# Private tenant

{% hint style="warning" %}
A tenant can only be configured to be a private tenant at the initial setup. Once a tenant is either private or shared, it cannot be converted to another type.

This setting can be verified in the [Navigation menu](/navigation/navigation-menu.md#user-menu).
{% endhint %}

In a private tenant, folders created on Spark are only visible to the user who created them until explicitly shared with other users and user groups. The sole exception is for members of the `supervisor:pf` group, who have access to see all Folders and Services in Spark by default.

The private tenant feature is best used in conjunction with custom [user groups](/tenant-administration/manage-users.md#user-groups) that are aligned with regional or functional responsibilities in an organization.

## Spark entity permission types

Create, Read, Update, Delete and Execute permissions applied to users and user groups for a folder affect the actions that can be taken on the folder and the services within it. The table describes the permissions required to perform key functions in Spark.

{% hint style="info" %}
The table below is meant to be read from left to right. Most actions require combined permissions. For example, to delete a folder, you need both `Read` and `Delete` permissions.

Depending on your browser and screen, some of the columns in the table may be hidden. Scroll right at the bottom of the table ➡️ to see the complete details.
{% endhint %}

<table data-full-width="true"><thead><tr><th>Entity</th><th>Action</th><th>Create</th><th>Read</th><th>Update</th><th>Delete</th><th>Execute</th></tr></thead><tbody><tr><td></td><td></td><td></td><td></td><td></td><td></td><td></td></tr><tr><td>Folder</td><td>Clone</td><td></td><td>✅</td><td></td><td></td><td></td></tr><tr><td></td><td>Download</td><td></td><td>✅</td><td></td><td></td><td></td></tr><tr><td></td><td>Delete</td><td></td><td>✅</td><td></td><td>✅</td><td></td></tr><tr><td></td><td>Edit</td><td></td><td>✅</td><td>✅</td><td></td><td></td></tr><tr><td></td><td>Favorite</td><td>✅</td><td>✅</td><td>✅</td><td></td><td></td></tr><tr><td></td><td>New folder</td><td>✅</td><td>✅</td><td></td><td></td><td></td></tr><tr><td></td><td>View</td><td></td><td>✅</td><td></td><td></td><td></td></tr><tr><td></td><td></td><td></td><td></td><td></td><td></td><td></td></tr><tr><td>Service</td><td>Add service</td><td>✅</td><td>✅</td><td>✅</td><td></td><td></td></tr><tr><td></td><td>Add version</td><td>✅</td><td>✅</td><td>✅</td><td></td><td></td></tr><tr><td></td><td>Analyze with AI</td><td></td><td>✅</td><td></td><td></td><td></td></tr><tr><td></td><td>API Call History</td><td></td><td>✅</td><td></td><td></td><td></td></tr><tr><td></td><td>API Tester</td><td></td><td>✅</td><td></td><td></td><td>✅</td></tr><tr><td></td><td>Compare versions</td><td></td><td>✅</td><td></td><td></td><td></td></tr><tr><td></td><td>Delete</td><td></td><td>✅</td><td></td><td>✅</td><td></td></tr><tr><td></td><td>Delete service version</td><td></td><td>✅</td><td></td><td>✅</td><td></td></tr><tr><td></td><td>Deployment Request</td><td></td><td>✅</td><td></td><td></td><td></td></tr><tr><td></td><td>Download</td><td></td><td>✅</td><td></td><td></td><td></td></tr><tr><td></td><td><p><code>/batch</code></p><p><code>/execute</code></p><p><code>/metadata</code></p><p><code>/SPARK_XCALL</code></p><p><code>/validation</code></p></td><td></td><td>✅*<br>see <a data-mention 
href="#execute-only-permissions">#execute-only-permissions</a></td><td></td><td></td><td>✅</td></tr><tr><td></td><td>Edit service version</td><td></td><td>✅</td><td>✅</td><td></td><td></td></tr><tr><td></td><td>Favorite</td><td>✅</td><td>✅</td><td>✅</td><td></td><td></td></tr><tr><td></td><td>Recompile</td><td>✅</td><td>✅</td><td>✅</td><td></td><td></td></tr><tr><td></td><td>Restore version</td><td>✅</td><td>✅</td><td>✅</td><td></td><td></td></tr><tr><td></td><td>Update service properties</td><td></td><td>✅</td><td>✅</td><td></td><td></td></tr><tr><td></td><td>View</td><td></td><td>✅</td><td></td><td></td><td></td></tr><tr><td></td><td></td><td></td><td></td><td></td><td></td><td></td></tr><tr><td>Transform</td><td>Add</td><td>✅</td><td>✅</td><td>✅</td><td></td><td></td></tr><tr><td></td><td>Delete</td><td></td><td>✅</td><td></td><td>✅</td><td></td></tr><tr><td></td><td>Execute</td><td></td><td>✅</td><td></td><td></td><td>✅</td></tr><tr><td></td><td>Edit</td><td></td><td>✅</td><td>✅</td><td></td><td></td></tr><tr><td></td><td>Update</td><td></td><td>✅</td><td>✅</td><td></td><td></td></tr><tr><td></td><td></td><td></td><td></td><td></td><td></td><td></td></tr><tr><td>Testbed</td><td>Add additional test cases</td><td></td><td>✅</td><td>✅</td><td></td><td></td></tr><tr><td></td><td>Aggregate</td><td>✅</td><td>✅</td><td></td><td></td><td>✅</td></tr><tr><td></td><td>Delete</td><td></td><td>✅</td><td></td><td>✅</td><td></td></tr><tr><td></td><td>Download</td><td></td><td>✅</td><td></td><td></td><td></td></tr><tr><td></td><td>Favorite</td><td>✅</td><td>✅</td><td>✅</td><td></td><td></td></tr><tr><td></td><td>Run</td><td>✅</td><td>✅</td><td></td><td></td><td>✅</td></tr><tr><td></td><td>Test case 
generation</td><td>✅</td><td>✅</td><td></td><td></td><td>✅</td></tr><tr><td></td><td>Upload</td><td>✅</td><td>✅</td><td></td><td></td><td></td></tr><tr><td></td><td>View</td><td></td><td>✅</td><td></td><td></td><td></td></tr><tr><td></td><td></td><td></td><td></td><td></td><td></td><td></td></tr><tr><td>Testbed results</td><td>Compare results</td><td></td><td>✅</td><td></td><td></td><td></td></tr><tr><td></td><td>Delete</td><td></td><td>✅</td><td></td><td>✅</td><td></td></tr><tr><td></td><td>Download</td><td></td><td>✅</td><td></td><td></td><td></td></tr><tr><td></td><td>Upload test results</td><td>✅</td><td>✅</td><td></td><td></td><td></td></tr><tr><td></td><td>View</td><td></td><td>✅</td><td></td><td></td><td></td></tr><tr><td></td><td></td><td></td><td></td><td></td><td></td><td></td></tr><tr><td>Document section</td><td>Add</td><td>✅</td><td>✅</td><td>✅</td><td></td><td></td></tr><tr><td></td><td>Delete</td><td></td><td>✅</td><td>✅</td><td>✅</td><td></td></tr><tr><td></td><td>Edit</td><td>✅</td><td>✅</td><td>✅</td><td></td><td></td></tr><tr><td></td><td>View</td><td></td><td>✅</td><td></td><td></td><td></td></tr><tr><td></td><td></td><td></td><td></td><td></td><td></td><td></td></tr><tr><td>Document</td><td>Delete</td><td></td><td>✅</td><td></td><td>✅</td><td></td></tr><tr><td></td><td>Download</td><td></td><td>✅</td><td></td><td></td><td></td></tr><tr><td></td><td>Move to</td><td>✅</td><td>✅</td><td>✅</td><td></td><td></td></tr><tr><td></td><td>New document</td><td>✅</td><td>✅</td><td>✅</td><td></td><td></td></tr><tr><td></td><td>Update</td><td></td><td>✅</td><td>✅</td><td></td><td></td></tr><tr><td></td><td>View</td><td></td><td>✅</td><td></td><td></td><td></td></tr></tbody></table>

### supervisor role

When a new folder is created, the user group `supervisor:pf` is assigned to the folder by default with all of the permission types applied. This means by default, users included in the `supervisor:pf` user group have access to all folders and services in Spark.

If the user who creates the folder is a member of other user groups, the supervisors of those user groups will also be granted access to manage this folder. For example, if a user who is a member of `user:team3` creates a folder, the folder will also be accessible by the user group `supervisor:team3`.

### `execute` only permissions

It is possible to make calls to `/batch`, `/execute`, `/metadata`, `SPARK_XCALL()`, `/validation` with only `execute` permissions and without `read` permissions.

This requires configuration from Coherent. Contact [Support](/support/support.md) for more information.

## Set permissions on folders

In private tenants, permissions for folders can be assigned:

1. [#directly-to-user-accounts](#directly-to-user-accounts "mention")
2. [#to-user-groups](#to-user-groups "mention")
3. [#to-api-key-groups](#to-api-key-groups "mention")
4. [#to-service-accounts-oauth2-client-credentials](#to-service-accounts-oauth2-client-credentials "mention")

### Directly to user accounts

To assign permissions, you must either be the owner of the folder or a member of the `supervisor:pf` group. Follow these steps:

1. Click on the folder, then click on the "three-dot menu" to access the options and select *Set Permissions*.
2. Type in the email address of the account you would like to add. If configured, you will also see that you can choose a user or group from the typeahead list. Set the necessary permissions for the user.
3. Click **Done**.
4. The user account specified in Step 2 will now have access to the folder.

### To user groups

To assign permissions, you must either be the owner of the folder or a member of the `supervisor:pf` group. To create a user group, you must be a member of the `tenant-admin` group.

1. Navigate to the menu on the top right corner (button with your initials) and select *Options*.
2. In the menu bar on the left-hand side, select *User groups* and click on *Add user group*.
3. Enter a group name. The user group name MUST start with the prefix `user:`. For example, `user:example-user-group`. Fill in the description, add all necessary users, and click **Submit**.
4. Navigate back to the folder, then click on the triple dot action button to access the folder options and select *Set permissions*.
5. Type in the user group you would like to add. If configured, you will also see that you can choose a user or group from the typeahead list. Set the necessary permissions for the user group.
6. Click **Done**.
7. The user group added should now have access to this folder.

### To API key groups

To create an API key group, you must be a member of the `tenant-admin` user group.

Prerequisite: a user group exists and is assigned to a folder ([#to-user-groups](#to-user-groups "mention")).

1. Navigate to the menu on the top right corner (button with your initials) and select *Options*.
2. Go to the page *API keys*.
3. Click *New API Key group*.
4. Enter the key group name, description, the user group you assigned to the folder from [#to-user-groups](#to-user-groups "mention"), and click on **Create**.
5. You can now generate a key in the API key group and make calls to the services within the folder using the `x-synthetic-key` request header. (See [Authorization - API keys](/spark-apis/authorization-api-keys.md)).

### To service accounts (OAuth2 client credentials)

Service accounts can also be given permissions directly, without the need for "dummy" users. This is especially useful for CI/CD operations, or tasks involving interactions with non-public APIs. For complete instructions, see [Client Credentials grant (OAuth 2.0)](/identity-and-access-management/client-credentials/client-credentials-grant-oauth-2.0.md).

## Set permissions on folders via API

This functionality requires an access token with sufficient privileges, either [Authorization - Bearer token](/spark-apis/authorization-bearer-token.md) or [Broken mention](broken://pages/Dx1VW4Wsqbw72hKR5spG).

1. First get the ID of the folder.
   1. Send a `POST` request to the following endpoint: `https://excel.{environment}/api/v1/product/list`.
   2. In the request headers, include in `Authorization` a bearer token.
   3. Include the following JSON payload in the request body:

      ```json
      {
       "search":[
        {
         "field": "name",
         "value": "{Folder}"
        }
       ]
      }
      ```
   4. Copy the `id` from the response body after sending the `POST` request above. It should look something like this:

      ```json
      {
       "data": [
        {
         "id": "a8d98bbf-e5aa-44ce-ad90-cebe728c7776",
         "name": "Demo",
         ...
        }
       ]
      }
      ```
2. To assign permissions to the folder:
   1. Send a `POST` request to the following endpoint: `https://excel.{environment}/api/v1/entitypermission/setentitypermission`. In the request headers, include in `Authorization` a bearer token.
   2. Include the following JSON payload in the request body:

      <pre class="language-json"><code class="lang-json"><strong>{
      </strong><strong>  "entityID": "{Folder_ID}",
      </strong>  "remove": {true or false based on if you want to assign these rights},
        "create": {true or false based on if you want to assign these rights},
        "update": {true or false based on if you want to assign these rights},
        "execute": {true or false based on if you want to assign these rights},
        "read": {true or false based on if you want to assign these rights},
        "members": "{List of users, groups, credentials separated by comma}"
      }
      </code></pre>

      * If the member is created from [Client Credentials](/identity-and-access-management/client-credentials.md), then use the Client Credential, which should include the `service-account` prefix.
   3. An example of the JSON payload is as follows:

      ```json
      {
       "entityID": "a8d98bbf-e5aa-44ce-ad90-cebe728c7776",
       "remove": true,
       "create": true,
       "update": false,
       "execute": true,
       "read": true,
       "members": "bob@amunet.com.au, user:pf, service-account-cc-folder-level"
      }
      ```
3. After completing the steps above, you should observe the changes in the folder you've chosen in the *Set permissions* dialog.
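
The two API steps above as an added Python example (not Coherent's code): it picks the folder `id` from a `/api/v1/product/list` response and builds a `setentitypermission` payload that grants only the permission types the chosen actions need according to the table on this page. The function names, the `Content-Type` header, the exact-name match on the list response and the mapping of the Delete permission to the `remove` flag are assumptions.

```python
import json
import urllib.request

# Subset of the permission table on this page: action -> permission types needed.
REQUIRED = {
    ("Folder", "View"): {"read"},
    ("Folder", "Edit"): {"read", "update"},
    ("Folder", "Delete"): {"read", "delete"},
    ("Service", "API Tester"): {"read", "execute"},
    ("Service", "Add version"): {"create", "read", "update"},
    ("Testbed", "Run"): {"create", "read", "execute"},
}
# Assumption: the API's "remove" flag carries the Delete permission type.
API_FLAG = {"create": "create", "read": "read", "update": "update",
            "delete": "remove", "execute": "execute"}


def folder_id_from_list(response, name):
    """Return the id of the single folder whose name matches exactly."""
    ids = [f["id"] for f in response.get("data", []) if f.get("name") == name]
    if len(ids) != 1:
        raise LookupError(f"expected one folder named {name!r}, got {len(ids)}")
    return ids[0]


def build_permission_payload(folder_id, members, actions):
    """Grant only the permission types the listed actions need."""
    needed = set()
    for action in actions:
        needed |= REQUIRED[action]  # KeyError for an action not in the table
    payload = {"entityID": folder_id}
    payload.update({flag: perm in needed for perm, flag in API_FLAG.items()})
    payload["members"] = ", ".join(members)
    return payload


def post_json(url, token, body):
    """POST a JSON body with a bearer token (defined here, not called)."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample of a /api/v1/product/list response.
SAMPLE_LIST = {"data": [{"id": "a8d98bbf-e5aa-44ce-ad90-cebe728c7776", "name": "Demo"}]}
```

Pass the payload to `post_json` with the `setentitypermission` URL from step 2 and review it first: every flag left `false` is a right the listed members do not receive from this call.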

