> For clean Markdown of any page, append .md to the page URL.
> For a complete documentation index, see https://help.moveworks.com/llms.txt.
> For AI client integration (Claude Code, Cursor, etc.), connect to the MCP server at https://help.moveworks.com/_mcp/server.

# Access Control FAQs

Common questions about developer access control in Agent Studio. For the two access-control layers, start with the [Access Control overview](/agent-studio/access-control).

## General Model

A **folder** holds assets and defines their default access. Public, Personal, and custom folders are folders. A **view** filters assets you already have access to. It does not grant access on its own. Connectors, Shared with me, and Installation drafts are views.

No. Every asset has exactly one home folder. Cross-team sharing happens through additive item-level grants or by placing the asset in a more permissive folder. See [Folders](/agent-studio/access-control/folders#sharing-across-teams).

Because `Edit` and `Use` answer different questions. A developer might need `Edit` on a Workday action to update its logic, but should not execute it without separate `Use` on the underlying connector. `Use` can fire real API calls with real credentials.

No. Item-level grants are **additive only**. They broaden access beyond folder defaults but never restrict below them. To restrict an asset, change its folder's default or move it to a more restrictive folder.

Pickers and search can show assets across the workspace. If you do not have the needed permission, the action is blocked and the UI shows a "contact owner" prompt.

Nothing should break. Existing assets, including connectors, migrate to the Public folder, which preserves today's open access. Drafts in flight move to your Personal folder. After that, admins move sensitive assets into restricted folders as needed. No asset is locked down automatically at migration.

## Roles

Two things: **delete** the asset and **change its access and sharing**. Both permission axes cascade up to Manager, but only Manager covers governance actions on the asset itself.

Their assets aren't orphaned. Admins have Manager-level control on every published asset in the workspace, so every published asset stays governable as long as the workspace has at least one admin.

Not yet. Access is granted to individuals or org-wide through the Public folder. Group-based access is planned for a future release.

Two ways: the creator is automatically a Manager on what they create, and admins have Manager-level control on every published asset regardless of folder.

## Folders

Admins only. Developers don't see the option to add a folder.

They move to Public, because every Agent Studio user already has visibility there, so no downstream dependency breaks. A confirmation shows the asset count before the delete commits, and the assets pick up Public's default access.

No. Both are system folders. Public exists once per workspace; Personal is auto-created for each user on first access.

No. The sidebar shows only folders where you have a role on the folder or an item-level grant on an asset inside it. Public and Personal are always visible.

Three patterns are available: put it in a shared folder, grant specific cross-team users on the single asset, or use group-based folder access when it becomes available. See [Folders](/agent-studio/access-control/folders#sharing-across-teams).

No. Folders are flat in this release, with no nesting.

## Connectors

You can't move it there yourself. Public placement of connectors is admin-only. Ask an admin to make the move. They can find the connector in the Connectors view. See [Connectors and Access](/agent-studio/access-control/connectors-and-access#getting-a-connector-into-public).

A connector holds credentials to a backend system, so running anything that uses it fires real calls against that system. Starting connectors closed keeps sensitive credentials behind an explicit decision rather than an inherited default.

No. Execution requires `Use` on the entire dependency chain: the plugin, every action it calls, and every connector those actions use. If any connector in the chain is restricted, you can't run the plugin until you're granted `Use` on it. See [dependency-aware execution](/agent-studio/access-control/connectors-and-access#dependency-aware-execution).

## Drafts and Creation

Drafts live in the My Drafts view. When you publish, you pick a destination folder from the ones where you have `Edit`, including your Personal folder and the Public folder. Connectors are the exception. You can't publish a connector to Public.

Yes. Agent Studio admins can see your drafts. Once you publish into a non-Personal folder, normal access control applies.

## Related

The two access-control layers.

The other layer: which employees can use a published plugin.