Understanding Space Access Control and Inheritance
Last updated: July 22, 2025
This article explains how access control and inheritance work between parent and child spaces in Spacelift, and how to manage user visibility to spaces and stacks.
How Inheritance Works
By default, when inheritance is enabled in a space:
Users with access to a child space automatically inherit read access to all parent spaces, including the root space
This upward inheritance cannot be overridden - it's a core behavior of the system
Child spaces can still access shared resources (like contexts and policies) from parent spaces
Disabling Inheritance
When inheritance is disabled for a space:
Users will not have access to parent or root spaces by default
The space itself will also lose access to shared resources from parent spaces
This may cause errors if the space depends on globally shared resources like contexts or policies
Note: Disabling inheritance affects both user access and space resource sharing. If your setup relies on shared resources from parent spaces, disabling inheritance may not be the best solution for controlling user visibility.
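To see why the toggle is a poor tool for hiding parent spaces from users, the behavior described above can be modelled and checked before changing a real space. The Python below is an added example, not Spacelift code or its API. The Space class, the space names and the resource names are constructed for illustration, and the model assumes that inherited read access and resource sharing both follow the chain of parents only while each space on the way up has inheritance enabled.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Space:  # hypothetical model of a space, not a Spacelift type
    name: str
    parent: Optional[str]          # None only for the root space
    inherit: bool = True           # the space's inheritance toggle
    resources: set = field(default_factory=set)  # contexts/policies defined here
    needs: set = field(default_factory=set)      # resources its stacks attach

def inherited_parents(spaces, name):
    """Parents reachable from `name` while each hop has inheritance enabled."""
    found, cur = [], spaces[name]
    while cur.parent is not None and cur.inherit:
        cur = spaces[cur.parent]
        found.append(cur.name)
    return found

def readable_spaces(spaces, granted):
    """Direct grants plus the read access inherited on parent spaces."""
    visible = set(granted)
    for name in granted:
        visible.update(inherited_parents(spaces, name))
    return visible

def missing_resources(spaces, name):
    """Resources the space's stacks need but can no longer reach."""
    reachable = set(spaces[name].resources)
    for parent in inherited_parents(spaces, name):
        reachable |= spaces[parent].resources
    return spaces[name].needs - reachable

def build(team_a_inherits):
    """Constructed sample tree: root -> platform -> team-a."""
    tree = [
        Space("root", None, resources={"ctx:org-credentials", "policy:plan-guard"}),
        Space("platform", "root"),
        Space("team-a", "platform", inherit=team_a_inherits,
              needs={"ctx:org-credentials"}),
    ]
    return {s.name: s for s in tree}

if __name__ == "__main__":
    for enabled in (True, False):
        spaces = build(enabled)
        print("inheritance enabled:", enabled)
        print("  user sees:", sorted(readable_spaces(spaces, {"team-a"})))
        print("  broken dependencies:", sorted(missing_resources(spaces, "team-a")))
```

With inheritance disabled on team-a, the user no longer sees platform or root, but the space also reports the shared context as unreachable, which is the trade-off the note above describes.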
Advanced Access Control
For more granular control over space and stack visibility, Spacelift is developing Advanced Access Control (AAC) capabilities that will allow:
More fine-grained permissions at the stack level
The ability to craft custom roles with specific access patterns
Maintaining access to shared resources while controlling user visibility
For more information about current inheritance behavior, see the Access Control documentation.