Every Kodori user belongs to exactly one workspace (we call it a tenant internally). All documents, collections, holds, retention classes, audit events, and API keys are scoped to that workspace — nothing leaks across tenants.
Roles, lowest to highest privilege:
- viewer — can read documents they're explicitly granted on
- contributor — viewer + can upload, organize, and version documents
- auditor — viewer + can read everything in the tenant for audit purposes (read-only escalation)
- admin — contributor + can manage members, holds, retention, and API keys
- owner — admin + tenant-level configuration
The first signed-in user is the owner. Owners and admins promote / demote others on /members. Invites mailed from /members put the recipient straight into the right role on first sign-in.
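
The role list above is not a strict superset chain: auditor adds tenant-wide read but never gains upload, so comparing numeric role ranks would over-grant. The following sketch is an added example, not Kodori's code; the permission names, `User`, `Document`, and `can` are hypothetical, and it follows the list literally (the page does not say whether admins or owners can read documents they were not granted).

```python
from dataclasses import dataclass, field

# Hypothetical permission labels derived from the role list; not Kodori identifiers.
VIEWER = frozenset({"read_granted"})
CONTRIBUTOR = VIEWER | {"upload", "organize", "version"}
AUDITOR = VIEWER | {"read_all"}  # read-only escalation, no write permissions
ADMIN = CONTRIBUTOR | {"manage_members", "manage_holds",
                       "manage_retention", "manage_api_keys"}
OWNER = ADMIN | {"tenant_config"}
ROLE_PERMS = {"viewer": VIEWER, "contributor": CONTRIBUTOR,
              "auditor": AUDITOR, "admin": ADMIN, "owner": OWNER}


@dataclass(frozen=True)
class User:
    id: str
    tenant: str
    role: str


@dataclass
class Document:
    id: str
    tenant: str
    granted: set = field(default_factory=set)  # user ids with an explicit grant


def can(user, action, doc=None):
    """Return True if `user` may perform `action`, optionally on `doc`."""
    perms = ROLE_PERMS.get(user.role)
    if perms is None:
        return False  # unknown role: deny by default
    # Tenant boundary is checked before any role logic, so no role,
    # not even owner, reaches another workspace's objects.
    if doc is not None and doc.tenant != user.tenant:
        return False
    if action == "read":
        if doc is None:
            return False
        if "read_all" in perms:
            return True  # auditor: everything in the same tenant
        return "read_granted" in perms and user.id in doc.granted
    # Every other action is a plain permission lookup, not a rank comparison.
    return action in perms
```
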