Workspace and Access
Synced from repo docs
This page is synced from docs/guides/workspace-and-access.md via docs/public-docs.json. Edit the owning repo source instead of this generated copy. GitHub source: https://github.com/byteor-systems/byteor-cloud/blob/master/docs/guides/workspace-and-access.md
Workspace access in ByteOr Cloud starts with the tenancy tree: organization, project, and environment.
Scope boundaries
Organization
Organization scope owns:
- members and roles
- auth posture
- signing keys
- organization API keys
- project creation and high-level workspace policy
Project
Project scope owns:
- environments
- drafts and versions
- config bundles
- deployment history for that product or team area
Environment
Environment scope owns:
- enrolled agents
- approval posture
- artifacts and replay activity
- the actual runtime boundary where a deployment may execute
Operator model
- org admins can manage the whole workspace tree
- project admins can manage one project's environments and deployment activity
- operators work inside the environments they are granted
- viewers can inspect state without taking governed actions
Access rule
An agent enrolled into one environment does not float across sibling environments. Governance, rollout, and replay rules resolve where the environment boundary says they resolve.