From 30fcf465bec0458e05075b7f5f37d59da1126549 Mon Sep 17 00:00:00 2001 From: Llewellyn vd Berg <113503285+llewellyn-sl@users.noreply.github.com> Date: Fri, 3 Apr 2026 20:11:27 +0200 Subject: [PATCH 1/2] docs: add workspace governance guidance [EDU-1118] --- platform-cloud/docs/credentials/data_repositories.md | 4 ++++ .../docs/orgs-and-teams/workspace-management.md | 11 +++++++++++ 2 files changed, 15 insertions(+) diff --git a/platform-cloud/docs/credentials/data_repositories.md b/platform-cloud/docs/credentials/data_repositories.md index 98d6d466f..2a58718e5 100644 --- a/platform-cloud/docs/credentials/data_repositories.md +++ b/platform-cloud/docs/credentials/data_repositories.md @@ -38,6 +38,10 @@ Azure Blob Storage are prefixed with an Azure icon and `az://` in Data Explorer. Add the contents of the **Service account key** JSON file. GCP object storage buckets are prefixed with a GCP icon and `gs://` in Data Explorer. +For enterprise onboarding, it is usually best to create a dedicated GCP service account for each workspace or team boundary that needs independent access control, then grant that service account access only to the required buckets or prefixes. Store that credential in the same Seqera workspace where the data will be browsed or launched from. + +If a workflow spans more than one cloud provider, keep the provider-specific credentials in the launching workspace and verify that the selected compute environment and work directory are configured for the cloud where the run will execute. Data Explorer can surface data repositories from different providers in the same workspace, but access to each path still depends on the credentials and network access available to that workspace. + ## S3-compatible storage This includes cloud-provider and on-premise based storage solutions with an S3-compatible API. Examples include [Cloudflare R2][cloudflare], [MinIO][minio], and [Oracle Cloud Infrastructure][oci]. 
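Review bot: the first added paragraph tells readers to grant the service account access "only to the required buckets or prefixes", but a plain bucket-level IAM binding in GCS cannot be limited to a prefix; either drop "or prefixes" or state that prefix scoping requires an IAM Condition on the object name (and link to it), so nobody assumes the bucket role alone does it. The second added paragraph ("If a workflow spans more than one cloud provider...") is provider-neutral yet sits under the GCP instructions, directly before `## S3-compatible storage`; it belongs in the page introduction or a short general subsection where it visibly applies to every provider on the page. Minor: "Store that credential" should be "Store the service account key" to match the term used in the context line just above it.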
diff --git a/platform-cloud/docs/orgs-and-teams/workspace-management.md b/platform-cloud/docs/orgs-and-teams/workspace-management.md index 74dd78624..49010bf62 100644 --- a/platform-cloud/docs/orgs-and-teams/workspace-management.md +++ b/platform-cloud/docs/orgs-and-teams/workspace-management.md @@ -33,6 +33,17 @@ As a workspace owner, you can modify optional workspace fields after workspace c Apart from the **Participants** tab, the _organization_ workspace is similar to the _user_ workspace. As such, the relation to [runs](../launch/launchpad), [actions](../pipeline-actions/overview), [compute environments](../compute-envs/overview), and [credentials](../credentials/overview) is the same. +## Workspace planning for larger organizations + +For larger organizations, decide your workspace boundaries before you start adding credentials, data links, and compute environments: + +- Create separate organization workspaces for teams, business units, or projects that need different cloud credentials, data-access rules, or compute defaults. +- Use [teams](./roles) as the default way to grant access, and reserve named participant assignments for exceptions. +- Use shared workspaces when you want to centralize reusable pipelines or compute environments for multiple groups, while still letting each consuming workspace keep its own participants and day-to-day operations. +- Keep workspace credentials aligned to the data and infrastructure that the workspace is expected to operate. Avoid reusing a single broad credential across unrelated groups when separate credentials or narrower scopes are available. + +This model makes it easier to onboard new groups consistently, audit who can access a given bucket or compute environment, and limit the blast radius of later credential changes. + ## Workspace settings Select the **Settings** tab within a workspace to manage credits, Studios settings, workspace labels, and edit or delete the workspace. 
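Review bot: the third bullet introduces "shared workspaces" and "consuming workspace" without a definition or link, while the context paragraph just above links runs, actions, compute environments and credentials; add the link to the shared-workspace page (or a one-line definition) so a reader of this new section knows the feature exists and what "consuming" means. In the fourth bullet, "the data and infrastructure that the workspace is expected to operate" is missing "on", and "narrower scopes" should say what narrower means in Platform terms, e.g. one credential per workspace that can reach only that workspace's buckets, which is the same advice the `data_repositories.md` hunk in this patch gives for GCP. The second bullet links "teams" to `./roles`; confirm that target is the teams page and not only the roles page, since the sentence is about teams as the default grant mechanism.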
From fc6bf32be8b54717368d605b711375c38555efd4 Mon Sep 17 00:00:00 2001 From: Justine Geffen Date: Fri, 17 Apr 2026 16:33:01 +0200 Subject: [PATCH 2/2] Apply suggestion from @christopher-hakkaart Co-authored-by: Chris Hakkaart Signed-off-by: Justine Geffen --- platform-cloud/docs/orgs-and-teams/workspace-management.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/platform-cloud/docs/orgs-and-teams/workspace-management.md b/platform-cloud/docs/orgs-and-teams/workspace-management.md index 49010bf62..d2261c3ee 100644 --- a/platform-cloud/docs/orgs-and-teams/workspace-management.md +++ b/platform-cloud/docs/orgs-and-teams/workspace-management.md @@ -42,7 +42,7 @@ For larger organizations, decide your workspace boundaries before you start addi - Use shared workspaces when you want to centralize reusable pipelines or compute environments for multiple groups, while still letting each consuming workspace keep its own participants and day-to-day operations. - Keep workspace credentials aligned to the data and infrastructure that the workspace is expected to operate. Avoid reusing a single broad credential across unrelated groups when separate credentials or narrower scopes are available. -This model makes it easier to onboard new groups consistently, audit who can access a given bucket or compute environment, and limit the blast radius of later credential changes. +This model makes it easier to onboard new groups consistently, audit who can access a given bucket or compute environment, and limit the impact of later credential changes. ## Workspace settings
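Review bot: the wording change itself is fine, but the hunk's unchanged context line still reads "the data and infrastructure that the workspace is expected to operate", which is missing "on"; since this patch already touches the sentence directly below it, fix that in the same commit rather than leaving the slip in the newly added section. Also, "limit the impact of later credential changes" is vaguer than what the section argues: the benefit of one credential per workspace is that rotating or revoking it affects only that workspace, so "limit a later credential rotation or revocation to a single workspace" keeps the point without the jargon the suggestion removed.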