- Home
Admin portal
Permissions
Loom uses two access layers: feature permissions (what a user can do in the console) and workspace / domain access (which data a user can reach). Both are enforced by a policy decision point (PDP) on every request; tenant admins always have full access.
- Feature permissions — a capability tree (Domain → Workload → Capability). Grant a capability to a user or group to delegate that action; the PDP evaluates the grant on each call.
- Workspace access — pick a workspace and manage members as Admin / Member / Contributor / Viewer. Each role is recorded in Cosmos and mirrored to a real Azure RBAC assignment on the workspace's backing resource group (Admin/Member → Contributor, Contributor/Viewer → Reader).
- Tenant admin — the user in
LOOM_TENANT_ADMIN_OIDor a member of theLOOM_TENANT_ADMIN_GROUP_IDgroup always has full access and can manage any workspace or domain — including bootstrapping the first grants before any others exist.
Manage per-workspace membership. Each role is recorded in Cosmos and mirrored to a real Azure RBAC assignment on the workspace's backing resource group — Admin/Member grant Contributor, Contributor/Viewer grant Reader. No Microsoft Fabric dependency.