38 changes: 38 additions & 0 deletions astro.config.mjs
@@ -367,6 +367,44 @@ export default defineConfig({
},
],
},
{
label: "Workspace Access Center",
collapsed: true,
items: [
{
label: "Overview",
link: "/workspace-access-center/overview/",
},
{
label: "People",
link: "/workspace-access-center/people/",
},
{
label: "Resources",
link: "/workspace-access-center/resources/",
},
{
label: "My Access",
link: "/workspace-access-center/my-access/",
},
{
label: "Audit",
link: "/workspace-access-center/audit/",
},
{
label: "Guest Settings",
link: "/workspace-access-center/guest-settings/",
},
{
label: "Legacy routes",
link: "/workspace-access-center/legacy-routes/",
},
{
label: "Preview features",
link: "/workspace-access-center/preview-features/",
},
],
},
],
}),
],
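Review bot: the new sidebar links carry a trailing slash (`/workspace-access-center/people/`) while the cross-links written inside the new pages in this PR omit it (`/workspace-access-center/people`, `/workspace-access-center/guest-settings`); pick one form so every link resolves without a redirect hop. The entries also point at `people`, `resources` and `preview-features` pages that do not appear in the visible part of this diff; confirm those files are part of the PR before the sidebar goes live, otherwise the build ships dead entries.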
Binary file added src/assets/screenshots/huly/wac/audit.png
Binary file added src/assets/screenshots/huly/wac/my-access.png
Binary file added src/assets/screenshots/huly/wac/people-all.png
Binary file added src/assets/screenshots/huly/wac/person-drawer.png
Binary file added src/assets/screenshots/huly/wac/resources-all.png
54 changes: 54 additions & 0 deletions src/content/docs/workspace-access-center/audit.mdx
@@ -0,0 +1,54 @@
---
title: Audit
description: Review the chronological log of access-related actions in a workspace, filter by action and actor, and export to CSV.
---

import { Image } from "astro:assets";
import wacAudit from "../../../assets/screenshots/huly/wac/audit.png";

The **Audit** tab is the workspace's access-change ledger. Every state-changing edit made from the People and Resources tabs — and a number of related actions raised by other parts of Huly, such as space archive / unarchive triggered by an automation — is written here with the actor's UUID, a canonical action name, the affected entity, and a timestamp.

<Image src={wacAudit} alt="Audit tab with action dropdown, date range pickers, and table" inferSize quality="max" />

Retention is shown as a banner above the WAC tab strip:

> Workspace audit retention is 365 days. Edits from the People / Resources panels below are logged with the actor's UUID.

The retention default is 365 days. Self-hosted operators can change it via the `AUDIT_RETENTION_DAYS` environment variable on the workspace service (see [Configuration](/admin-panel/configuration) for the equivalent setting on the instance audit log; the workspace audit follows the same variable).

## Filters

Three filters sit above the table:

- **Action** — a dropdown of canonical action names (`role_changed`, `member_added`, `member_removed`, `space_archived`, `space_unarchived`, `space_privacy_changed`, `grant_issued`, `grant_revoked`, `ownership_transferred`, …). Default is `Any action`.
- **From** — start date. `No date` leaves the lower bound open.
- **To** — end date. `No date` leaves the upper bound open.
- **Clear** — resets all three filters.

A fourth filter on the **Actor** column allows substring search on actor display name or UUID.

## Columns

- **Timestamp** — ISO-8601 timestamp with timezone (UTC by default).
- **Actor** — the user who performed the action, or `system` for actions raised by automations and prune jobs.
- **Action** — canonical action name.
- **Entity** — the affected entity (member name, space name, grant ID, …).
- **Detail** — short human-readable description of what changed.

The table is sorted by timestamp descending. Click the timestamp header to invert.

## CSV Export (Owner-only)

The **Export CSV** button in the top-right is visible to Owners only. Clicking it opens a confirmation dialog:

> Exporting the audit log creates a file containing user UUIDs, action names, and timestamps. This data is subject to your organisation's data-handling policy. Continue?

The dialog is intentional — the export carries personally identifiable references (UUIDs and display names) and may fall under your organisation's data-protection rules. Acknowledge the dialog to download a UTF-8 CSV with a header row.

The export respects the active filters. To export only `role_changed` events in the last 30 days, set the filters first and then click **Export CSV**.

## Retention behaviour

A daily prune job removes audit rows older than `AUDIT_RETENTION_DAYS`. On instances where the prune job has not run yet — for example a fresh install — older rows may still be visible. The prune job is idempotent and skips rows that are already gone.

Setting `AUDIT_RETENTION_DAYS=0` disables the prune entirely. Use this if you forward audit rows to an external SIEM and want the database to be the source of truth indefinitely.
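Review bot: the quoted retention banner hard-codes "365 days" while the paragraph right after it makes the value configurable via `AUDIT_RETENTION_DAYS`; say whether the banner renders the configured value or always the default, because an operator who shortened retention would otherwise read a wrong number in the UI. Two smaller points in the same file: `AUDIT_RETENTION_DAYS=0` is recommended for SIEM forwarding, but with the prune disabled the audit table grows without bound, so that sentence should name the cost; and the CSV export paragraph should state how user-controlled cells (Actor display name, Entity, Detail) are quoted, since those values end up in a file that is typically opened in a spreadsheet.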
70 changes: 70 additions & 0 deletions src/content/docs/workspace-access-center/guest-settings.mdx
@@ -0,0 +1,70 @@
---
title: Guest Settings
description: Owner-only per-application permission editor for the Guest and Anonymous guest workspace roles.
---

import { Image } from "astro:assets";
import wacGuest from "../../../assets/screenshots/huly/wac/guest-settings.png";

The **Guest Settings** tab is the per-application permission editor for the workspace's two guest roles:

- **Guest** — a signed-in user who has been invited as a guest of this workspace.
- **Anonymous guest** — an unauthenticated visitor following a public link or a guest-link.

The tab is visible to Owners only. Maintainers and Users do not see it in the tab strip.

<Image src={wacGuest} alt="Guest Settings tab with Guest and Anonymous guest tabs and per-application permission editors" inferSize quality="max" />

## Role selector

Two top-level tabs at the top of the panel select which guest role you are editing:

- **Guest** — settings for signed-in guests.
- **Anonymous guest** — settings for unauthenticated visitors.

Both roles share the same set of applications below; the per-application permissions are independent.

## Application permissions

A guidance line above the application list explains the model:

> Choose which applications guests can use, then adjust permissions for each application below.

Each application has its own card with two parts:

- **Enabled toggle** — whether guests of this role have any access to the application at all. Toggling off hides the application's UI for guests of this role.
- **Permissions** — per-application capability flags such as `Allow creating issues` (Tracker) or `Allow creating cards` (Cards). Capabilities that the application does not yet expose to guests are greyed out with a `coming soon` label.

Below the capability flags every application card has an **Auto-join spaces** picker:

> When enabled, workspace guests are added to this space on activation.

Pick the spaces a guest of this role should be added to when they activate their invite. Multiple spaces can be selected. The picker is per-application, so a Guest can be auto-joined to a Tracker project and a Documents teamspace independently.

Currently the following application cards are present:

- **Tracker** — issue creation, assignee picker.
- **Cards** — card creation.
- **Chat** — auto-join to chat spaces only (no creation rights today).
- **Documents** — read / comment / edit.
- **Office** — auto-join only (rooms and devices are managed inside Office).
- **Planner** — auto-join only.
- **Drive** — auto-join only.
- **Test Management (beta)** — auto-join only.

The card set is driven by the installed Huly applications. If your instance has additional applications enabled, additional cards appear.

## Global toggles

Two top-level toggles sit outside the per-application list:

- **allowReadOnlyGuests** — whether the workspace exposes the `Read-only Guest` role at all. Turning this off hides the role in the People-tab role picker and rejects new Read-only guest invites server-side.
- **allowGuestSignUp** — whether the public sign-up endpoint for this workspace accepts guest registrations. Turning this off keeps the guest application set but stops new guests from joining without an explicit invite.

## Guest communication settings

A dedicated section at the bottom controls fine-grained per-card permissions for the **chat** application:

- **allowedCards** — a multi-select of card classes that guests are allowed to comment on. Default is empty (no comment rights). Add classes to opt them in.

Every change in Guest Settings is written to the workspace audit log under the `guest_settings_changed` action.
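Review bot: `allowReadOnlyGuests`, `allowGuestSignUp` and `allowedCards` are written as code identifiers while every other control on this page is named by its UI label (**Enabled toggle**, **Auto-join spaces**); state whether these are the labels shown in the panel or internal setting keys, and use the label if one exists. Related: the tab is introduced as covering exactly two roles, Guest and Anonymous guest, yet `allowReadOnlyGuests` governs a third role, `Read-only Guest`, and the Chat card says guests have "no creation rights today" while `allowedCards` grants comment rights on chat cards; a sentence explaining how Read-only Guest relates to the two editable roles, and which of the two chat controls takes precedence, would close both gaps.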
48 changes: 48 additions & 0 deletions src/content/docs/workspace-access-center/legacy-routes.mdx
@@ -0,0 +1,48 @@
---
title: Legacy routes and Settings IA
description: How the Workspace Access Center consolidates the legacy Workspace Members, Guests, and Global Space Admins entries, and which deep-links still work.
---

import { Image } from "astro:assets";
import wacSettingsSidebar from "../../../assets/screenshots/huly/wac/settings-sidebar.png";

Before the Workspace Access Center, four separate entries under workspace **Settings** covered access concerns:

- `Workspace Members` — list and edit workspace members.
- `Guests` — manage guest invitations and per-application guest permissions.
- `Global Space Admins` — assign workspace-wide space admin rights.
- `Admin panel` — the instance-wide administrative UI.

WAC consolidates the first three under a single **Access Center** entry. The fourth is renamed for disambiguation.

<Image src={wacSettingsSidebar} alt="Workspace settings sidebar with the new Access Center entry replacing legacy items" inferSize quality="max" />

## Sidebar changes

In the workspace settings sidebar:

- **Workspace Members** — hidden. Use [Access Center → People](/workspace-access-center/people).
- **Guests** — hidden. Use [Access Center → Guest Settings](/workspace-access-center/guest-settings).
- **Global Space Admins** — hidden. Equivalent functionality lives under [Access Center → Resources](/workspace-access-center/resources) via the per-space Transfer ownership and member-role pickers.
- **Admin panel** — renamed to **Global Admin Panel** to distinguish it from the per-workspace Access Center.

## Deep-links still work

The legacy URLs are kept alive. Existing bookmarks, links in third-party documentation, and external workflow tooling continue to resolve to a working page:

| Legacy path | Behaviour today |
|---|---|
| `/setting/owners` | Loads the legacy Workspace Members page. A banner suggests opening **Access Center → People** instead. |
| `/setting/guestPermissions` | Loads the legacy Guest Permissions page. A banner suggests opening **Access Center → Guest Settings** instead. |
| `/setting/allSpaces` | Loads the legacy All Spaces page. A banner suggests opening **Access Center → Resources** instead. |

There is no scheduled date to retire the legacy pages. The banners are advisory only.

## Why the rename

`Admin panel` previously referred to two different things depending on context:

- the workspace-internal admin tools (members, guests, space admins);
- the instance-wide admin UI documented under [Global Admin Panel](/admin-panel/overview).

The Access Center consolidation is the right opportunity to disambiguate: workspace-internal access lives under **Access Center**, instance-wide access lives under **Global Admin Panel**. The terms are kept distinct everywhere in the workbench and in this documentation.
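Review bot: the deep-link table says the legacy pages still load, but nothing states that they enforce the same role gating as the new tabs (Guest Settings is documented elsewhere in this PR as Owner-only, yet `/setting/guestPermissions` is described only as "loads the legacy Guest Permissions page"). Add a line confirming that the legacy routes apply identical permission checks, otherwise a reader has to assume the old pages are a way around the new restrictions. Minor: the opening says four entries "covered access concerns", but the fourth, `Admin panel`, is the instance-wide UI rather than a workspace access entry, as the "Why the rename" section itself points out; "three access entries plus the Admin panel link" would be more accurate.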
62 changes: 62 additions & 0 deletions src/content/docs/workspace-access-center/my-access.mdx
@@ -0,0 +1,62 @@
---
title: My Access
description: See your own workspace role, the spaces you are in, the spaces you own, and the per-resource grants involving you.
---

import { Image } from "astro:assets";
import wacMyAccess from "../../../assets/screenshots/huly/wac/my-access.png";

The **My Access** tab is the self-service view of WAC. Every workspace member — including Guests and Read-only Guests — can open this tab to see their own role, the spaces they belong to, the spaces they own, and the per-resource grants involving them.

<Image src={wacMyAccess} alt="My Access tab showing workspace role with My role sub-tab" inferSize quality="max" />

## Sub-tabs

- **My role** — your current workspace role, shown as a large badge. A help line explains that role changes are made by a workspace Owner from the People tab.
- **Spaces I'm in** — every space you are a direct member of, with your role per space and an `Open ↗` link.
- **Spaces I own** — every space whose Owner is you. Useful when you want to step through "what would happen to this space if I left the workspace?"
- **Granted to me** — per-resource grants given to you (mention-grants, document-grants, link-grants). Each grant carries scope (read / comment / edit) and an expiry if one was set.
- **Granted by me** — per-resource grants you have given to other members. Useful to review and revoke grants you issued earlier.

## My workspace role

The header of the **My role** sub-tab shows your current role as a coloured badge:

- `OWNER` — full control of the workspace.
- `MAINTAINER` — broad administrative rights, no ability to transfer ownership.
- `USER` — standard editor role.
- `GUEST` — limited editor role, scoped to spaces a Guest has been added to.
- `READ-ONLY GUEST` — read access only.
- `DOCUMENT GUEST` — read access scoped to a specific document.

Below the badge:

> Role changes are managed by a workspace Owner from the People view.

If you need a different role, ask any Owner of the workspace.

## Spaces I'm in / Spaces I own

Both lists show the same columns:

- **Type** — emoji + class label.
- **Name** — space name with an `Open ↗` link to the space root.
- **My role** (Spaces I'm in) or **Members** (Spaces I own) — context-specific.
- **Last activity** — when you last touched the space.

Both tables are sortable.

## Granted to me / Granted by me

These two sub-tabs list per-resource grants — the fine-grained access primitives that sit below the workspace role. They are typically created when a member shares a document, mentions someone in a private space, or generates a link-grant from the share menu.

Each row shows:

- **Resource** — the document, card, or other entity the grant is attached to.
- **Scope** — `read`, `comment`, or `edit`.
- **Granted by** (or **Granted to**) — the actor on the other side of the grant.
- **Expires** — expiry timestamp, or `—` for non-expiring grants.

### Self-service Leave and Decline (preview)

A **Leave** action on **Spaces I'm in** and a **Decline** action on **Granted to me** are part of the preview-features set and are hidden unless the workspace has `WAC_PREVIEW_FEATURES` enabled. See [Preview features](/workspace-access-center/preview-features). When the flag is off, the only way to leave a space today is to ask an Owner to remove you from the People tab.
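Review bot: **Granted by me** says it is "useful to review and revoke grants you issued earlier", but the only actions the page gates behind `WAC_PREVIEW_FEATURES` are Leave and Decline; say whether revoke is always available or also preview-gated. Also the intro lists Guests and Read-only Guests as able to open the tab while the badge list adds `DOCUMENT GUEST`; include it in the intro so the two lists agree. The **Spaces I own** bullet invites the reader to ask "what would happen to this space if I left the workspace?" without answering it; one sentence on the outcome (or a pointer to the Transfer ownership flow on the Resources tab) would make that sub-tab actionable.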
57 changes: 57 additions & 0 deletions src/content/docs/workspace-access-center/overview.mdx
@@ -0,0 +1,57 @@
---
title: Workspace Access Center
description: Single-pane view for managing per-workspace people, resources, access grants, and audit history.
---

import { Image } from "astro:assets";
import wacPeopleAll from "../../../assets/screenshots/huly/wac/people-all.png";
import wacSettingsSidebar from "../../../assets/screenshots/huly/wac/settings-sidebar.png";

The **Workspace Access Center** (WAC) is the per-workspace home for everything related to who can do what inside a single Huly workspace. It collects the People list, the Spaces list, your own access view, the audit trail, and the Guest application permissions in one place under workspace **Settings → Access Center**.

WAC replaces the legacy `Workspace Members`, `Guests`, and `Global Space Admins` entries in the workspace settings sidebar. The deep-link URLs for those legacy pages still work (see [Legacy routes](/workspace-access-center/legacy-routes)) so existing bookmarks and links continue to resolve.

<Image src={wacPeopleAll} alt="Workspace Access Center, People tab showing the All sub-tab with members and their roles" inferSize quality="max" />

## Who can use it

Every workspace member can open the Access Center, but what they see depends on their workspace role:

- **Owner** — full access to all five tabs and every sub-tab. Owners can change roles, transfer ownership, archive spaces, edit Guest application permissions, and export the audit log.
- **Maintainer** — full access to People, Resources, My Access, and Audit. Cannot edit Guest Settings and cannot export audit CSV.
- **User** — read-only People and Resources, full My Access, and a limited (workspace-scoped) Audit view.
- **Guest / Read-only Guest / Document Guest** — only the My Access tab is shown. Guests see their own role, the spaces they are in, and the access grants they have received.

The tab list adapts automatically — guests do not see tabs they cannot use.

## How to open it

From any workspace, click your workspace name in the top-left, choose **Settings**, then **Access Center** in the workspace settings sidebar.

<Image src={wacSettingsSidebar} alt="Settings sidebar with Access Center entry under WORKSPACE SETTINGS" inferSize quality="max" />

The direct URL is:

```
/workbench/<workspace-url>/setting/setting/accessCenter
```

## The five tabs

WAC has five top-level tabs. Each tab is documented on its own page:

- **[People](/workspace-access-center/people)** — list members, change roles, manage invites, surface inactive accounts.
- **[Resources](/workspace-access-center/resources)** — list spaces (Projects, Funnels, Teamspaces, Drives, Cards) with privacy, auto-join, and archive state. Walk the workspace hierarchy.
- **[My Access](/workspace-access-center/my-access)** — see your own role, the spaces you are in, the spaces you own, and the per-resource grants given to or by you.
- **[Audit](/workspace-access-center/audit)** — review the chronological log of access-related actions in this workspace, with filters and CSV export.
- **[Guest Settings](/workspace-access-center/guest-settings)** — Owner-only. Per-application permission editor for the `Guest` and `Anonymous guest` workspace roles.

A sixth **Presets** tab is shown when the preview-features flag is on; see [Preview features](/workspace-access-center/preview-features) for details.

## What it is not

WAC is **not** the instance-wide [Global Admin Panel](/admin-panel/overview). The Global Admin Panel covers account-level concerns across all workspaces of a self-hosted Huly instance (`ADMIN_EMAILS` allowlist, force-disable accounts, mass-archive workspaces, instance audit log). WAC is scoped to a single workspace and runs for every workspace member that has permission to use it — not just instance admins.

## Audit logging

Every state-changing edit made through the People and Resources tabs is written to the workspace audit log with the actor's UUID, the action name, the affected entity, and a timestamp. The retention period (default 365 days) is shown as a banner above the tab strip. See [Audit](/workspace-access-center/audit) for the full list of actions and the CSV-export procedure.
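Review bot: the direct URL `/workbench/<workspace-url>/setting/setting/accessCenter` repeats the `setting` segment, whereas the legacy paths documented in this PR use a single segment (`/setting/owners`); confirm the doubled segment is intentional before it lands in the docs. Also the "Who can use it" list says Users get a "limited (workspace-scoped) Audit view" without saying what is withheld relative to the Maintainer view; and the last paragraph of "What it is not" says WAC "runs for every workspace member that has permission to use it" right after the page states that every member can open it, so either drop the qualifier or name the exception.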