Workspaces in OpenSearch UI are curated environments for specific use cases like Observability, Security Analytics, and Search. Each workspace has its own privacy settings and collaborator management, giving you fine-grained control over who can see and modify content.
Workspace Permissions
Workspace types
OpenSearch UI provides five workspace types, each tailored to a different use case:
| Workspace type | Purpose | Key features |
|---|---|---|
| Observability | Monitor system health, performance, and reliability | Logs, metrics, and traces analysis |
| Security Analytics | Detect and investigate security threats | Threat detection, vulnerability analysis |
| Search | Find and explore information across data sources | Full-text search, data exploration |
| Essentials | Analyze data from OpenSearch Serverless sources | Pattern identification, trend analysis |
| Analytics (all features) | Multi-purpose workspace with all capabilities | Every feature available in OpenSearch UI |
The Essentials workspace is designed specifically for OpenSearch Serverless data sources. If you're working with managed domains, choose one of the other workspace types.
Creating a workspace
After your OpenSearch UI application is created and has at least one data source associated, you can create workspaces.
From the console
- Open the OpenSearch Service console
- Choose OpenSearch UI (Dashboards) in the left navigation
- Select your application and choose Launch application (or use the application URL directly)
- On the OpenSearch UI homepage, you'll see options to create workspaces organized by use case
- Choose the workspace type that fits your needs
- Enter a name and configure privacy settings
- Choose Create
From the application URL
Navigate directly to your application URL in a browser. The homepage lists all existing workspaces and provides options to create new ones.
Privacy settings
Every workspace has a privacy setting that controls the default access level for all users of the application. You set this when creating the workspace and can change it later from the workspace's Collaborators tab.
| Privacy setting | Who can access | What they can do |
|---|---|---|
| Private to collaborators | Only explicitly added collaborators | Depends on their collaborator permission level |
| Anyone can view | All application users | View assets, but can't make changes |
| Anyone can edit | All application users | View and edit all assets in the workspace |
Choosing the right privacy setting
- Private to collaborators — Best for sensitive workspaces (security analytics, production dashboards) where you need to control exactly who has access.
- Anyone can view — Good for shared dashboards and reports that the whole team should see but only specific people should modify.
- Anyone can edit — Useful for collaborative workspaces where the whole team actively contributes (e.g., a shared observability workspace during an incident).
Managing collaborators
On the workspace Collaborators tab, you can add IAM users, IAM roles, and IAM Identity Center users as collaborators. Each collaborator gets one of three permission levels:
| Permission level | Can view assets | Can edit assets | Can manage workspace settings | Can delete workspace |
|---|---|---|---|---|
| Read only | ✅ | ❌ | ❌ | ❌ |
| Read and write | ✅ | ✅ | ❌ | ❌ |
| Admin | ✅ | ✅ | ✅ | ✅ |
Adding collaborators
- Open your workspace in OpenSearch UI
- Navigate to the Collaborators tab
- Choose Add collaborators
- Select the collaborator type:
  - IAM users or roles — enter the IAM ARN
  - IAM Identity Center users — search by name or ID
- Choose the permission level (Read only, Read and write, or Admin)
- Save your changes
Permission interactions
The interaction between workspace privacy and collaborator permissions can be subtle:
| Scenario | Effective permission |
|---|---|
| Privacy = "Anyone can view", collaborator has "Read and write" | Read and write (collaborator permission wins) |
| Privacy = "Anyone can edit", collaborator has "Read only" | Read and edit (privacy setting overrides to grant edit) |
| Privacy = "Private to collaborators", user not added | No access |
The workspace privacy setting acts as a floor — it sets the minimum permission level for all users. Individual collaborator permissions can grant more access but never less than the privacy setting allows.
Workspace admin role
The user who creates a workspace is automatically assigned as a workspace admin. Workspace admins can:
- Update workspace settings (name, description, privacy)
- Add and remove collaborators
- Change collaborator permission levels
- Delete the workspace
Workspace admins are different from application admins. Application admins can manage all workspaces in the application, while workspace admins can only manage their specific workspace.
Best practices
Organize by team and use case
Create separate workspaces for different teams or use cases rather than sharing a single workspace:
- prod-observability — Production monitoring (private, limited collaborators)
- security-investigations — Security team workspace (private)
- team-dashboards — Shared dashboards (anyone can view)
- sandbox — Experimentation workspace (anyone can edit)
Use the principle of least privilege
- Start with Private to collaborators and add people as needed
- Grant Read only by default, upgrade to Read and write only for contributors
- Reserve Admin for workspace owners and leads
Audit collaborator access regularly
Periodically review who has access to each workspace, especially for:
- Workspaces containing sensitive data (security analytics, production metrics)
- Workspaces with "Anyone can edit" privacy — consider whether this is still appropriate
- Collaborators who have left the team or changed roles
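The floor rule from "Permission interactions" and the review items above can be checked together. The following is an added example, not part of OpenSearch UI or its documentation: it models effective permission as the higher of the privacy floor and the collaborator level, then audits a constructed inventory. The inventory field names, ARNs, and team roster are assumptions.

```python
from enum import IntEnum

# Ordered levels: "Read only" = READ, "Read and write" = WRITE, "Admin" = ADMIN.
Level = IntEnum("Level", "NONE READ WRITE ADMIN", start=0)

# Minimum level each privacy setting gives every application user.
PRIVACY_FLOOR = {
    "Private to collaborators": Level.NONE,
    "Anyone can view": Level.READ,
    "Anyone can edit": Level.WRITE,
}

def effective(privacy, collaborators, principal):
    """Higher of the privacy floor and the principal's collaborator level."""
    return max(PRIVACY_FLOOR[privacy], collaborators.get(principal, Level.NONE))

def audit(workspaces, active_principals):
    """Return (workspace, finding) pairs for the review items listed above."""
    findings = []
    for ws in workspaces:
        name, privacy, collabs = ws["name"], ws["privacy"], ws["collaborators"]
        if ws["sensitive"] and privacy != "Private to collaborators":
            findings.append((name, f"sensitive workspace is '{privacy}'"))
        if privacy == "Anyone can edit":
            findings.append((name, "every application user can edit"))
        for principal, level in collabs.items():
            if principal not in active_principals:
                findings.append((name, f"stale collaborator {principal}"))
            elif effective(privacy, collabs, principal) > level:
                findings.append((name, f"{principal}: {level.name} raised by privacy floor"))
    return findings

# Constructed inventory: field names, ARNs and the roster are assumptions,
# not an OpenSearch UI export format.
ALICE = "arn:aws:iam::111122223333:user/alice"
BOB = "arn:aws:iam::111122223333:user/bob"
CAROL = "arn:aws:iam::111122223333:role/former-contractor"
WORKSPACES = [
    {"name": "security-investigations", "sensitive": True, "privacy": "Anyone can view",
     "collaborators": {ALICE: Level.ADMIN, CAROL: Level.WRITE}},
    {"name": "sandbox", "sensitive": False, "privacy": "Anyone can edit",
     "collaborators": {BOB: Level.READ}},
    {"name": "prod-observability", "sensitive": True, "privacy": "Private to collaborators",
     "collaborators": {ALICE: Level.ADMIN, BOB: Level.READ}},
]
ACTIVE = {ALICE, BOB}  # principals still on the team

if __name__ == "__main__":
    for workspace, finding in audit(WORKSPACES, ACTIVE):
        print(f"{workspace}: {finding}")
```

The sandbox finding for a "Read only" collaborator shows why restricting one person inside an "Anyone can edit" workspace has no effect: the privacy setting has to change first.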
Troubleshooting
| Symptom | Likely cause | Resolution |
|---|---|---|
| User can't see a workspace | Workspace is private and user isn't a collaborator | Add the user as a collaborator, or change privacy to "Anyone can view" |
| User can view but not edit | User has "Read only" permission and privacy is "Anyone can view" | Change the user's permission to "Read and write" |
| User can edit but shouldn't be able to | Workspace privacy is "Anyone can edit" | Change privacy to "Anyone can view" or "Private to collaborators" |
| Can't add IAM Identity Center (IDC) users as collaborators | Application doesn't have IDC enabled | IDC collaborators require IDC authentication on the application. See IDC Auth Setup |
| Workspace admin can't delete workspace | User is a workspace admin but not an application admin | Workspace admins can delete their workspace. If this isn't working, verify the user's collaborator permission level is "Admin" |
| New team member can't access any workspaces | User has application access but no workspace assignments | Either add them as a collaborator to specific workspaces, or set workspace privacy to "Anyone can view" |
Related
- Configuration — Application-level settings and admin management
- Create Your First App — Getting started guide
- AWS docs: OpenSearch UI workspaces