How to Create a Locked-Down Deployment with Restricted Access

Last updated: November 25, 2025

Overview

If you need to deploy an application with restricted access for regulatory, security, or privacy purposes, you can use workspace-level isolation to ensure only authorized users can access the deployment and its resources.

Solution: Workspace-Scoped Access Control

Deployments in LangSmith are workspace-scoped, meaning access is automatically restricted to workspace members. By creating a dedicated workspace and limiting membership, you can ensure your deployment remains secure and isolated.

Step-by-Step Guide

1. Create a New Workspace

Create a dedicated workspace within your organization specifically for the restricted deployment:

  • Navigate to your organization settings

  • Create a new workspace with a descriptive name

  • This workspace will serve as the isolated environment for your deployment

2. Invite Only Authorized Users

Restrict workspace access by only inviting users who need access to the deployment:

  • Add only the specific individuals who require access

  • Do not add additional members unless necessary

  • Each workspace member will automatically have access to all deployments within that workspace

3. Deploy Your Application

Deploy your application to the newly created restricted workspace:

  • Deploy your fork or application to the dedicated workspace

  • The deployment and all its resources (including sensitive documents) will be automatically scoped to workspace members only

  • No users outside the workspace can see or access the deployment

4. Configure Role-Based Access Control (Enterprise)

For Enterprise plans, you can further refine permissions within the workspace using RBAC:

  • Viewer: Read-only access to deployments

  • Editor: Can modify and manage deployments

  • Admin: Full control over workspace settings and members

This allows you to grant different permission levels even within the restricted workspace.

Access Control Behavior

Once configured:

  • Only workspace members can see the deployment

  • Only workspace members can access deployment resources

  • Only workspace members can interact with the deployed application

  • Users outside the workspace cannot discover or access the deployment

  • Organization-level visibility does not extend to workspace-scoped deployments

Use Cases

This approach is ideal for:

  • Regulatory Compliance: Deployments that handle regulated data requiring limited access

  • Sensitive Documents: Applications processing confidential or proprietary information

  • Internal Tools: Restricted-access tools for specific teams or projects

  • Client Projects: Isolated deployments for specific clients with confidentiality requirements

  • Testing Environments: Secure testing with sensitive production data

Additional Resources

Best Practices

  1. Principle of Least Privilege: Only add users who absolutely need access

  2. Regular Audits: Periodically review workspace membership to ensure it remains current

  3. Use RBAC: Assign the minimum permission level required for each user's role

  4. Document Access: Maintain a record of who has access and why for compliance purposes

  5. Separate Workspaces: Don't reuse restricted workspaces for other projects to maintain isolation

Summary

To create a locked-down deployment:

  1. Create a dedicated workspace in your organization

  2. Invite only authorized users to that workspace

  3. Deploy your application to the restricted workspace

  4. Optionally configure RBAC for fine-grained permissions

This workspace-scoped approach provides automatic access control without requiring additional configuration, making it the recommended method for deployments requiring restricted access.