Canvasm Docs
Reference

Security & access

Roles, groups, access tags, node visibility, sharing, and redaction — and how they combine.

Access in Canvasm has two layers: roles (what you can do) and visibility (which cards you can see). Both are enforced on the server for every request, including shares and API/agent calls.

Workspace isolation

All data — canvases, metrics, connected accounts, keys — is scoped to a workspace. Requests can only reach the workspace they're authenticated for; there is no cross-workspace access. API keys and agent connections inherit exactly this scope.

Roles

RoleCapability
ViewerRead permitted canvases and dashboards
CommenterViewer + leave comments
EditorBuild and change canvases, metrics, dashboards
AdminEditor + manage members, groups, and access policy

Visibility: groups and access tags

Roles don't decide which numbers you see — access tags do:

  • A group is an audience of people (Finance, Exec, Marketing, a partner).
  • An access tag marks sensitive cards and defines an audience: the groups allowed to see them.
  • A card with a restricted tag is visible only to that tag's audience. Everyone else simply doesn't see it.

Admins can "view as" a group to preview exactly what that audience sees.

Two layers combine

An Editor can change the canvas but still won't see a card whose access tag excludes their group. Capability and visibility are independent — you need both.

Sharing and redaction

When a canvas, dashboard, or shared link is opened by someone outside a card's audience, that card is redacted — removed from the response and any embed, not just hidden in the browser. Nothing restricted leaks through a share. Owners see a "N restricted metrics are hidden for this audience" affordance so they know what a given viewer gets. Shared and embedded views honor the same visibility as the app, and work alongside the Viewer/Commenter/Editor roles.

Keys and credentials

  • API keys are shown once and stored only as a hash; revoke one and it stops working immediately.
  • Connected-account credentials (for native connectors) are stored encrypted on the server; the browser only ever sees a connection's status, never token material.

Proxy departments (planned)

Planned

A proxy department / scope layer — named proxies you assign to dashboards, groups, and cards with inheritance and overrides — is planned. Today, express visibility directly with groups and access tags.

Next steps

On this page