Workspace Segmentation

Quick Definition

The practice of dividing a documentation platform into isolated environments so different teams or user groups can only access the files and content relevant to their role.

How Workspace Segmentation Works

graph TD
    A[Documentation Platform] --> B[Workspace Segmentation Layer]
    B --> C[Engineering Workspace]
    B --> D[HR & People Ops Workspace]
    B --> E[Customer Support Workspace]
    B --> F[Executive Workspace]
    C --> C1[API Docs, System Architecture, Runbooks]
    D --> D1[Payroll Policies, Onboarding Guides, PII Data]
    E --> E1[Troubleshooting Scripts, SLA Docs, Ticket Templates]
    F --> F1[Board Reports, Financial Summaries, Strategic Plans]
    B --> G[Access Control Engine]
    G --> G1[Role-Based Permissions]
    G --> G2[SSO & Identity Provider]
    style B fill:#4A90D9,color:#fff
    style G fill:#E67E22,color:#fff

Understanding Workspace Segmentation

Key Features

  • Centralized information management
  • Improved documentation workflows
  • Better team collaboration
  • Enhanced user experience

Benefits for Documentation Teams

  • Reduces repetitive documentation tasks
  • Improves content consistency
  • Enables better content reuse
  • Streamlines review processes

Keeping Workspace Segmentation Rules Accessible Across Teams

When onboarding new team members or restructuring access permissions, documentation teams often rely on recorded walkthroughs to explain how workspace segmentation is configured. A platform admin might record a screen-share showing which folders belong to which team, how role-based access is applied, and what happens when a user tries to reach restricted content. It makes sense in the moment — but it creates a real problem over time.

Video recordings of segmentation setups are notoriously hard to reference when someone needs a quick answer. If a technical writer joins mid-project and needs to understand why they can only see certain workspaces, scrubbing through a 45-minute onboarding recording to find the relevant two minutes is inefficient and frustrating. Access rules change, teams reorganize, and the video becomes outdated without any clear indication of what's still accurate.

Converting those recordings into structured documentation changes how your team works with workspace segmentation day-to-day. Instead of rewatching setup walkthroughs, team members can search directly for terms like "restricted folders" or "role permissions" and land on the exact policy that applies to them. You can also version those docs as your segmentation rules evolve, keeping a clear audit trail of who had access to what and when.

Real-World Documentation Use Cases

Preventing Contractors from Accessing Internal Roadmap Docs in a SaaS Company

Problem

A SaaS company uses the same documentation platform for full-time engineers and contracted QA testers. Contractors can browse to internal product roadmap pages and unreleased feature specs, creating IP leakage risk and potential NDA violations.

Solution

Workspace Segmentation isolates the Product Roadmap and Strategy workspace so only full-time employees with a verified corporate email domain can access it. Contractors are provisioned into a separate QA Procedures workspace containing only test plans, bug report templates, and environment setup guides.

Implementation

  1. Audit all existing documentation and tag pages by sensitivity level: Public, Internal, Confidential, and Restricted.
  2. Create two distinct workspaces in the documentation platform — 'FTE Product Workspace' and 'Contractor QA Workspace' — with separate permission groups tied to SSO attributes.
  3. Migrate roadmap, strategy, and unreleased feature docs into the FTE workspace and restrict the Contractor workspace to QA-specific content only.
  4. Configure SSO rules so contractor accounts (identified by non-corporate email domains) are automatically assigned to the Contractor QA Workspace upon login.

Expected Outcome

Zero contractor access to roadmap documents confirmed via access logs; onboarding time for new contractors reduced by 40% because they see only relevant QA content without navigating irrelevant internal pages.
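
The sensitivity tagging and domain-based assignment steps above can be checked in code. This is an added example, not code from the page or from any documentation platform; it assumes OIDC-style SSO claims (`email`, `email_verified`), a constructed corporate domain, and an assumed sensitivity ceiling per workspace.

```python
from typing import Optional

# Constructed values for illustration; none come from the page or a real platform.
CORPORATE_DOMAINS = {"corp.example"}
FTE_WS = "FTE Product Workspace"
CONTRACTOR_WS = "Contractor QA Workspace"
LEVELS = ["Public", "Internal", "Confidential", "Restricted"]
# Assumption: the highest sensitivity tag each workspace may hold.
CEILING = {FTE_WS: "Restricted", CONTRACTOR_WS: "Internal"}


def assign_workspace(claims: dict) -> Optional[str]:
    """Map SSO claims to exactly one workspace; None means refuse the login."""
    email = claims.get("email")
    # Trust only an address the identity provider marks as verified.
    if not isinstance(email, str) or claims.get("email_verified") is not True:
        return None
    local, sep, domain = email.strip().rpartition("@")
    if not (sep and local and domain):
        return None
    # Exact, case-insensitive match on the whole domain. A suffix test such as
    # endswith("corp.example") would also accept "notcorp.example".
    if domain.lower() in CORPORATE_DOMAINS:
        return FTE_WS
    return CONTRACTOR_WS  # anything unrecognised gets the narrower workspace


def misplaced_pages(pages: list) -> list:
    """Return titles whose sensitivity tag exceeds their workspace's ceiling."""
    flagged = []
    for page in pages:
        ceiling = CEILING.get(page.get("workspace"))
        tag = page.get("sensitivity")
        # An untagged page or unknown workspace is flagged, never assumed safe.
        if ceiling is None or tag not in LEVELS:
            flagged.append(page["title"])
        elif LEVELS.index(tag) > LEVELS.index(ceiling):
            flagged.append(page["title"])
    return flagged


PAGES = [  # constructed inventory
    {"title": "Regression test plan", "workspace": CONTRACTOR_WS, "sensitivity": "Internal"},
    {"title": "Q3 roadmap", "workspace": CONTRACTOR_WS, "sensitivity": "Confidential"},
    {"title": "Unreleased feature spec", "workspace": FTE_WS, "sensitivity": "Restricted"},
    {"title": "Environment setup guide", "workspace": CONTRACTOR_WS},
]
```

Running `misplaced_pages` over the page inventory after the migration step catches roadmap content left in the contractor workspace before any contractor logs in.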

Separating HIPAA-Regulated Clinical Docs from General Staff Docs in a Healthcare Provider

Problem

A hospital system stores both general HR policies and HIPAA-regulated clinical protocols in one documentation platform. Billing staff, janitors, and clinical nurses all land in the same document library, creating compliance audit failures because non-clinical staff can technically view protected health information (PHI) handling procedures.

Solution

Workspace Segmentation creates a dedicated Clinical Protocols workspace with strict role-based access limited to licensed clinical staff (nurses, physicians, pharmacists), while all other staff access a General Operations workspace containing HR policies, facilities guides, and administrative procedures.

Implementation

  1. Map all job roles in the HR system to documentation access tiers: Clinical (RN, MD, PharmD) and Non-Clinical (Admin, Facilities, Billing).
  2. Provision two workspaces — 'Clinical Protocols & PHI Procedures' and 'General Staff Operations' — with the clinical workspace requiring an additional MFA step for access.
  3. Integrate the documentation platform with the hospital's Active Directory so role changes (e.g., a nurse moving to administration) automatically revoke clinical workspace access within 24 hours.
  4. Run quarterly access reviews where compliance officers export workspace membership logs and cross-reference them against current HR role assignments.

Expected Outcome

HIPAA compliance audit passed with zero findings related to unauthorized document access; clinical workspace access list reduced from 800 users to 210 verified clinical staff.

Isolating White-Label Client Documentation Portals for a Managed Services Provider

Problem

A managed services provider (MSP) manages IT infrastructure for 12 different enterprise clients. All client-specific runbooks, network diagrams, and incident response procedures live in one shared documentation platform. Client A's engineers can accidentally (or intentionally) view Client B's proprietary network topology and security configurations.

Solution

Workspace Segmentation creates a dedicated, isolated workspace for each client, branded with their logo and terminology. Each workspace contains only that client's infrastructure docs, and client engineers are provisioned exclusively into their own workspace with no cross-workspace navigation possible.

Implementation

  1. Create one workspace per client (e.g., 'Acme Corp IT Runbooks', 'Globex Network Docs') with custom subdomain URLs and client-specific branding.
  2. Provision client users via client-specific SSO integrations so Acme Corp employees authenticate through Acme's identity provider and land only in the Acme workspace.
  3. Migrate all existing client documentation from the shared library into the respective isolated workspaces, removing any cross-client linked pages.
  4. Set up workspace-level audit logging so the MSP's account managers can demonstrate to each client that no other client has accessed their workspace.

Expected Outcome

All 12 clients passed their own internal security reviews of the MSP's documentation practices; MSP won two new enterprise contracts specifically citing the isolated workspace model as a trust differentiator.

Giving External Auditors Read-Only Access to Compliance Docs Without Exposing Engineering IP

Problem

A fintech company undergoes SOC 2 Type II audits annually. Auditors need access to security policies, access control procedures, and incident response plans, but the company's documentation platform also contains proprietary trading algorithm documentation and source code references that must never be shared externally.

Solution

Workspace Segmentation creates a time-limited 'SOC 2 Audit Workspace' containing only the compliance and security policy documents auditors need, with read-only permissions. Engineering and product workspaces remain completely invisible and inaccessible to auditor accounts.

Implementation

  1. Create a dedicated 'External Audit — SOC 2' workspace and populate it only with the 23 policy documents and procedure guides required by the auditor's evidence request list.
  2. Provision auditor accounts with guest-level, read-only access scoped exclusively to the audit workspace, with an automatic account expiration date set to 30 days after audit completion.
  3. Enable workspace-level activity logging so the compliance team can produce a full audit trail showing exactly which documents auditors viewed and when.
  4. After audit completion, archive the audit workspace and revoke all auditor accounts in a single bulk action without affecting any other workspace.

Expected Outcome

SOC 2 audit completed with all evidence delivered through the segmented workspace; zero incidents of auditors accessing non-compliance documentation; audit evidence delivery time reduced from 2 weeks of manual email sharing to 1 day of workspace provisioning.

Best Practices

Map Workspace Boundaries to Org Chart Roles Before Creating Any Workspace

Define workspace boundaries based on actual job functions and data sensitivity levels before touching the documentation platform. Without a role-to-workspace mapping document, teams end up creating overlapping workspaces (e.g., both 'DevOps' and 'Infrastructure' workspaces for the same team) that create confusion and permission gaps. Aligning workspaces to org chart roles ensures that onboarding a new employee automatically places them in the correct workspace via their HR-assigned role.

✓ Do: Create a role-to-workspace matrix spreadsheet listing every job function, their required workspaces, and their permission level (read, edit, admin) before provisioning any workspace.
✗ Don't: Don't create workspaces on demand as teams request them without a governance map — this leads to workspace sprawl where a 200-person company ends up with 47 workspaces, most of them redundant or abandoned.

Integrate Workspace Provisioning Directly with Your Identity Provider via SCIM

Manually assigning users to workspaces creates access drift — former employees retain access, new hires wait days for access, and role changes are never reflected in the documentation platform. Using SCIM (System for Cross-domain Identity Management) to sync your identity provider (Okta, Azure AD, Google Workspace) with your documentation platform ensures workspace membership is always a real-time reflection of current employment and role status. This eliminates the need for documentation admins to manually manage workspace membership.

✓ Do: Configure SCIM provisioning so that when HR marks an employee as terminated in the identity provider, their documentation workspace access is revoked within minutes automatically.
✗ Don't: Don't rely on IT tickets or manual admin requests to add or remove users from workspaces — this creates a backlog where terminated contractors retain access for weeks after offboarding.

Apply the Principle of Least Privilege When Assigning Cross-Workspace Access

Some roles legitimately need access to multiple workspaces — a DevOps engineer may need both the Engineering workspace and the Security workspace. However, granting broad cross-workspace access 'just in case' defeats the purpose of segmentation. Least privilege means granting cross-workspace access only when a specific, documented business need exists, and only at the minimum permission level required (usually read-only for secondary workspaces).

✓ Do: Require a written justification and manager approval for any user who needs access to more than two workspaces, and default all secondary workspace access to read-only.
✗ Don't: Don't grant documentation platform administrators automatic full access to all workspaces — even admins should have segmented access, with super-admin access requiring a separate privileged account.

Conduct Quarterly Workspace Access Reviews and Prune Stale Memberships

Workspace segmentation is not a set-and-forget configuration. As teams reorganize, projects end, and roles evolve, workspace memberships become stale — people retain access to workspaces they no longer need. Quarterly access reviews, where workspace owners export their membership list and validate each user's continued need for access, prevent privilege accumulation and maintain the integrity of the segmentation model. This is also a key control for SOC 2, ISO 27001, and HIPAA compliance frameworks.

✓ Do: Schedule automated quarterly reports that email each workspace owner a list of their current members, requiring them to confirm or revoke access for each user within 10 business days.
✗ Don't: Don't skip access reviews for workspaces that seem stable — a workspace that hasn't changed in 6 months likely contains stale members from completed projects or departed employees.
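
The role-to-workspace matrix from the first best practice and the quarterly review described here fit together in one check, shown below as an added example that is not code from the page or from any platform. The matrix, HR roster and membership export are constructed sample data, and the `read < edit < admin` ordering is an assumption.

```python
PERM_RANK = {"read": 1, "edit": 2, "admin": 3}

# Constructed role-to-workspace matrix: role -> {workspace: highest permission}.
MATRIX = {
    "RN": {"Clinical Protocols & PHI Procedures": "read",
           "General Staff Operations": "read"},
    "Billing": {"General Staff Operations": "edit"},
}
# Constructed HR roster.
HR = {
    "alice": {"role": "RN", "status": "active"},
    "bob": {"role": "Billing", "status": "active"},   # moved from RN to Billing
    "carol": {"role": "RN", "status": "terminated"},
}
# Constructed workspace membership export: (user, workspace, permission).
MEMBERS = [
    ("alice", "Clinical Protocols & PHI Procedures", "read"),
    ("alice", "General Staff Operations", "edit"),
    ("bob", "Clinical Protocols & PHI Procedures", "read"),
    ("bob", "General Staff Operations", "edit"),
    ("carol", "General Staff Operations", "read"),
    ("dave", "General Staff Operations", "read"),
]


def review(matrix, hr, members):
    """Return (user, workspace, reason) for every membership to revoke or fix."""
    findings = []
    for user, workspace, perm in members:
        person = hr.get(user)
        if person is None:
            findings.append((user, workspace, "no HR record"))
        elif person["status"] != "active":
            findings.append((user, workspace, "not active in HR"))
        else:
            allowed = matrix.get(person["role"], {}).get(workspace)
            if allowed is None:
                findings.append((user, workspace, "workspace not in role matrix"))
            # An unknown permission string ranks above admin, so it is flagged.
            elif PERM_RANK.get(perm, 99) > PERM_RANK[allowed]:
                findings.append((user, workspace, f"{perm} exceeds {allowed}"))
    return findings
```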

Create a Dedicated Onboarding Workspace Separate from Role-Specific Workspaces

New employees need access to general company information (culture docs, benefits guides, IT setup instructions) before their role-specific workspace is fully provisioned. Mixing onboarding content into role-specific workspaces clutters them with irrelevant content for existing employees, while creating a dedicated Onboarding workspace gives new hires immediate day-one access to exactly what they need without exposing them to sensitive role-specific content prematurely. Access to the Onboarding workspace can be automatically revoked after 90 days.

✓ Do: Provision all new hires into a read-only 'New Employee Onboarding' workspace on day one, and schedule automatic access expiration at the 90-day mark when full role-specific workspace access is confirmed.
✗ Don't: Don't add onboarding guides, IT setup docs, and HR policy handbooks into the Engineering or Finance workspaces — this forces new hires to request access to sensitive workspaces just to find out how to set up their laptop.
