> For clean Markdown of any page, append .md to the page URL. > For a complete documentation index, see https://docs.nvidia.com/nemo-platform/llms.txt. > For AI client integration (Claude Code, Cursor, etc.), connect to the MCP server at https://docs.nvidia.com/nemo-platform/_mcp/server. # Managing Access Add users to workspaces, assign roles, and control who can access your resources. For background on the authorization model, refer to [Authorization Concepts](/documentation/access-control/concepts). For what each role can do, refer to [Roles & Permissions](/documentation/access-control/authorization/roles-and-permissions). The SDK examples on this page use `NeMoPlatform()` with no arguments so that the client reads your active CLI context (set by `nemo auth login`). That is the right pattern for authorization workflows: you act as your logged-in identity and pass the workspace explicitly in each API call. For the standard local initialization pattern, see [CLI and SDK initialization](/documentation/get-started#setup-init). ## Creating Workspaces Workspaces are the primary authorization boundary — all resources belong to a workspace, and access is controlled at the workspace level. When you create a workspace, you automatically become its Admin. Create separate workspaces to isolate teams (`ml-research`, `nlp-team`), environments (`dev`, `staging`, `prod`), or projects. For detailed workspace management, refer to [Workspaces](/documentation/get-started/core-concepts/workspaces). ```bash nemo workspaces create ml-team # Set the workspace as your default for subsequent commands nemo config set --workspace ml-team ``` ```python from nemo_platform import NeMoPlatform client = NeMoPlatform() workspace = client.workspaces.create( name="ml-team", description="Machine learning team workspace" ) ``` ## Managing Workspace Members Members are users who have been granted access to a workspace. Each member has one of three roles: * **Viewer** — Read-only access to all resources * **Editor** — Can create, modify, and delete resources * **Admin** — Full control, including managing members **Role Propagation** When you add or change a member, the CLI and SDK wait for the change to propagate to the authorization engine before returning (up to 30 seconds). The member can use their new permissions immediately after the command completes. ### Add a Member Grant someone access to a workspace by adding them as a member with a specific role. The principal is typically an email address that identifies the user in your identity provider. ```bash nemo workspaces members create --principal alice@example.com --roles Editor --workspace ml-team ``` ```json { "principal": "alice@example.com", "roles": [ "Editor" ], "granted_at": "2026-01-20T10:00:00Z", "granted_by": "admin@example.com" } ``` ```python from nemo_platform import NeMoPlatform client = NeMoPlatform() # Add a member with Editor role client.workspaces.members.create( workspace="ml-team", principal="alice@example.com", roles=["Editor"] ) # Add a member with Viewer role (read-only) client.workspaces.members.create( workspace="ml-team", principal="bob@example.com", roles=["Viewer"] ) # Add a member with Admin role (full control) client.workspaces.members.create( workspace="ml-team", principal="charlie@example.com", roles=["Admin"] ) ``` ### List Members View all members of a workspace to audit access or verify permissions. The response includes each member's principal, roles, and when access was granted. ```bash nemo workspaces members list --workspace ml-team ``` ```json [ { "principal": "alice@example.com", "roles": [ "Editor" ], "granted_at": "2026-01-20T10:00:00Z", "granted_by": "admin@example.com" }, { "principal": "bob@example.com", "roles": [ "Viewer" ], "granted_at": "2026-01-20T10:01:00Z", "granted_by": "admin@example.com" }, { "principal": "charlie@example.com", "roles": [ "Admin" ], "granted_at": "2026-01-20T10:02:00Z", "granted_by": "admin@example.com" } ] ``` ```python from nemo_platform import NeMoPlatform client = NeMoPlatform() members = client.workspaces.members.list(workspace="ml-team") for member in members.data: print(f"{member.principal}: {member.roles}") ``` ### Update Member Roles Change a member role to adjust their permissions, for example, promoting a Viewer to Editor when they need to create resources. ```bash nemo workspaces members update bob@example.com --roles Editor --workspace ml-team ``` ```python from nemo_platform import NeMoPlatform client = NeMoPlatform() # Promote a Viewer to Editor client.workspaces.members.update( workspace="ml-team", principal_id="bob@example.com", roles=["Editor"] ) ``` ### Remove a Member Revoke a member's access by removing them from the workspace. This removes all their role bindings in the workspace — they will no longer be able to access any resources unless re-added. ```bash nemo workspaces members delete alice@example.com --workspace ml-team ``` ```python from nemo_platform import NeMoPlatform client = NeMoPlatform() client.workspaces.members.delete(workspace="ml-team", principal_id="alice@example.com") ``` ## Granting Access to All Users Use the wildcard principal `*` to grant a role to all authenticated users. This is useful for shared workspaces where you want broad access without adding each user individually. Common use cases: * **Shared datasets** — Grant Viewer to `*` so everyone can use common training data * **Team shared space** — Grant Editor to `*` for a workspace where anyone can experiment * **Published models** — Grant Viewer to `*` for production models that everyone should access ### Make a Workspace Readable by Everyone Grant the Viewer role to `*` so all authenticated users can view resources. ```bash nemo workspaces members create --principal "*" --roles Viewer --workspace shared-models ``` ```json { "principal": "*", "roles": [ "Viewer" ], "granted_at": "2026-01-20T10:05:00Z", "granted_by": "admin@example.com" } ``` ```python from nemo_platform import NeMoPlatform client = NeMoPlatform() client.workspaces.members.create(workspace="shared-models", principal="*", roles=["Viewer"]) ``` ### Make a Workspace Editable by Everyone Grant the Editor role to `*` so all authenticated users can create and modify resources. ```bash nemo workspaces members create --principal "*" --roles Editor --workspace shared-datasets ``` ```python from nemo_platform import NeMoPlatform client = NeMoPlatform() client.workspaces.members.create(workspace="shared-datasets", principal="*", roles=["Editor"]) ``` ### Remove Public Access Remove the wildcard binding to restrict the workspace to explicit members only. ```bash nemo workspaces members delete "*" --workspace ml-team ``` ```python from nemo_platform import NeMoPlatform client = NeMoPlatform() client.workspaces.members.delete(workspace="ml-team", principal_id="*") ``` **Default Workspace Access** The platform automatically grants wildcard access to built-in workspaces: * `default` workspace: All users have **Editor** access * `system` workspace: All users have **Viewer** access (read-only) This allows users to start working immediately without explicit role assignment. ## Admin Protection Every workspace must have at least one Admin to prevent orphaned workspaces. The platform enforces this rule: * You cannot remove the last Admin from a workspace * You cannot change the last Admin's role to Viewer or Editor If you need to leave a workspace where you are the only Admin, add another Admin first: ```bash # Add another admin first nemo workspaces members create --principal charlie@example.com --roles Admin --workspace ml-team # Now you can remove yourself nemo workspaces members delete alice@example.com --workspace ml-team ``` ```python from nemo_platform import NeMoPlatform client = NeMoPlatform() # Add another admin first client.workspaces.members.create( workspace="ml-team", principal="charlie@example.com", roles=["Admin"] ) # Now you can remove yourself client.workspaces.members.delete(workspace="ml-team", principal_id="alice@example.com") ``` ## Platform Admin Access The **PlatformAdmin** role (set using `admin_email` in config) has full access to all workspaces and bypasses authorization checks. PlatformAdmin is typically used for initial platform setup, creating the first workspaces and granting Admin roles to team leads. After bootstrap, day-to-day access management should use workspace-level members (above). For details on configuring the platform admin, refer to [Auth Configuration](/documentation/access-control/deployment/configuration). For the full security implications, refer to [Security Model](/documentation/access-control/security-model). ## Deleting Workspaces Admins can delete workspaces they manage. However, a workspace cannot be deleted if it contains resources (projects, datasets, models, and so on). The API returns a `409 Conflict` error listing which entity types exist: ```json { "detail": "Cannot delete workspace 'ml-team': workspace contains entities that must be deleted first: project (3), dataset (5)" } ``` Delete all resources in the workspace before deleting the workspace itself: ```bash # List and delete projects first nemo projects list --workspace ml-team nemo projects delete my-project --workspace ml-team # Then delete the workspace nemo workspaces delete ml-team ``` ```python from nemo_platform import NeMoPlatform, ConflictError client = NeMoPlatform() try: client.workspaces.delete("ml-team") except ConflictError as e: print(f"Cannot delete workspace: {e}") # Delete resources first, then retry projects = client.projects.list(workspace="ml-team") for project in projects.data: client.projects.delete(project.name, workspace="ml-team") # Now delete the workspace client.workspaces.delete("ml-team") ```