> ## Documentation Index
> Fetch the complete documentation index at: https://docs.credibledata.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Permissions

> Who can access what — environments, packages, workspaces, and documents

Permissions in Credible layer from broad to narrow: an **organization role** sets what someone can do overall, **environment and package permissions** control who can build with and consume governed data, and **workspace and document permissions** control who sees analysis work. Organization roles and groups are managed in [Users & Groups](/platform-admin/groups-permissions); this page covers the resource permissions built on top of them.

## How Access Is Granted

Adding a member to the organization does not automatically grant access to any environments or packages. To grant access:

1. **Share directly**: Navigate to the resource, click **Share** (or **Permissions**), and add the user
2. **Add to a group**: Add the user to a [group](/platform-admin/groups-permissions#manage-groups) that already has access

**Recommended approach**: Configure a few groups with the appropriate environment or package access. When a new user joins, add them to the relevant group as a second step after adding them to the organization.

## Sharing Environments & Packages

Grant users or groups access to specific environments or packages.

1. Navigate to the environment or package under **Packages & Connections** in the sidebar
2. Click **Permissions**
3. Add the user or group and select their role

Environments contain packages, so granting environment access also grants access to all packages in that environment.

### Environment Roles

| Role        | Access                                                                                                                                                                                    |
| ----------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Admin**   | Full environment control — manage connections, packages, and sharing                                                                                                                      |
| **Modeler** | Build and publish packages in the environment. Modelers can list and use the environment's connections, but cannot see or update connection configurations — credentials stay with admins |
| **Viewer**  | View packages and run queries via the Data API (e.g., [MCP tools](/how-to/analyzing/ai-assistants-mcp))                                                                                   |

Environment viewers automatically get viewer access to all packages in that environment.

### Package Roles

| Role        | Access                                                                                               |
| ----------- | ---------------------------------------------------------------------------------------------------- |
| **Admin**   | Full package control — manage sharing and versions                                                   |
| **Modeler** | Publish new versions of the package                                                                  |
| **Viewer**  | View and query the package via the Data API (e.g., [MCP tools](/how-to/analyzing/ai-assistants-mcp)) |

Package access can also be granted to a **workspace** — that's what adding a package to a workspace does: every workspace member can query the package through that workspace, without needing individual package permissions.

## Sharing Workspaces & Documents

Environment and package permissions govern the data; workspace and document permissions govern the **analysis work** built on top of it.

### Workspace Roles

| Role        | Access                                                                                                                   |
| ----------- | ------------------------------------------------------------------------------------------------------------------------ |
| **Manager** | Full control over workspace settings, members, and packages                                                              |
| **Viewer**  | Work in the workspace — chat with data, view reports and data apps (labeled **Member** in the workspace creation wizard) |

Users can also **request access** to a workspace they can't see into; a workspace manager approves the request from the workspace's permissions list.

### Document Sharing

Individual documents in a workspace — chats, reports, and data apps — can be shared with users or groups at two levels:

| Role       | Access                                     |
| ---------- | ------------------------------------------ |
| **Editor** | Modify the document and manage its sharing |
| **Viewer** | View the document                          |

Document permissions are inherited from the workspace, so workspace members can already see shared work; per-document sharing is for granting access beyond the workspace's membership, and supports the same request-access flow.

## Access Control

The **Access Control** page in the Credible App manages the lookup table behind [secure givens](/how-to/modeling/fine-grained-acls#row-scope-secure-givens) — the values Credible resolves server-side when a published model filters or gates on a `#(secure)` given. Each row grants a **user** (by email), a **group**, or **everyone** (a default) a list of values for an attribute. An attribute appears here automatically once a published model references it, so assigning values here is the second half of setting up fine-grained access control.

## Next Steps

<CardGroup cols={2}>
  <Card title="Access Control" icon="filter" color="#5C7A93" href="/how-to/modeling/fine-grained-acls">
    Row and field-level security using Malloy annotations
  </Card>

  <Card title="Best Practices" icon="folder-tree" color="#94793A" href="/platform-admin/environments-packages">
    Draw environment boundaries that make permissions easy to manage
  </Card>
</CardGroup>
