Managing Access

Add users to workspaces, assign roles, and control who can access your resources. For background on the authorization model, refer to Authorization Concepts. For what each role can do, refer to Roles & Permissions.

Creating Workspaces

Workspaces are the primary authorization boundary — all resources belong to a workspace, and access is controlled at the workspace level. When you create a workspace, you automatically become its Admin.

Create separate workspaces to isolate teams (ml-research, nlp-team), environments (dev, staging, prod), or projects. For detailed workspace management, refer to Workspaces.

$
nemo workspaces create ml-team
$
$
# Set the workspace as your default for subsequent commands
$
nemo config set --workspace ml-team

Managing Workspace Members

Members are users who have been granted access to a workspace. Each member has one of three roles:

• Viewer — Read-only access to all resources
• Editor — Can create, modify, and delete resources
• Admin — Full control, including managing members

Add a Member

Grant someone access to a workspace by adding them as a member with a specific role. The principal is typically an email address that identifies the user in your identity provider.

$
nemo workspaces members create --principal alice@example.com --roles Editor --workspace ml-team

1
{
2
  "principal": "alice@example.com",
3
  "roles": [
4
    "Editor"
5
  ],
6
  "granted_at": "2026-01-20T10:00:00Z",
7
  "granted_by": "admin@example.com"
8
}

List Members

View all members of a workspace to audit access or verify permissions. The response includes each member’s principal, roles, and when access was granted.

$
nemo workspaces members list --workspace ml-team

1
[
2
  {
3
    "principal": "alice@example.com",
4
    "roles": [
5
      "Editor"
6
    ],
7
    "granted_at": "2026-01-20T10:00:00Z",
8
    "granted_by": "admin@example.com"
9
  },
10
  {
11
    "principal": "bob@example.com",
12
    "roles": [
13
      "Viewer"
14
    ],
15
    "granted_at": "2026-01-20T10:01:00Z",
16
    "granted_by": "admin@example.com"
17
  },
18
  {
19
    "principal": "charlie@example.com",
20
    "roles": [
21
      "Admin"
22
    ],
23
    "granted_at": "2026-01-20T10:02:00Z",
24
    "granted_by": "admin@example.com"
25
  }
26
]

Update Member Roles

Change a member role to adjust their permissions, for example, promoting a Viewer to Editor when they need to create resources.

$
nemo workspaces members update bob@example.com --roles Editor --workspace ml-team

Remove a Member

Revoke a member’s access by removing them from the workspace. This removes all their role bindings in the workspace — they will no longer be able to access any resources unless re-added.

$
nemo workspaces members delete alice@example.com --workspace ml-team

Granting Access to All Users

Use the wildcard principal * to grant a role to all authenticated users. This is useful for shared workspaces where you want broad access without adding each user individually.

Common use cases:

• Shared datasets — Grant Viewer to * so everyone can use common training data
• Team shared space — Grant Editor to * for a workspace where anyone can experiment
• Published models — Grant Viewer to * for production models that everyone should access

Make a Workspace Readable by Everyone

Grant the Viewer role to * so all authenticated users can view resources.

$
nemo workspaces members create --principal "*" --roles Viewer --workspace shared-models

1
{
2
  "principal": "*",
3
  "roles": [
4
    "Viewer"
5
  ],
6
  "granted_at": "2026-01-20T10:05:00Z",
7
  "granted_by": "admin@example.com"
8
}

Make a Workspace Editable by Everyone

Grant the Editor role to * so all authenticated users can create and modify resources.

$
nemo workspaces members create --principal "*" --roles Editor --workspace shared-datasets

Remove Public Access

Remove the wildcard binding to restrict the workspace to explicit members only.

$
nemo workspaces members delete "*" --workspace ml-team

Admin Protection

Every workspace must have at least one Admin to prevent orphaned workspaces. The platform enforces this rule:

• You cannot remove the last Admin from a workspace
• You cannot change the last Admin’s role to Viewer or Editor

If you need to leave a workspace where you are the only Admin, add another Admin first:

$
# Add another admin first
$
nemo workspaces members create --principal charlie@example.com --roles Admin --workspace ml-team
$
$
# Now you can remove yourself
$
nemo workspaces members delete alice@example.com --workspace ml-team

Platform Admin Access

The PlatformAdmin role (set using admin_email in config) has full access to all workspaces and bypasses authorization checks. PlatformAdmin is typically used for initial platform setup, creating the first workspaces and granting Admin roles to team leads. After bootstrap, day-to-day access management should use workspace-level members (above).

For details on configuring the platform admin, refer to Auth Configuration. For the full security implications, refer to Security Model.

Deleting Workspaces

Admins can delete workspaces they manage. However, a workspace cannot be deleted if it contains resources (projects, datasets, models, and so on). The API returns a 409 Conflict error listing which entity types exist:

1
{
2
  "detail": "Cannot delete workspace 'ml-team': workspace contains entities that must be deleted first: project (3), dataset (5)"
3
}

Delete all resources in the workspace before deleting the workspace itself:

$
# List and delete projects first
$
nemo projects list --workspace ml-team
$
nemo projects delete my-project --workspace ml-team
$
$
# Then delete the workspace
$
nemo workspaces delete ml-team