Workspaces — bRRAIn Docs

Workspace isolation, team context, and access control in bRRAIn.

Workspaces

A Workspace is a collaborative boundary within a vault that defines team context, access permissions, and organizational structure for memory objects. While vaults provide cryptographic isolation, workspaces provide logical isolation for teams working within the same encrypted boundary.

Workspace Concept

Every vault contains at least one workspace. When you create a vault, a default workspace is created automatically. Organizations typically create additional workspaces to reflect their team structure:

  • An Engineering workspace for architectural decisions and runbooks
  • A Sales workspace for competitive intelligence and deal notes
  • A Legal workspace for contract analysis and regulatory guidance
  • A Research workspace for experiment results and literature reviews

Each workspace has its own:

  • Member roster with role-based permissions
  • Memory object namespace (objects in different workspaces do not overlap in queries)
  • Configuration settings for default metadata schemas, retention policies, and notification preferences
  • Activity feed showing recent changes and member actions

Access Control

Workspaces use role-based access control (RBAC) with four built-in roles:

| Role | Permissions |
|------|-------------|
| Owner | Full control: manage members, configure workspace, delete workspace |
| Admin | Manage members, configure settings, create and delete memory objects |
| Editor | Create, update, and delete memory objects; cannot manage members |
| Viewer | Read-only access to memory objects and search results |

A user can have different roles in different workspaces within the same vault. For example, an engineer might be an Editor in the Engineering workspace and a Viewer in the Sales workspace.

Custom Roles

Enterprise plans support custom roles with granular permission sets. You can define roles that allow specific operations (e.g., "can store memory objects but cannot delete them") and assign them to users or service accounts.

Workspace Isolation

Queries within a workspace return only memory objects that belong to that workspace. A search in the Engineering workspace will never surface results from the Sales workspace, even though both reside in the same vault and share the same encryption key.

This isolation extends to:

  • Search results: Semantic and keyword searches are scoped to the workspace
  • Agents: Autonomous agents operate within a single workspace context
  • Webhooks: Events are emitted per-workspace, so integrations receive only relevant notifications
  • Analytics: Usage metrics and dashboards reflect workspace-level activity

Cross-Workspace Sharing

When teams need to share specific knowledge across workspace boundaries, bRRAIn provides three controlled sharing mechanisms:

  1. Shared Collections: Create a named collection and grant read access to other workspaces
  2. Memory Links: Create a reference link from one workspace to a memory object in another (requires the source workspace owner's approval)
  3. Broadcast Memories: Mark a memory object as "broadcast" to make it visible across all workspaces in the vault

Cross-workspace sharing maintains a complete audit trail. The owning workspace retains control and can revoke access at any time.
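
A minimal Python model of the rules above, added here as an illustration and not bRRAIn's implementation or API: a per-workspace role lookup that denies by default, and a workspace-scoped query whose result set is widened only by the three sharing mechanisms. Class, field, and action names are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass, field

# Transcribed from the built-in roles table; action names are assumed, and
# "read" for roles above Viewer is an assumption the table does not spell out.
ROLE_PERMS = {
    "owner":  {"read", "create", "update", "delete", "manage_members",
               "configure", "delete_workspace"},
    "admin":  {"read", "create", "delete", "manage_members", "configure"},
    "editor": {"read", "create", "update", "delete"},
    "viewer": {"read"},
}

@dataclass
class Obj:                      # a memory object (hypothetical shape)
    id: str
    workspace: str
    collection: str = ""
    broadcast: bool = False

@dataclass
class Vault:
    roles: dict = field(default_factory=dict)   # (user, workspace) -> role
    objects: list = field(default_factory=list)
    grants: set = field(default_factory=set)    # (owner_ws, collection, reader_ws)
    links: set = field(default_factory=set)     # (object_id, reader_ws), approved
    audit: list = field(default_factory=list)   # every decision is recorded

    def allowed(self, user, ws, action):
        role = self.roles.get((user, ws))       # no membership: deny by default
        ok = role is not None and action in ROLE_PERMS[role]
        self.audit.append((user, ws, action, ok))
        return ok

    def visible(self, user, ws):    # ids a query scoped to `ws` may return
        if not self.allowed(user, ws, "read"):
            return set()
        return {o.id for o in self.objects
                if o.workspace == ws or o.broadcast
                or (o.collection and (o.workspace, o.collection, ws) in self.grants)
                or (o.id, ws) in self.links}

def demo():                     # constructed sample data
    v = Vault(roles={("ana", "eng"): "editor", ("ana", "sales"): "viewer"})
    v.objects = [Obj("runbook", "eng"), Obj("deal", "sales"),
                 Obj("pricing", "legal", "public-terms"), Obj("policy", "legal", broadcast=True)]
    before = v.visible("ana", "sales")
    v.grants.add(("legal", "public-terms", "sales"))      # Shared Collection grant
    after = v.visible("ana", "sales")
    v.grants.discard(("legal", "public-terms", "sales"))  # owning workspace revokes
    return before, after, v.visible("ana", "sales"), v
```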

Creating a Workspace

curl -X POST https://api.brrain.io/v1/workspaces \
  -H "Authorization: Bearer brr_live_YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Engineering",
    "vault_id": "vlt_default",
    "description": "Architecture decisions, runbooks, and technical knowledge"
  }'

Workspace Configuration

Each workspace supports the following settings:

  • Default metadata schema: Define required and optional fields for new memory objects
  • Auto-tagging rules: Automatically apply tags based on content analysis
  • Retention override: Set workspace-specific retention periods (must be within vault policy limits)
  • Notification channels: Configure Slack, email, or webhook notifications for workspace events
  • Guest access: Allow external collaborators with time-limited, read-only access

Team Context

One of bRRAIn's distinctive features is team context awareness. When a user queries the platform, the Retrieval Zone considers the user's workspace membership, role, and recent activity to personalize results. A query like "deployment process" returns different results for an engineer (who sees the CI/CD pipeline runbook) than for a sales representative (who sees the customer deployment timeline).

This contextual retrieval happens automatically without additional query parameters. Users can override it by explicitly specifying a workspace scope in their API request.
