Workspaces

Multi-tenant workspaces provide isolated environments for teams, departments, or clients with separate data and resource quotas.

Overview

A workspace is a logically isolated environment within M3 Forge containing:

Workflows — DAG definitions and execution history
Prompts — Prompt templates and test results
Agents — Agent configurations
Knowledge bases — Indexed documents and vector embeddings
Users — Team members with role-based permissions
Settings — LLM connections, API keys, configurations

Workspaces enable:

Multi-tenancy — Serve multiple organizations from one M3 Forge deployment
Department isolation — Separate development and production environments
Client separation — Consulting firms managing workflows for different clients
Cost tracking — Usage metrics per workspace for billing or chargeback

Workspace Architecture

Data Isolation

All database tables use a workspace_id column for strict isolation. Queries automatically filter by workspace:


SELECT * FROM workflows WHERE workspace_id = :current_workspace_id;

This ensures:

No cross-workspace data leakage
Clean separation for security audits
Easy data export per workspace

Storage Isolation

Files are organized by workspace in S3-compatible storage:


s3://marie-bucket/
  workspaces/
    workspace-abc123/
      workflows/
      prompts/
      uploads/
      logs/
    workspace-def456/
      workflows/
      prompts/

Each workspace has its own prefix with isolated access controls.

Resource Quotas

Workspace administrators can set limits on:

Storage — Maximum GB of uploaded files
Workflow executions — Runs per month
LLM API calls — External API requests per month
Users — Maximum team members

When a quota is reached, operations are blocked until usage decreases or quota is increased.

Creating a Workspace

Only platform administrators can create workspaces. Regular users can only switch between workspaces they belong to.

Navigate to Platform Settings

From the main navigation, go to Platform Settings → Workspaces (only visible to platform admins).

Click Create Workspace

Select New Workspace and provide:

Name — Display name (e.g., “Engineering Team”, “ACME Corp”, “Production”)
Identifier — URL-safe slug (e.g., engineering, acme-corp, production)
Description — Brief summary of workspace purpose
Owner — User who will have Owner role in this workspace

Configure Quotas

Set initial resource limits:

Storage quota — 100 GB (default)
Execution quota — 10,000 runs/month (default)
API call quota — 1,000,000 calls/month (default)
User limit — 50 users (default)

Quotas can be adjusted later based on actual usage.

Create

Click Create Workspace. The workspace is immediately available and the specified owner receives an invitation.

Switching Workspaces

Users with access to multiple workspaces can switch between them:

Workspace Switcher

The workspace switcher appears in the top navigation bar showing the current workspace name.

Click the workspace name to see a dropdown of available workspaces. Select a different workspace to switch.

URL-Based Switching

Workspaces are accessible via URL paths:


https://m3-forge.example.com/workspaces/engineering
https://m3-forge.example.com/workspaces/acme-corp

Bookmark specific workspace URLs for quick access.

Persistence

The last-used workspace is remembered and automatically selected on next login.

Workspace Settings

Workspace owners and admins can configure workspace-specific settings.

General

Workspace name — Update display name
Description — Update summary
Icon — Upload custom workspace icon
Default timezone — For timestamp display

Resource Quotas

View current usage and adjust limits:

Resource	Usage	Quota	Actions
Storage	45.2 GB	100 GB	Increase quota
Executions	2,341 / month	10,000 / month	View usage details
API calls	156,892 / month	1,000,000 / month	Export usage report

When approaching quota limits, admins receive email warnings at 80% and 95%.

Billing

For multi-tenant SaaS deployments:

Plan — Free, Pro, Enterprise
Usage billing — Current month charges
Payment method — Credit card or invoice
Invoice history — Download past invoices

Self-hosted deployments do not include billing features.

Danger Zone

Irreversible actions requiring confirmation:

Transfer ownership — Assign owner role to different user
Archive workspace — Mark inactive (data retained but users lose access)
Delete workspace — Permanently remove all data

Deleting a workspace cannot be undone. All workflows, prompts, execution history, and uploaded files are permanently deleted.

User Management

Workspace owners manage users and permissions within their workspace.

Inviting Users

Navigate to Users

From workspace settings, go to Users.

Click Invite User

Select Invite User and provide:

Email — User’s email address
Role — Initial role (Viewer, Editor, Admin, Owner)
Message — Optional invitation message

Send Invitation

The user receives an email with a link to accept the invitation and join the workspace.

Removing Users

To remove a user from the workspace:

Find user in the user list
Click Remove
Confirm removal

The user loses access to this workspace but retains access to other workspaces they belong to.

Changing Roles

Update a user’s role:

Click user in the list
Select new role from dropdown
Changes take effect immediately

See Users and Roles for role details.

Workspace-Scoped Resources

Resources are isolated to their workspace:

Workflows

Workflows created in one workspace are invisible in other workspaces. Export/import is required to move workflows between workspaces.

Prompts

Prompt libraries are workspace-specific. Shared prompts across workspaces require manual duplication or a shared workspace.

LLM Connections

Each workspace configures its own LLM provider connections with separate API keys. This enables:

Different providers per workspace — Use Anthropic in one, OpenAI in another
Billing separation — Track API costs per workspace
Key isolation — Compromised key affects only one workspace

Knowledge Bases

Vector databases and indexed documents are workspace-scoped. Cross-workspace retrieval is not supported.

API Keys

API keys are workspace-specific and only grant access to resources in their workspace.

Multi-Workspace Workflows

Some scenarios require coordination across workspaces:

Shared Prompt Library

Create a dedicated “Shared Prompts” workspace containing reusable prompts. Users import prompts into their workspace when needed.

Development and Production

Use separate workspaces for development and production:

Development workspace — Experimentation and testing
Production workspace — Stable, reviewed workflows only

Promote changes from dev to prod via Git repositories and the Release Pipeline.

Client Isolation

Consulting firms create one workspace per client:

Client A workspace — All Client A workflows and data
Client B workspace — All Client B workflows and data

This ensures strict data separation and independent billing.

Monitoring and Usage

Workspace admins can monitor usage via the workspace dashboard.

Usage Charts

Daily executions — Workflow runs over time
Storage growth — File uploads and log accumulation
API call volume — External LLM requests
User activity — Active users per day

Top Consumers

Identify heaviest resource users:

Top workflows by executions — Which workflows run most frequently
Top workflows by cost — Which workflows consume most LLM tokens
Top users by activity — Most active team members

Alerts

Set up alerts for:

Quota thresholds — 80%, 95% usage
Unexpected spikes — 2x normal daily executions
Failed executions — Error rate above threshold

Use Cases

SaaS Multi-Tenancy

A SaaS provider serving multiple customers:


Workspace: ACME Corp
  - Workflows: Invoice processing, contract extraction
  - Users: 12 ACME employees
  - Quota: 50 GB storage, 5,000 runs/month

Workspace: Globex Inc
  - Workflows: Receipt categorization, expense analysis
  - Users: 8 Globex employees
  - Quota: 30 GB storage, 3,000 runs/month

Each customer has complete isolation and independent billing.

Enterprise Departments

A large enterprise with multiple departments:


Workspace: Finance
  - Workflows: Invoice processing, AP automation
  - Users: Finance team (25 users)
  - LLM connections: Azure OpenAI (compliance requirement)

Workspace: Legal
  - Workflows: Contract review, clause extraction
  - Users: Legal team (10 users)
  - LLM connections: Anthropic Claude (preferred for legal)

Workspace: HR
  - Workflows: Resume parsing, candidate screening
  - Users: HR team (15 users)
  - LLM connections: OpenAI (standard)

Each department operates independently with appropriate access controls.

Development Lifecycle

Separate development and production:


Workspace: Development
  - Purpose: Testing and experimentation
  - Users: All engineers
  - Data: Synthetic test data
  - LLM connections: OpenAI with lower-cost models

Workspace: Production
  - Purpose: Live customer workloads
  - Users: Authorized operators only
  - Data: Real customer documents
  - LLM connections: Azure OpenAI with enterprise SLA

Changes flow from dev to prod via the Release Pipeline.

Best Practices

Workspace Naming

Use clear, descriptive names:

Environment-based — development, staging, production
Department-based — finance-team, legal-department
Client-based — acme-corp, globex-inc

Avoid generic names like workspace-1 or test.

Quota Management

Set conservative initial quotas and increase as needed:

Start with baseline quotas
Monitor usage for 1-2 weeks
Adjust quotas based on actual consumption
Set alerts at 80% to proactively increase before hitting limits

User Access

Follow the principle of least privilege:

Default new users to Viewer role
Grant Editor role for active contributors
Reserve Admin for 2-3 trusted team members
Limit Owner to 1 person per workspace (backup owner optional)

Data Migration

When moving workflows between workspaces:

Export workflows from source workspace via Git repository
Import into destination workspace repository
Update any workspace-specific configurations (LLM connections, API endpoints)
Test thoroughly before using in production

Troubleshooting

Cannot Create Workspace

Cause: Only platform administrators can create workspaces.

Solution: Contact platform admin to create workspace or grant platform admin role.

Quota Exceeded

Cause: Workspace usage hit quota limit.

Solution: Workspace admin can increase quota in settings, or clean up unused data to reduce usage.

User Cannot Access Workspace

Cause: User not invited to workspace or invitation expired.

Solution: Workspace owner must re-invite user.

LLM Connections Not Working

Cause: LLM connections are workspace-scoped and not shared.

Solution: Configure LLM connections separately in each workspace via Settings → LLM Connections.

Next Steps

Configure user roles and permissions
Set up LLM connections per workspace
Generate API keys for workspace automation
Implement Release Pipeline for dev-to-prod promotion