filters | Workspace — dashboard scope per workspace |
Setup
Prerequisites
- The admin role in the tenant to create or archive workspaces.
- The workspace_admin or tenant admin role to manage members.
- A clear picture of the team or environment structure to isolate.
Create a new workspace
Open Workspaces
Select Workspaces from the sidebar.
Create workspace
Click Create workspace in the top-right.
Fill the form
- Name: display name (e.g. "Production", "Treasury Team").
- Slug: derived automatically from the name and editable manually. The slug format uses lowercase letters and digits with hyphens as separators; no spaces or other punctuation.
- Description (optional).
Submit
Click Create workspace.
A new workspace is active with one member — the creating administrator is automatically assigned as workspace_admin.
Set the default workspace
The default workspace is the workspace auto-selected at user login. Exactly one per tenant. To change the default:
Open the row action
Pick the target workspace on the list page.
Set as default
The previous workspace releases the default flag; the new workspace receives it.
Manage members
A tenant administrator or workspace_admin can add or remove members.
Open the workspace detail
Navigate to /workspaces/{id}.
Add a member
Workspace members section → Add member.
Pick the user
Search by name or email; the list contains active users who are not yet members.
Pick a role
workspace_admin, workspace_member, or workspace_viewer.
Submit
Click Add member.
Update a member's role
Role selection is available inline in the Role column of the members table. A tenant administrator or workspace_admin can change the role; the update is persisted immediately.
Remove a member
Use the Remove button in the Actions column. Self-removal is prevented by the UI to avoid accidental lock-out.
Usage
Switching the active workspace
Use the workspace switcher dropdown in the sidebar:
Open the switcher
Click the active workspace avatar or name.
Pick the target workspace
The session token is refreshed automatically, so the new workspace scope applies from the next request.
Auto refresh
Dashboard data is refetched with the new workspace scope.
Workspace switching is a server-side, immediate operation — state is derived from the token, not from client storage.
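What "state is derived from the token, not from client storage" implies for a server, as an added sketch that is not the product's own code. The token format (HMAC-signed JSON), the secret, the membership table, and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"  # assumption: key held only by the server

# Constructed membership table: (user, workspace slug) -> role
MEMBERSHIPS = {
    ("ana", "production"): "workspace_admin",
    ("ana", "staging"): "workspace_member",
    ("ben", "staging"): "workspace_viewer",
}

def _sign(body: bytes) -> str:
    return hmac.new(SECRET, body, hashlib.sha256).hexdigest()

def issue_token(user: str, workspace: str) -> str:
    """Mint a session token bound to one workspace; refuse non-members."""
    role = MEMBERSHIPS.get((user, workspace))
    if role is None:
        raise PermissionError(f"{user} holds no membership in {workspace}")
    claims = {"sub": user, "ws": workspace, "role": role}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode())
    return body.decode() + "." + _sign(body)

def verify_token(token: str) -> dict:
    """Return the claims only when the signature matches."""
    body, _, sig = token.partition(".")
    expected = _sign(body.encode())
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        raise PermissionError("bad token signature")
    return json.loads(base64.urlsafe_b64decode(body))

def switch_workspace(token: str, target: str) -> str:
    """Switching re-issues the token, so membership is checked server-side."""
    return issue_token(verify_token(token)["sub"], target)

def request_scope(token: str, client_hint=None) -> str:
    """Workspace scope for a request: always the signed claim.

    client_hint stands for any client-supplied value (header, query
    parameter, browser storage) and is deliberately ignored.
    """
    return verify_token(token)["ws"]
```

Because request_scope never reads the hint, a stale or edited client-side value cannot widen access; only switch_workspace, which checks membership, changes the scope.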
Archive a workspace
A soft archive: the workspace status becomes archived. The audit chain and history are retained.
Enforced constraints:
- The default workspace cannot be archived. Set another workspace as the default first.
- The last active workspace cannot be archived. A tenant must retain at least one active workspace.
Open the row action or the detail page
Pick Archive.
Confirm the name
Type the workspace name exactly to enable the button.
Submit
Click Archive workspace.
After archiving, the workspace is no longer shown in the switcher; the detail page remains accessible via direct URL for the audit trail.
Compliance mapping
Per-clause mapping detail and the evidence package are delivered in a separate procurement document — contact support@monago.io.
Troubleshooting
"100 workspaces limit reached"
The tenant has a default cap. Options:
- Archive workspaces that are no longer in use.
- Contact support to raise the cap at production scale.
"The default workspace cannot be archived"
Set another workspace as the default first, then archive the old workspace.
"At least one active workspace required"
Create a new workspace before archiving the last one.
"User is already a member of this workspace"
Each user has at most one membership per workspace. Update the role through the inline editor on the members table if a different role is needed.
The workspace switcher doesn't update after switching
Refresh the page. If the issue persists, log out and back in to refresh the session token.
FAQ
Are AI Providers (BYOK) shared across workspaces?
Yes. AI Providers is a tenant-level resource. One OpenAI key serves every workspace. Workspace scope is applied through policies (model allowlists) and the asset registry.
Can one user be in multiple workspaces?
Yes. A user can be assigned to multiple workspaces with different roles. The switching endpoint allows changing between workspaces where the user holds membership.
What's the difference between workspace_admin and the tenant administrator?
| Action | Tenant administrator | workspace_admin |
|---|---|---|
| Create workspace | Yes | No |
| Archive workspace | Yes | No |
| Set the default workspace | Yes | No |
| Manage members | Every workspace | Only their workspace |
| Edit workspace metadata | Every workspace | Only their workspace |
| Manage AI Providers | Yes | No (tenant-level) |
| Manage Users (tenant-level) | Yes | No (tenant-level) |
Can I rename a workspace after creation?
Yes — the name is editable. The slug is immutable because it is a reference held by the audit log and URL bookmarks.
What happens if I archive the workspace I'm currently in?
The UI redirects to the list page after a successful archive. The workspace switcher automatically picks the default workspace via a session refresh. No data is lost.
What happens if my tenant is deleted?
Deleting a tenant releases every workspace, membership, policy, and asset associated with it. Confirm with support before performing destructive operations.
Related
- BYOK — AI provider credentials (tenant-level scope).
- Policies — governance DSL per workspace.
- Risk — signal scoring per workspace.
- Compliance — framework readiness aggregate.