Guide
Sharing safely
The two permission systems — sharing and access scopes — and how to set up a pod where the right people and the right agents see the right things.
Two systems, not one
Lemma separates who can see a resource from what a worker can touch. Sharing (the Share button) controls people: private, pod members, or the whole organization. Access scopes (the Access section in an agent’s editor) control workers: which tables, folders, tools, and apps that agent may read and act on. Confusing them is the most common permissions mistake — a pod-visible agent can still be scoped to a single table, and a private table can still be granted to an agent everyone uses.
A sane default setup
- Keep resources at pod visibility while you build — drafts stay private until they work.
- Scope every agent from zero: grant only what its job description mentions.
- Put genuinely sensitive tables (salaries, legal) at private visibility and grant them to no agent unless the process demands it.
- Promote finished apps to organization visibility when other teams should use them — the app shows data through its own queries, not the viewer’s permissions, so check what it exposes first.
- Audit quarterly: open each agent’s Access section and remove grants its current job no longer needs.
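The quarterly audit from the list above, written as an added example rather than Lemma's own code or export format. The inventory layout, field names, and agent and table names are constructed assumptions; the two checks flag grants the current job no longer needs and grants that give a widely shared agent a table fewer people can open.

```python
# Constructed inventory: the page does not describe an export format, so
# these structures and names are assumptions made for illustration.
VISIBILITY_RANK = {"private": 0, "pod": 1, "organization": 2}

# Sharing level of each table (the "who can see it" system).
TABLES = {
    "salaries": "private",
    "tickets": "pod",
    "product_faq": "organization",
}

# Each agent has its own sharing level plus its access scope.
AGENTS = {
    "support-triage": {
        "visibility": "pod",
        "needs": {"tickets", "product_faq"},                # what its job description mentions
        "grants": {"tickets", "product_faq", "salaries"},   # what its Access section allows
    },
    "faq-bot": {
        "visibility": "organization",
        "needs": {"product_faq"},
        "grants": {"product_faq"},
    },
}


def audit(agents, tables):
    """Return sorted (agent, table, reason) findings for review."""
    findings = []
    for name, agent in agents.items():
        for table in agent["grants"]:
            # Scope from zero: anything outside the job description is excess.
            if table not in agent["needs"]:
                findings.append((name, table, "grant not needed by current job"))
            # Sharing and access scopes are independent, so a grant can hand a
            # widely shared agent a table that fewer people are able to open.
            if VISIBILITY_RANK[tables[table]] < VISIBILITY_RANK[agent["visibility"]]:
                findings.append((name, table, "table is less visible than the agent"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(AGENTS, TABLES):
        print(*finding, sep=": ")
```

A finding of the second kind is not automatically wrong, since a process may demand the grant, but it is the case worth a deliberate decision at each audit.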
Who sees what
| Level | Who | Use for |
|---|---|---|
| Private | Only you | Drafts, experiments, sensitive tables |
| Pod | Members of this pod | The default for everything in active use |
| Organization | Anyone in your org | Finished apps and shared reference data |