Workspaces are the primary way to organize your OpenSearch UI experience. Each workspace provides a scoped environment with its own set of data sources, saved objects, and navigation tailored to a specific use case like observability, security, or search.
Multi-Source Observability
Workspace types
OpenSearch UI offers five workspace types, each with a curated set of features:
| Workspace Type | Target Audience | Key Features |
|---|---|---|
| Observability | SREs, DevOps engineers | Logs, Traces, Metrics, Services, Application Map, Alerting, Anomaly Detection, Forecasting |
| Security Analytics | Security analysts, SOC teams | Threat alerts, Findings, Correlations, Detection rules, Threat intelligence feeds |
| Search | Search engineers | Search relevance tuning, AI Search Flows, query benchmarking |
| Essentials | Business analysts, stakeholders | Discover, Dashboards, Visualizations with a streamlined navigation |
| Analytics | Power users, data engineers | All features from every workspace type combined into a single view |
Choose the workspace type that matches your team's primary use case. You can always create additional workspaces later.
Creating a workspace
Via the OpenSearch UI
- Launch your OpenSearch UI application
- On the home page, click + Create workspace
- Enter a name and optional description
- Select the use case (Observability, Security Analytics, Search, Essentials, or Analytics)
- Choose which data sources this workspace should have access to
- Configure collaborators (optional)
- Click Create workspace
Workspace settings
When creating a workspace, you configure:
- Name - A descriptive name visible to all collaborators (e.g., "Production Observability", "Security - SOC Team")
- Description - Optional context about the workspace's purpose
- Use case - Determines which navigation items and features are available
- Color - A visual identifier to distinguish workspaces in the sidebar
- Data sources - Which associated data sources are accessible within this workspace
Associating data sources to a workspace
Each workspace can access a subset of the data sources associated with your application. This lets you scope what data each team sees.
- Open the workspace
- Navigate to Workspace settings (gear icon)
- Under Data sources, select the domains and collections this workspace should access
- Click Save
For example, your Observability workspace might only see the logs-domain and apm-domain, while the Security Analytics workspace sees security-lake and siem-domain.
Data source isolation
Workspaces provide logical isolation. Saved objects (dashboards, index patterns, visualizations) created in one workspace are not visible in another. This prevents clutter and ensures teams only see relevant content.
| Scope | Behavior |
|---|---|
| Index patterns | Created per workspace, scoped to workspace data sources |
| Dashboards | Visible only within the workspace where they were created |
| Saved searches | Scoped to the workspace |
| Alerting monitors | Shared across the domain (not workspace-scoped) |
Alerting monitors and anomaly detectors are domain-level features. They are accessible from any workspace that has the domain as a data source.
Workspace privacy and access
Workspaces support two access levels:
- Private - Only the workspace creator and explicitly added collaborators can access it
- Public - All application users can view the workspace (but may have read-only access)
Managing collaborators
- Open the workspace
- Go to Workspace settings then Collaborators
- Click Add collaborators
- Enter the IAM principal ARN or SAML user/group
- Assign a permission level:
- Read only - Can view dashboards and run queries, but cannot create or modify saved objects
- Read and write - Can create and edit dashboards, visualizations, and index patterns
- Admin - Full control over workspace settings, data sources, and collaborators
Example collaborator ARNs:
| Type | ARN Example |
|---|---|
| IAM user | arn:aws:iam::123456789012:user/analyst |
| IAM role | arn:aws:iam::123456789012:role/DevOpsTeam |
| SAML group | saml-group/security-team |
Organizing workspaces for teams
A common pattern for medium-to-large organizations:
| Application | Workspace | Data Sources | Collaborators | Use Case |
|---|---|---|---|---|
| Production Monitoring | SRE - Observability | logs-domain, apm-domain | SRE team (read/write) | Observability |
| Production Monitoring | Security - SOC | siem-domain, security-lake | Security team (read/write) | Security Analytics |
| Production Monitoring | Executive Dashboards | logs-domain, apm-domain | Leadership (read only) | Essentials |
| Production Monitoring | Data Engineering | all domains | Data team (admin) | Analytics |
Switching between workspaces
The workspace switcher is always available in the top-left corner of the OpenSearch UI. Click the workspace name to see all workspaces you have access to and switch between them.
Each workspace maintains its own:
- Navigation sidebar (based on use case type)
- Recently viewed items
- Default index pattern
- Date range settings
Deleting a workspace
- Navigate to Workspace settings
- Scroll to the bottom and click Delete workspace
- Confirm the deletion
Deleting a workspace permanently removes all saved objects within it (dashboards, visualizations, index patterns, saved searches). This action cannot be undone. The underlying data on the domains is not affected.
Best practices
- One workspace per team - Keeps saved objects organized and reduces clutter
- Use descriptive names - Include the team name and purpose (e.g., "Platform - Observability")
- Limit data source scope - Only associate the data sources each team actually needs
- Use read-only access for stakeholders - Prevents accidental modifications to production dashboards
- Create an Analytics workspace for power users - Gives full feature access when needed
Troubleshooting
"No data sources available" when creating a workspace
- Ensure data sources are associated at the application level first
- Check that the data sources are in Active state
- Verify your IAM permissions include es:GetApplication
Collaborator cannot see the workspace
- Confirm the collaborator's IAM ARN or SAML identity is added correctly
- Check that the workspace is not set to Private without the collaborator being listed
- For SAML users, verify the SAML assertion includes the correct group attribute
Saved objects from one workspace appearing in another
- This should not happen since saved objects are workspace-scoped
- If you see shared objects, they may have been imported into both workspaces separately
- Check if the user is in the correct workspace using the workspace switcher
Workspace shows "No index patterns" after creation
- You need to create index patterns within the workspace
- Navigate to Dashboards Management then Index Patterns then Create index pattern
- Select the data source and enter the index pattern (e.g., logs-*)