Sharing and access control
On the Istari Digital Platform, sharing, roles, optional infosec levels, and control tags work together so teams can collaborate while limiting who can view or change files and systems. Sharing and roles decide who is included and what they can do; infosec levels and control tags add further checks so access can stay within classification and need-to-know policy, not just the share list.
Why does it matter?
- Least privilege: You can grant only the access someone needs (view vs. edit vs. manage permissions) instead of sharing everything broadly.
- Defense in depth: Infosec levels and control tags add constraints on top of sharing, so sensitive work stays visible only to people who meet both role and policy requirements.
- Auditability: Access is explicit—who has which role and which tags is reflected in the product and APIs, which supports reviews and compliance workflows.
Sharing and roles
You share files and systems with people in your organization by assigning a role per person. In the sharing dialogs, you choose among Viewer (read-only), Editor (can edit and share within limits), Administrator (can manage roles up to a point), and Owner (full control including archive). Who can assign which role depends on your own role; for example, editors cannot promote others to Administrator.
See Understanding roles in the user guide for the role matrix and assignment rules.
Infosec levels
When your organization enables information security (infosec) levels, resources carry a classification that caps who can open or change them based on each user’s clearance. Levels appear in the UI (banners, badges, file details) and interact with system and platform maximums.
See Information Security (Infosec) Levels in the user guide. Administrators configure policy in Infosec levels; IT administrators enable the feature in Enabling experimental infosec levels.
Control Tag
What is it?
A control tag is a label attached to resources (and paired with tags on users) so that access is limited to people who satisfy the tag rules. In the UI, control tags appear as colored chips on files, artifacts, and systems. They help classify and organize work and enforce need-to-know on top of normal sharing.
Why does it matter?
Control tags add a policy layer: even if someone is invited to a file or system, they must still meet tag requirements (for example, program or clearance) before they can use the resource.
Key details
- Restriction, not grant: Control tags only narrow who can access a resource; they do not replace sharing or grant access by themselves.
- All tags required: If a resource has multiple control tags, a user must have all of those tags (and still have been shared in). See Terminology.
- Where they apply: Tags can be set on models, artifacts, and systems; users receive tag assignments so the platform can evaluate a match.
- With roles: Tags work together with roles (Viewer, Editor, Administrator, Owner)—you need both appropriate sharing and tag alignment where tags are used.
How it connects to other concepts
- Permissions and sharing: Set in the file or system sharing flows; see Share a system for assigning roles on a system (snapshot collaboration uses the same role model).
- Control plane: Access metadata (who has access, which tags apply) is enforced by the platform services that back the UI and APIs.
Example
Your organization defines a “ITAR” control tag. A model is shared with your team and tagged ITAR; only users who have the ITAR tag assigned to their profile can open it, in addition to normal role checks.
Learn more
- Control tags — view, assign, and manage tags in the user interface.
How to manage access and tags
User guide (UI):
- Sharing and access control — hub for sharing files, control tags, and infosec levels.
- Share a file — step-by-step sharing and roles on files.
- Systems and snapshots — systems, configurations, and snapshots (see also Share a system).
Python client (SDK):
- SDK setup — install and configure the Istari Digital Python client.
- Client reference — sharing and permissions (
create_access,update_access,remove_access,list_access, and related methods on the Istari Digital Python client). - Control tag APIs — define tags and assign them to users, models, and artifacts (see the methods table in the client reference).