# Workspaces and Access Controls ## Assigning Roles The WarpStream web console supports role-based access control. When a user signs up for a new WarpStream account, they are assigned a default role called `Admin`. This grants them read and write access to any resource in the account. A second `Read-only` role is created on signup, which grants read access only and which by default isn't assigned to any users. A user with unlimited read and write access can invite others to their WarpStream account by clicking the "Invite Teammate" button on the Team page. The invitation form includes a dropdown to select which role the teammate should be assigned to when they accept the invitation. A user with unlimited read and write access can also edit existing teammates' roles from the Team page. They can also configure new roles and edit existing roles by clicking the "Manage User Roles" button. ## Roles and Workspaces A role specifies the level of access users have in each workspace. A workspace is a logical grouping of resources such as virtual clusters, application keys, and schema registries. "Unlimited read and write access" means read and write access across all workspaces. Users can switch between workspaces via the dropdown menu on the top left of the console. Only the workspaces that their assigned roles grant access to appear in this menu. Users with unlimited read and write access can manage workspaces by clicking on the dropdown menu's `Manage` link. They can also manage account keys from the same page. See [Secrets Overview](https://docs.warpstream.com/warpstream/secrets-overview#account-keys) for more on account keys. A workspace can only be deleted after its virtual clusters and schema registries have all been deleted. Currently, a role grants either `admin` or `read_only` access to each workspace. A third `billing` grant type exists, which doesn't apply to any particular workspace. It would be typical for a WarpStream account to contain one workspace called `staging` and another called `production`. A role called `production_admin` might grant `admin` access to the `production` workspace. Another role called `staging_admin` might grant `admin` access to the `staging` workspace and `read_only` access to the `production` workspace. Users assigned to `staging_admin` would be able to create and delete resources in the `staging` workspace, but would only view existing resources in the `production` workspace. A user assigned to both roles would have `admin` access in both workspaces because grants are cumulative. Finally, users who need to access billing-related tools must be assigned a role with either the `admin` or the `billing` grant type, with the latter being the most restrictive. Accounts may have up to 10 workspaces by default. Contact us if you require more. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.warpstream.com/warpstream/reference/manage-console-access/workspaces-and-access-controls.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.