[Docs index](/docs.md) / [Workspace Permissions](/docs/workspace-permissions/overview.md) / Managing Resource Permissions

---

# Managing Resource Permissions

The Resources tab lets you see every resource in your workspace and control who has access to each one. This is where you grant a team access to a sandcastle, restrict a tool to specific users, or audit who can edit a subagent.

## Before you begin

- You need to be a workspace admin or the resource's owner to manage its permissions.

## Viewing resources

Go to **Workspace > Permissions** and select the **Resources** tab. Resources are listed by type: subagents, sandcastles, tools, projects, connections, knowledge bases, chats, and MCP bundles.

Each resource row shows:

- The resource name and type.
- The current permission grants — who has access and at what level.

## Granting access

1. Find the resource on the Resources tab.
2. Click **Grant Access**.
3. Choose whether to grant to a **user** or a **group**.
4. Select the user or group.
5. Choose the permission level: View, Execute, Edit, or Admin.
6. Save.

The grant takes effect immediately. The user (or every member of the group) can access the resource at the granted level.

## Revoking access

1. Find the resource.
2. Find the specific grant you want to remove.
3. Click the revoke icon.

Revoking a grant removes that specific path of access. If the user also has access through another path (a different group, or direct ownership), they keep that access. To fully remove someone's access, you may need to revoke both a direct grant and a group grant.

## Common patterns

**Share a sandcastle with the whole team.** Grant the team's group Execute access. Everyone can use the app. Only the owner (and workspace admins) can edit it.

**Restrict a write tool.** If you have a tool that creates records in the ERP, grant it only to the users or groups that should have write access. Other subagents that try to use the tool will not be able to call it if it is not in their whitelist and their user does not have access.

**Give a contractor view-only access.** Create a "Contractors" group. Grant it View on the resources the contractor needs to see. When the engagement ends, delete the group.

**Audit a resource.** Click on a resource to see every grant — direct and group. The effective permissions show who actually has access and at what level, accounting for group membership and the permission hierarchy.

## Bulk operations

There is no bulk grant or revoke in the current UI. If you need to grant the same access to many resources at once, the most efficient path is:

1. Create a group with the right members.
2. Grant the group access to each resource one at a time.

Once the group exists, granting access to a new resource is a single action.

## Related guides

- [Managing users](./managing-users.md)
- [Managing groups](./managing-groups.md)
- [Using the permissions simulator](./using-the-permissions-simulator.md)
- [Troubleshooting](./troubleshooting.md)

---

## Navigation

### In this section: Workspace Permissions

- [Workspace Permissions](/docs/workspace-permissions/overview.md)
- [Troubleshooting](/docs/workspace-permissions/troubleshooting.md)
- [Managing Groups](/docs/workspace-permissions/managing-groups.md)
- **Managing Resource Permissions** (current)
- [Managing Users](/docs/workspace-permissions/managing-users.md)
- [Setting Up SSO](/docs/workspace-permissions/setting-up-sso.md)
- [Using the Permissions Simulator](/docs/workspace-permissions/using-the-permissions-simulator.md)

### Other sections

- [MCP Servers](/docs/mcp-servers/overview.md)
- [Tool Creation](/docs/tool-creation/overview.md)
- [Agent Filesystem](/docs/agent-filesystem/overview.md)
- [Chat Sharing](/docs/chat-sharing/overview.md)
- [Scheduled Triggers](/docs/scheduled-triggers/overview.md)
- [Agent Skills](/docs/agent-skills/overview.md)
- [Sandcastles](/docs/sandcastles/overview.md)
- [Subagents](/docs/subagents/overview.md)

[Back to docs index](/docs.md)