Virtual Workspaces

Reduce Complexity by Segregating Your Data With Virtual Workspaces.


With Virtual Workspaces you can control at the individual Fact Sheet level, which users can "read" (view/see) and "write" (edit/update) that particular Fact Sheet. There are several Use Cases for this functionality. One of the most powerful is the creation of seamless separation of a workspace into two or more "workspaces" or "views" which are tailored to specific groups/departments.

With the standard workspace you may have 2000 Fact Sheets in total, counting all Fact Sheets under all Fact Sheet types. When a user logins they see all of these Fact Sheets. Imagine being able to login as an HR/Administrative user and seeing a total of 60 Fact Sheets, throughout the entire workspace? This is what Virtual Workspaces allows an organization to accomplish. A view tailored to a detailed level. These views can be created using whichever concepts makes the most sense for your Use Cases, some examples are by Brand, Region (Americas, Asia, Europe etc), and Department.

In the example below, the decision was made to create Virtual Workspaces based around the concept of departments. Signing into LeanIX as a user assigned to "Finance", I see a tailored view of only those Business Capabilities, Applications etc that are assigned to Finance. In addition, this continues within Reporting, where I automatically (without the use of filters), see only those Fact Sheets assigned to Finance.


No filters have been applied, this is the default view of Business Capabilities of a user assigned to the ACE of Finance.


This is the default view, of the standard Application Matrix report (not a custom report). This is the default view for a user signing in with the ACE of Finance.

How does it work

With Virtual Workspaces you can control which Fact Sheet can be viewed (Read Access) and edited (Write Access).

A Virtual Workspace is represented by an Access Control Entity (ACE) which, through the Identity Provider, is assigned to the user and managed on Fact Sheets. The available ACEs can be configured in the Administration area of the workspace. In order to implement Virtual Workspaces, your organization needs to have SSO configured, and in addition your Identify Provider needs to be set to External IDP. Please see the documentation on External IDPs.

After ensuring that your Identity Provider is set up as External IDP. The next steps are to create the Access Control List (groups), and then assign them to Fact Sheets.

Creating an Access Control List

In order to get started, you need to decide what concept to use in order to create your Virtual Workspaces. Do you need to group users by Region or Department? Once that decision is made, access the Administration area and select Access Control.

Continuing on with the same example, you can see below, that several other Access Controls have been created in addition to "Finance". The Access Control List is where you define each group, that you will be utilizing to assign access to. Again you can chose whichever concept makes the most sense for your Use Case, instead of Departments, you can use Regions, or Brands.

Assigning Access Control to Fact Sheets

In order to divide a workspace into Virtual Workspaces, you will need to assign "read" (who can view this Fact Sheet), and write (who can edit this Fact Sheet) access to each Fact Sheet. This can be done relatively easily utilizing the Import/Export. Simply follow the normal process you use in order to Export/Import and select the "Read Access", and "Write Access" from table view.

In addition, just like with any other attribute (field), you can also assign read and write access to each Fact Sheet individually. Only Administrators have access to the subsection below. In addition, other users are not even able to see this subsection.

You can assign as many Access Control Lists as you need to, you are not limited to associating just one Access Control List per Fact Sheet.

Now, this Fact Sheet is only viewable to users assigned to the "Finance" Access Control List, in addition they are the only users who can edit this Fact Sheet.


If you leave the Read access blank for a Fact Sheet that means that ALL users can view that Fact Sheet. Similarly, if you leave write access blank, that means that ALL users can edit that Fact Sheet.

If you have defined an Access Control List like Finance under Read Access, and Write access was blank. That would mean that Finance users would be able to Read and Write this Fact Sheet.

SSO Configuration

As previously explained, Virtual Workspaces require that your SSO be set-up as External IDP. The main difference between this option and the other option (there are only two), is that with this option, you send the "role" to assign to each user, from your system (meaning you do not manage the Role within LeanIX).

With the addition of Virtual Workspaces, your SSO will need to be updated. A new attribute with the name of EntryACI needs to be created. The value for that attribute, for each user needs to be defined within your SSO system. For example following the user who is assigned to "Finance". This means that the EntryACI for this user would be populated with "finance", while the role is populated with MEMBER.

Take note that the EntryACI in this case is in "lower case letters", this is because in the Access Control List (Administration>Access Control) )within LeanIX. The ID is defined as "finance", while the display Name is defined as "Finance".

Your SSO will continue to send us the "role" attribute. This does Not need to be changed. The role attribute is where you define, which of the 3 standard roles, each user is assigned. The three standard roles are MEMBER, VIEWER, and ADMIN.

The standard authorization model, works hand and hand with Virtual Workspaces. The authorization model (in general) works at the Fact Sheet TYPE level, to allow you to define read, write, update, delete access and more at an attribute level (examples of attributes are description, functional fit) on each Fact Sheet TYPE (examples of Fact Sheet TYPES are Application and ITComponent). Although the standard authorization model is very flexible, it is not possible to control read and write access to individual Fact Sheets. This is where Virtual Workspaces comes in.


The IDs defined in the Access Control List within LeanIX (Administration>Access Control), which are then assigned to Fact Sheets. Must match what your SSO system is sending as the value within the "attribute" of EntryACI.

Upkeep of Access Control

It's exciting that maintenance should be relatively minor in nature. In the configuration you can choose for each Fact Sheet type if new Fact Sheets are created unrestricted or if the users ACL is inherited to the read and write restriction of this new Fact Sheet. For example: When a user assigned to Finance creates a new Fact Sheet, that Fact Sheet will automatically have Read and Write access set to "Finance".

Use Cases

Segregate your Virtual Workspace by Legal Entities. Allow users to only see Fact Sheets that belong to their Legal Entity.

Segregate your Virtual Workspace by Teams. Allow users to only edit Fact Sheets belonging to their team.

Hide highly sensitive Fact Sheets from unauthorized users. In acquisition and merger scenarios for example, tag Fact Sheets according to affected Legal Entities.

Scenario 1: Unrestricted

This means that all new Fact Sheets of the type will be visible and editable for every user of the workspace, i.e. both Read Access and Write Access are black.

As a result all users can collaborate on all Fact Sheets of that type. Also, you only can create a relation if you have "Write Access" to both Fact Sheets.

Scenario 2: Write Restricted

All new Fact Sheets of the type will be visible for every user of the workspace, i.e., "Read Access" is being kept empty. The "Write Access" field will be assigned with the values that a user creating the Fact Sheet has: E.g. if a user has the ACE "Marketing", then the "Write Access" field will hold the value "Marketing" and therefore only be editable by other users having the ACE "Marketing".

As a result all users can view all Fact Sheets of that type but only edit "their" Fact Sheets.

Scenario 3: Read & Write Restricted

All new Fact Sheets of the type will only be visible and editable for users of the respective virtual workspace. The fields "Read Access" and "Write Access" field will be assigned with the values that a user creating the Fact Sheet has: E.g. if a user has the ACE "Marketing", then both "Read Access" and "Write Access" field will hold the value "Marketing" and therefore only be viewable and editable by other users having the ACE "Marketing".

As a result only users of the respective Virtual Workspace can view and edit Fact Sheets of that type for their Virtual Workspace.


Smart Tip

Watch the recording of our Virtual Workspaces Webinar in the LeanIX Academy, for a complete overview and a very comprehensive demo.