How to Create a Locked-Down Deployment with Restricted Access

Overview

If you need to deploy an application with restricted access for regulatory, security, or privacy purposes, you can use workspace-level isolation to ensure only authorized users can access the deployment and its resources.

Solution: Workspace-Scoped Access Control

Deployments in LangSmith are workspace-scoped, meaning access is automatically restricted to workspace members. By creating a dedicated workspace and limiting membership, you can ensure your deployment remains secure and isolated.

Step-by-Step Guide

1. Create a New Workspace

Create a dedicated workspace within your organization specifically for the restricted deployment:

• Navigate to your organization settings

• Create a new workspace with a descriptive name

• This workspace will serve as the isolated environment for your deployment

2. Invite Only Authorized Users

Restrict workspace access by only inviting users who need access to the deployment:

• Add only the specific individuals who require access

• Do not add additional members unless necessary

• Each workspace member will automatically have access to all deployments within that workspace

3. Deploy Your Application

Deploy your application to the newly created restricted workspace:

• Deploy your fork or application to the dedicated workspace

• The deployment and all its resources (including sensitive documents) will be automatically scoped to workspace members only

• No users outside the workspace can see or access the deployment

4. Configure Role-Based Access Control (Enterprise)

For Enterprise plans, you can further refine permissions within the workspace using RBAC:

• Viewer: Read-only access to deployments

• Editor: Can modify and manage deployments

• Admin: Full control over workspace settings and members

This allows you to grant different permission levels even within the restricted workspace.

Access Control Behavior

Once configured:

• Only workspace members can see the deployment

• Only workspace members can access deployment resources

• Only workspace members can interact with the deployed application

• Users outside the workspace cannot discover or access the deployment

• Organization-level visibility does not extend to workspace-scoped deployments

Use Cases

This approach is ideal for:

• Regulatory Compliance: Deployments that handle regulated data requiring limited access

• Sensitive Documents: Applications processing confidential or proprietary information

• Internal Tools: Restricted-access tools for specific teams or projects

• Client Projects: Isolated deployments for specific clients with confidentiality requirements

• Testing Environments: Secure testing with sensitive production data

Additional Resources

• Setting up workspaces

• Role-based access control (RBAC)

• Deployments overview

Best Practices

1. Principle of Least Privilege: Only add users who absolutely need access

2. Regular Audits: Periodically review workspace membership to ensure it remains current

3. Use RBAC: Assign the minimum permission level required for each user's role

4. Document Access: Maintain a record of who has access and why for compliance purposes

5. Separate Workspaces: Don't reuse restricted workspaces for other projects to maintain isolation

Summary

To create a locked-down deployment:

1. Create a dedicated workspace in your organization

2. Invite only authorized users to that workspace

3. Deploy your application to the restricted workspace

4. Optionally configure RBAC for fine-grained permissions

This workspace-scoped approach provides automatic access control without requiring additional configuration, making it the recommended method for deployments requiring restricted access.