Tenant-wide settings, capacity, governance, audit, and usage for everyone in your organization.

Permissions

Loom uses two access layers: feature permissions (what a user can do in the console) and workspace / domain access (which data a user can reach). Both are enforced by a policy decision point (PDP) on every request; tenant admins always have full access.
  • Feature permissions — a capability tree (Domain → Workload → Capability). Grant a capability to a user or group to delegate that action; the PDP evaluates the grant on each call.
  • Workspace access — pick a workspace and manage members as Admin / Member / Contributor / Viewer. Each role is recorded in Cosmos and mirrored to a real Azure RBAC assignment on the workspace's backing resource group (Admin/Member → Contributor, Contributor/Viewer → Reader).
  • Tenant admin — the user in LOOM_TENANT_ADMIN_OID or a member of the LOOM_TENANT_ADMIN_GROUP_ID group always has full access and can manage any workspace or domain — including bootstrapping the first grants before any others exist.
Manage per-workspace membership. Each role is recorded in Cosmos and mirrored to a real Azure RBAC assignment on the workspace's backing resource group — Admin/Member grant Contributor, Contributor/Viewer grant Reader. No Microsoft Fabric dependency.