Introduction to User, Group & Workspace Management#
Workiva’s Admin APIs enable programmatic management of users, groups, and workspaces within your organization. This guide walks you through common scenarios including managing workspace memberships, creating and managing groups, assigning roles, and setting resource-level permissions.
Before getting started, make sure you have credentials set up.
This guide covers the following scenarios:
Key Concepts#
Concept |
Description |
|---|---|
Organization |
The top-level container for all workspaces and users. Identified by a UUID ( |
Workspace |
A container within an organization that holds files, documents, and spreadsheets. Users are granted access via workspace memberships. |
Workspace Membership |
The record linking a user to a workspace. The membership has its own |
Workspace Role |
A named role (e.g. “Workspace Owner”) that can be assigned to a membership to control workspace-level capabilities. |
Group |
A named collection of users within a workspace. A group can be used as a principal when assigning resource-level permissions. |
Permission |
A resource-level access level (e.g. “Editor”, “Viewer”, “Owner”) applied to a specific document, spreadsheet, or file. Permissions are not set at the workspace level — they are set on individual resources. |
Principal |
The entity (user or group) to whom a permission is granted on a resource. To assign a permission to a group, use the group’s |
Best Practices: Group-Based Permission Management#
Why Use Groups for Permission Management?#
Managing permissions through groups is significantly more efficient and scalable than assigning permissions individually to each user. While Workiva allows you to assign permissions directly to individual users on each resource (documents, spreadsheets, files), this approach becomes increasingly difficult to maintain as your workspace grows.
Key Benefits of Group-Based Permissions#
Benefit |
Group-Based Approach |
Individual Permission Approach |
|---|---|---|
Scalability |
Add/remove a user from a group once; they automatically gain/lose permissions on all resources shared with that group |
Must manually update permissions on every resource for each user change |
Maintainability |
Change a group’s permission level once to update access for all members across all resources |
Must individually update each user’s permission on each resource |
Audit & Compliance |
Clear group names (e.g., “Finance Reviewers”) make it easy to understand who has access and why |
Individual permissions require checking each user on each resource |
Onboarding/Offboarding |
Add new employee to relevant groups; they immediately inherit all appropriate permissions |
Must manually grant permissions on every resource the user needs |
Error Reduction |
Centralized group management reduces risk of missing a resource when granting/revoking access |
Easy to accidentally forget to update a resource when managing permissions individually |
When to Use Groups vs. Individual Permissions#
Use Groups When:
Multiple users need the same level of access to multiple resources
You have functional teams or roles (e.g., “Finance Team”, “Audit Reviewers”, “External Auditors”)
You need to manage permissions across many documents/spreadsheets
You anticipate frequent user onboarding/offboarding
You need clear audit trails showing why users have access
Use Individual Permissions When:
A single user needs unique, one-off access to a specific resource
The access requirement is temporary or exceptional
You have a very small workspace with minimal resources (though even then, groups often make sense for future scalability)
Common Use Cases for Groups#
Example 1: Finance Department Structure
Finance Team (Group)
├── Q1 2026 Financial Report (Editor)
├── Budget Workbook (Editor)
├── Variance Analysis (Viewer)
└── Monthly Close Checklist (Owner)
Senior Finance Leadership (Group)
├── Q1 2026 Financial Report (Owner)
├── Board Presentation (Owner)
└── Strategic Planning Doc (Editor)
External Auditors (Group)
├── Q1 2026 Financial Report (Viewer)
└── Supporting Schedules (Viewer)
When a new finance analyst joins, you simply add them to the “Finance Team” group. They immediately gain Editor access to the quarterly report and budget workbook, Viewer access to variance analysis, and Owner access to the monthly checklist—without needing to manually assign permissions on each resource.
Example 2: Project-Based Access
Project Alpha Team (Group)
├── Project Plan (Editor)
├── Requirements Doc (Editor)
├── Design Specs (Editor)
└── Status Reports (Owner)
When the project ends, remove all team members from the “Project Alpha Team” group in one operation, instantly revoking their access to all project resources.
Example 3: External Collaboration
External Consultants Q1 (Group)
├── Shared Workbook (Viewer)
├── Draft Report (Viewer)
└── Meeting Notes (None)
Create a time-bound group for external parties, making it easy to grant limited access and revoke it entirely when the engagement ends.
Recommended Workflow#
Create groups based on functional roles or teams (e.g., “Finance Team”, “Legal Reviewers”, “Board Members”)
Add users to the appropriate groups based on their role
Assign group permissions on resources rather than individual user permissions
Manage access by updating group memberships, not by changing individual resource permissions
This approach ensures that:
Access control is centralized and predictable
New resources can be quickly shared with the right teams
User lifecycle events (hiring, role changes, terminations) are handled consistently
Compliance audits are simplified (permissions are tied to clear business roles)
Performance Considerations#
Managing permissions through groups also reduces API calls and improves automation performance:
Adding a user to 1 group that has permissions on 50 resources = 1 API call
Adding individual permissions for 1 user on 50 resources = 50 API calls
For bulk operations, the efficiency gain is even more pronounced. Adding 10 users to a group with access to 100 resources requires just 10 API calls (one per user added to the group), versus 1,000 API calls if managing individual permissions.
Adding Users to a Workspace#
Users are added to a workspace by creating a workspace membership. There are two endpoints available depending on whether you need to control notification behavior.
Option 1 — Standard Membership Creation#
Use the create workspace membership endpoint.
Required scope: organization:write
curl -X POST "https://api.app.wdesk.com/organizations/${ORG_ID}/workspaces/${WORKSPACE_ID}/memberships" \
-H "Authorization: Bearer ${TOKEN}" \
-H "Content-Type: application/json" \
-H "X-Version: 2026-01-01" \
-d '{
"user": {
"id": "V1ZVd2VyFzU3NiQ1NDA4NjIzNzk2MjD"
},
"workspace": {
"id": "QWNjb3VudB81NjM5NDQ1NjA0NzI4ODMy"
}
}'
Option 2 — Membership Creation with Notification Options#
Use the membership creation with options endpoint when you need to control whether a welcome email or notification is sent to the new member.
Required scope: organization:write
curl -X POST "https://api.app.wdesk.com/organizations/${ORG_ID}/workspaces/${WORKSPACE_ID}/memberships/membershipCreation" \
-H "Authorization: Bearer ${TOKEN}" \
-H "Content-Type: application/json" \
-H "X-Version: 2026-01-01" \
-d '{
"user": "V1ZVd2VyFzU3NiQ1NDA4NjIzNzk2MjD",
"options": {
"notifyNewMember": false,
"sendWelcomeEmail": true
}
}'
{
"id": "TWVtYmVyc2hpcB81NzY1OTM4MzY0Mjg0OTI4",
"user": {
"displayName": "Jane Smith",
"id": "V1ZVd2VyFzU3NiQ1NDA4NjIzNzk2MjD"
},
"workspace": {
"id": "QWNjb3VudB81NjM5NDQ1NjA0NzI4ODMy",
"name": "Q1 Financial Reporting"
},
"created": { "dateTime": "2026-01-15T10:05:00Z" },
"modified": { "dateTime": "2026-01-15T10:05:00Z" }
}
Save the returned id as your MEMBERSHIP_ID to manage this user’s membership.
Removing Users from a Workspace#
Use the delete workspace membership endpoint to remove a user from a workspace. This requires the user’s workspaceMembershipId. If you don’t have it, look it up first (see Managing Users’ Workspace Memberships).
Required scope: organization:write
curl -X DELETE "https://api.app.wdesk.com/organizations/${ORG_ID}/workspaces/${WORKSPACE_ID}/memberships/${MEMBERSHIP_ID}" \
-H "Authorization: Bearer ${TOKEN}" \
-H "X-Version: 2026-01-01"
A successful deletion returns 204 No Content with no response body.
Managing Users’ Workspace Memberships#
List All Memberships in a Workspace#
Use the list workspace memberships endpoint to retrieve all memberships.
Required scope: organization:read
curl -X GET "https://api.app.wdesk.com/organizations/${ORG_ID}/workspaces/${WORKSPACE_ID}/memberships" \
-H "Authorization: Bearer ${TOKEN}" \
-H "X-Version: 2026-01-01"
The response uses pagination. Use $next and $maxpagesize query parameters to paginate through large result sets, and filter by user properties using $filter.
Available filter fields: user.id, user.email, user.displayName, user.username, user.status, id, created, modified
curl -G "https://api.app.wdesk.com/organizations/${ORG_ID}/workspaces/${WORKSPACE_ID}/memberships" \
-H "Authorization: Bearer ${TOKEN}" \
-H "X-Version: 2026-01-01" \
--data-urlencode '$filter=user.email eq "jane.smith@example.com"'
{
"data": [
{
"id": "TWVtYmVyc2hpcB81NzY1OTM4MzY0Mjg0OTI4",
"user": {
"displayName": "Jane Smith",
"id": "V1ZVd2VyFzU3NiQ1NDA4NjIzNzk2MjD"
},
"workspace": {
"id": "QWNjb3VudB81NjM5NDQ1NjA0NzI4ODMy",
"name": "Q1 Financial Reporting"
}
}
]
}
Retrieve a Single Membership#
Use the get workspace membership endpoint to retrieve details for a specific membership.
Required scope: organization:read
curl -X GET "https://api.app.wdesk.com/organizations/${ORG_ID}/workspaces/${WORKSPACE_ID}/memberships/${MEMBERSHIP_ID}" \
-H "Authorization: Bearer ${TOKEN}" \
-H "X-Version: 2026-01-01"
View Available Workspace Roles#
Before assigning roles to a member, use the list workspace roles endpoint to retrieve the available roles.
Required scope: organization:read
curl -X GET "https://api.app.wdesk.com/organizations/${ORG_ID}/workspaces/${WORKSPACE_ID}/roles" \
-H "Authorization: Bearer ${TOKEN}" \
-H "X-Version: 2026-01-01"
{
"data": [
{ "id": "5b9e47c8-78ab-4ef8-847f-036e2f7dc986", "name": "Workspace Owner" },
{ "id": "e6bd2af1-d3b8-41fb-87d3-55323eea5e18", "name": "XBRL Manager" }
]
}
Assign Workspace Roles to a Member#
Use the assign workspace roles endpoint to assign roles to a membership. Pass an array of role IDs. If any single assignment fails, all assignments in the request fail.
Required scope: organization:write
curl -X POST "https://api.app.wdesk.com/organizations/${ORG_ID}/workspaces/${WORKSPACE_ID}/memberships/${MEMBERSHIP_ID}/roles/assignment" \
-H "Authorization: Bearer ${TOKEN}" \
-H "Content-Type: application/json" \
-H "X-Version: 2026-01-01" \
-d '["5b9e47c8-78ab-4ef8-847f-036e2f7dc986", "e6bd2af1-d3b8-41fb-87d3-55323eea5e18"]'
This is an asynchronous operation. A 202 Accepted response is returned with a Location header. Poll that URL to confirm completion. For more information, see Introduction to Operations.
curl -X GET "https://api.app.wdesk.com/operations/{operationId}" \
-H "Authorization: Bearer ${TOKEN}" \
-H "X-Version: 2026-01-01"
Revoke Workspace Roles from a Member#
Use the revoke workspace roles endpoint to revoke roles from a membership. Pass an array of role IDs. If any revocation fails, all revocations fail.
Required scope: organization:write
curl -X POST "https://api.app.wdesk.com/organizations/${ORG_ID}/workspaces/${WORKSPACE_ID}/memberships/${MEMBERSHIP_ID}/roles/revocation" \
-H "Authorization: Bearer ${TOKEN}" \
-H "Content-Type: application/json" \
-H "X-Version: 2026-01-01" \
-d '["e6bd2af1-d3b8-41fb-87d3-55323eea5e18"]'
Returns 202 Accepted with a Location header to poll for the result. For more information, see Introduction to Operations.
Creating Groups#
Groups are collections of users within a workspace. Once created, a group can be used as a principal on any resource permission — giving all group members that permission simultaneously.
Use the create workspace group endpoint to create a new group.
Required scope: organization:write
curl -X POST "https://api.app.wdesk.com/organizations/${ORG_ID}/workspaces/${WORKSPACE_ID}/groups" \
-H "Authorization: Bearer ${TOKEN}" \
-H "Content-Type: application/json" \
-H "X-Version: 2026-01-01" \
-d '{
"name": "Finance Reviewers"
}'
{
"id": "V0ZHcm91cB5XRkdyb3VwOkFMTF9VU6VSUsbxMkE1NZUyNDg8",
"name": "Finance Reviewers",
"memberCount": 0,
"created": {
"dateTime": "2026-01-15T10:10:00Z",
"user": { "id": "V0ZVc2VyHzExNzE7MTMzOTB" }
},
"modified": { "dateTime": "2026-01-15T10:10:00Z" }
}
Save the group id as GROUP_ID for subsequent requests.
List Groups in a Workspace#
Use the list workspace groups endpoint to retrieve groups. You can filter by group name or check which groups a user belongs to.
Required scope: organization:read
curl -X GET "https://api.app.wdesk.com/organizations/${ORG_ID}/workspaces/${WORKSPACE_ID}/groups" \
-H "Authorization: Bearer ${TOKEN}" \
-H "X-Version: 2026-01-01"
curl -G "https://api.app.wdesk.com/organizations/${ORG_ID}/workspaces/${WORKSPACE_ID}/groups" \
-H "Authorization: Bearer ${TOKEN}" \
-H "X-Version: 2026-01-01" \
--data-urlencode '$filter=name eq "Finance Reviewers"'
curl -G "https://api.app.wdesk.com/organizations/${ORG_ID}/workspaces/${WORKSPACE_ID}/groups" \
-H "Authorization: Bearer ${TOKEN}" \
-H "X-Version: 2026-01-01" \
--data-urlencode '$filter=members contains "V0ZVc2VyHzExNzE7MTMzOTB"'
List Members of a Group#
Use the list group members endpoint to retrieve the members of a group.
Required scope: organization:read
curl -X GET "https://api.app.wdesk.com/organizations/${ORG_ID}/workspaces/${WORKSPACE_ID}/groups/${GROUP_ID}/members" \
-H "Authorization: Bearer ${TOKEN}" \
-H "X-Version: 2026-01-01"
{
"data": [
{ "id": "V0ZVc2VyHzExNzE8MTMvOTB" },
{ "id": "V0ZVc2VyHzExNzE6MTMxNTE" }
]
}
Adding Users to a Group#
The modify group members endpoint handles both adding and removing members in a single request. User IDs are passed in toAdd and toRemove arrays.
Required scope: organization:write
Add a Single User to a Group#
curl -X POST "https://api.app.wdesk.com/organizations/${ORG_ID}/workspaces/${WORKSPACE_ID}/groups/${GROUP_ID}/members/modification" \
-H "Authorization: Bearer ${TOKEN}" \
-H "Content-Type: application/json" \
-H "X-Version: 2026-01-01" \
-d '{
"toAdd": [
"V0ZVc2VyHzExNzE7MTMzOTB"
]
}'
A successful response returns 204 No Content.
Add Multiple Users to a Group (Bulk)#
Include multiple user IDs in the toAdd array in a single request:
curl -X POST "https://api.app.wdesk.com/organizations/${ORG_ID}/workspaces/${WORKSPACE_ID}/groups/${GROUP_ID}/members/modification" \
-H "Authorization: Bearer ${TOKEN}" \
-H "Content-Type: application/json" \
-H "X-Version: 2026-01-01" \
-d '{
"toAdd": [
"V0ZVc2VyHzExNzE7MTMzOTB",
"V0ZVc2VyHzExNzE4MTM0NDA",
"V0ZVc2VyHzExNzE1MTM1NTE",
"V0ZVc2VyHzExNzE2MTM2NjI"
]
}'
When failures are encountered for particular members, error responses are returned for each failed member individually.
Removing Users from a Group#
Use the same modify group members endpoint, placing user IDs in the toRemove array.
Required scope: organization:write
Remove a Single User from a Group#
curl -X POST "https://api.app.wdesk.com/organizations/${ORG_ID}/workspaces/${WORKSPACE_ID}/groups/${GROUP_ID}/members/modification" \
-H "Authorization: Bearer ${TOKEN}" \
-H "Content-Type: application/json" \
-H "X-Version: 2026-01-01" \
-d '{
"toRemove": [
"V0ZVc2VyHzExSDkzMzM1NDC"
]
}'
Remove Multiple Users from a Group (Bulk)#
curl -X POST "https://api.app.wdesk.com/organizations/${ORG_ID}/workspaces/${WORKSPACE_ID}/groups/${GROUP_ID}/members/modification" \
-H "Authorization: Bearer ${TOKEN}" \
-H "Content-Type: application/json" \
-H "X-Version: 2026-01-01" \
-d '{
"toRemove": [
"V0ZVc2VyHzExSDkzMzM1NDC",
"V0ZVc2VyHzExNzE4MTM0NDA",
"V0ZVc2VyHzExNzE1MTM1NTE"
]
}'
Add and Remove Members in One Request#
The modification endpoint supports combining toAdd and toRemove in a single call, which is useful for replacing a group’s membership in one atomic operation:
curl -X POST "https://api.app.wdesk.com/organizations/${ORG_ID}/workspaces/${WORKSPACE_ID}/groups/${GROUP_ID}/members/modification" \
-H "Authorization: Bearer ${TOKEN}" \
-H "Content-Type: application/json" \
-H "X-Version: 2026-01-01" \
-d '{
"toAdd": [
"V0ZVc2VyHzExODjzNzM3NDA"
],
"toRemove": [
"V0ZVc2VyHzExSDkzMzM1NDC"
]
}'
Assigning Permissions to a Group on a Resource#
Note
Permissions in Workiva are set at the resource level — on a specific document, spreadsheet, or file — not at the workspace level. A Group can be used as the principal in a permission assignment, which grants that permission level to all members of the group on that resource.
Step 1 — Look Up Available Permission Types#
Use the list permissions endpoint to retrieve the available permission types.
Required scope: file:read
curl -X GET "https://api.app.wdesk.com/permissions" \
-H "Authorization: Bearer ${TOKEN}" \
-H "X-Version: 2026-01-01"
{
"data": [
{ "id": "598e8fa3-3e7c-4fb7-b662-f44522216e2b", "name": "Owner" },
{ "id": "85aa87ee-beb9-4417-8fa0-420e9de63534", "name": "Editor" },
{ "id": "228d55c7-10d0-4ac3-85a3-1ac30ae97ac1", "name": "Viewer" },
{ "id": "23692e42-0e0d-463d-b1fb-f28096b7bc96", "name": "None" }
]
}
Step 2 — Assign a Permission to a Group on a Document#
Use the document permissions modification endpoint. Use the group’s id as the principal value. The principalType of the principal is inferred from the ID format — group IDs are automatically recognized as group principals.
Required scope: file:write
curl -X POST "https://api.app.wdesk.com/documents/${DOCUMENT_ID}/permissions/modification" \
-H "Authorization: Bearer ${TOKEN}" \
-H "Content-Type: application/json" \
-H "X-Version: 2026-01-01" \
-d '{
"toAssign": [
{
"permission": "85aa87ee-beb9-4417-8fa0-420e9de63534",
"principal": "V0ZHcm91cB5XRkdyb3VwOkFMTF9VU6VSUsbxMkE1NZUyNDg8"
}
]
}'
A successful response returns 204 No Content, meaning all members of the “Finance Reviewers” group now have Editor access to the document.
Step 3 — Assign a Permission to a Group on a Spreadsheet#
Use the spreadsheet permissions modification endpoint. The same pattern applies for spreadsheets:
Required scope: file:write
curl -X POST "https://api.app.wdesk.com/spreadsheets/${SPREADSHEET_ID}/permissions/modification" \
-H "Authorization: Bearer ${TOKEN}" \
-H "Content-Type: application/json" \
-H "X-Version: 2026-01-01" \
-d '{
"toAssign": [
{
"permission": "228d55c7-10d0-4ac3-85a3-1ac30ae97ac1",
"principal": "V0ZHcm91cB5XRkdyb3VwOkFMTF9VU6VSUsbxMkE1NZUyNDg8"
}
]
}'
Step 4 — Update an Existing Permission for a Group#
To change a group’s permission level on a resource, you must revoke the existing permission and assign the new one. This can be done in a single request using the document permissions modification endpoint:
curl -X POST "https://api.app.wdesk.com/documents/${DOCUMENT_ID}/permissions/modification" \
-H "Authorization: Bearer ${TOKEN}" \
-H "Content-Type: application/json" \
-H "X-Version: 2026-01-01" \
-d '{
"toRevoke": [
{
"permission": "85aa87ee-beb9-4417-8fa0-420e9de63534",
"principal": "V0ZHcm91cB5XRkdyb3VwOkFMTF9VU6VSUsbxMkE1NZUyNDg8"
}
],
"toAssign": [
{
"permission": "228d55c7-10d0-4ac3-85a3-1ac30ae97ac1",
"principal": "V0ZHcm91cB5XRkdyb3VwOkFMTF9VU6VSUsbxMkE1NZUyNDg8"
}
]
}'
This atomically downgrades the group’s access from Editor to Viewer. If any modification in the request fails, all modifications fail.
Assigning Permissions on Other Resource Types#
The same permissions modification pattern is available for other resource types:
Resource |
Endpoint |
Reference |
|---|---|---|
Document |
|
|
Spreadsheet |
|
|
File |
|
Summary of Admin API Endpoints#
Operation |
Method |
Endpoint |
Required Scope |
|---|---|---|---|
Create workspace |
|
|
|
List workspaces |
|
|
|
Add user to workspace |
|
|
|
Add user with options |
|
|
|
List workspace memberships |
|
|
|
Get single membership |
|
|
|
Remove user from workspace |
|
|
|
List workspace roles |
|
|
|
Assign workspace roles |
|
|
|
Revoke workspace roles |
|
|
|
Create group |
|
|
|
List groups |
|
|
|
List group members |
|
|
|
Add/remove group members |
|
|
|
List permissions |
|
|
|
Modify document permissions |
|
|
|
Modify spreadsheet permissions |
|
|
|
Modify file permissions |
|
|
|