Fine-Grained Access Controls for Spaces

Who can use this feature?
- Requires an Enterprise plan.
- During setup, Admins configure FGAC; once enforcement is enabled, Space Editors and Owners manage access within their own spaces.
- FGAC for Spaces is currently in Early Access and becomes generally available for all Enterprise customers on July 29, 2026.

Fine-Grained Access Controls (FGAC) for Spaces give you control over who can view and edit the analytics in your Fullstory organization. Instead of every user seeing every space, you decide which teams and individuals can access each space and what they can do inside it.

The permission model works like sharing in most document collaboration tools:

  • Owner: Has all the permissions of Can edit, and can also delete the space.
  • Can edit: View and modify analytics objects in the space, and manage the space's sharing settings.
  • Can view: View analytics objects in the space, but can't modify them.

Permissions cascade from the space to the objects inside it. If a user has Can view on a space, they have Can view on every dashboard, segment, metric, and funnel in that space. If a user belongs to multiple groups with different permissions on the same space, they get the highest permission across those groups.

Availability and rollout

FGAC for Spaces is currently in Early Access and becomes generally available for all Enterprise customers on July 29, 2026. Rollout happens in two phases so you can configure everything before it affects anyone.

  • Setup phase (July 29 – November 2, 2026): All Enterprise organizations are automatically enrolled. Admins can configure groups and space permissions risk-free—no one's access changes during this phase.
  • Enforcement phase: All organizations are automatically enrolled in enforcement on November 2, 2026, at which point users become subject to the permissions you've configured. Admins can enable enforcement earlier using a one-way toggle in Settings—once enabled, this can't be undone.

During Early Access, the Fullstory account team enables admin-only access to Groups and sharing controls on your behalf. Only admins see these controls until you're ready to move forward.

Manage access to a space

You can manage access to a space in two places: from the Groups for Fine-Grained Access Controls page, where you grant a group access to multiple spaces at once, and from within an individual space, where the Share dialog lets you grant access to both individuals and groups. To manage access from within a space:

  1. Open the space and click the Share button in the upper right.
  2. Search for users or groups by name and add them with a permission level (Can view or Can edit).
  3. Adjust permissions for anyone already listed by clicking their permission dropdown.
  4. Set the General access default at the bottom of the dialog. This controls what any user in the org gets by default: Can view, Can edit, or No access.
  5. Click Save.

Share space modal when viewed from an individual Space > Share button

What happens during enforcement

When enforcement goes live for your organization:

  • Spaces stay discoverable: Users can see that a space exists in the nav, but can't access its contents without permission.
  • Library filters automatically: Users only see objects from spaces they're authorized to access.
  • Deep links are protected: If someone shares a direct link to a dashboard, metric, or other object in a space the recipient doesn't have access to, they'll see a message letting them know who owns the space so they can request access.
  • Permissions are dynamic: If an analytics object is moved from one space to another, the user's access to that object updates immediately based on the permissions of the new space.

Frequently Asked Questions

Are properties, events, and pages still shared?

Yes. FGAC for Spaces controls access to analytics objects, not data definitions. Properties, events, pages, and elements remain visible to everyone. They're the shared building blocks any team can use within the spaces they have access to.

How do I automate group management?

Fullstory supports SCIM for automating group lifecycle management. With SCIM, changes to groups in your identity provider are automatically reflected in Fullstory. See Configuring SCIM for Automated User Provisioning in Fullstory for setup instructions.

What if a user belongs to multiple groups with different permissions on the same space?

They get the highest permission. If one group has Can view and another has Can edit, a user who belongs to both groups gets Can edit.

Can I set permissions on individual objects within a space?

No. Permissions are set at the space level and cascade to all objects inside it. If you need different access levels for different analytics, organize them into separate spaces.


Was this article helpful?

Got Questions?

Get in touch with a Fullstory rep, ask the community or check out our developer documentation.