# Sharing and access control > Sharing and access control - sharedRoles on Workloads and how access propagates. This Markdown file sits beside the HTML page at the same path (with a `.md` suffix). It summarizes the topic and lists links for tools and LLM context. Companion generated at `2026-06-22T16:50:38.254596+00:00` (UTC). ## Primary page - [Sharing and access control](https://docs.datarobot.com/en/docs/workload-api/operate-workloads/sharing-access-control.html.md): Full documentation for this topic (Markdown sidecar). ## Sections on this page - [Available roles](https://docs.datarobot.com/en/docs/workload-api/operate-workloads/sharing-access-control.html.md#sharing-roles): In-page section heading. - [Update shared roles](https://docs.datarobot.com/en/docs/workload-api/operate-workloads/sharing-access-control.html.md#update-shared-roles): In-page section heading. - [Artifacts and artifact repositories](https://docs.datarobot.com/en/docs/workload-api/operate-workloads/sharing-access-control.html.md#artifact-repository-sharing): In-page section heading. ## Related documentation - [Workload API](https://docs.datarobot.com/en/docs/workload-api/index.html.md): Linked from this page. - [Operate running Workloads](https://docs.datarobot.com/en/docs/workload-api/operate-workloads/index.html.md): Linked from this page. - [Artifact concepts](https://docs.datarobot.com/en/docs/workload-api/build-artifacts/artifacts-concepts.html.md): Linked from this page. - [REST: artifacts and repositories](https://docs.datarobot.com/en/docs/workload-api/build-artifacts/artifacts-rest-endpoints.html.md): Linked from this page. ## Documentation content Workloads support shared roles via `GET /workloads/{workload_id}/sharedRoles` and `PATCH /workloads/{workload_id}/sharedRoles`. A shared role grants a user, group, or organization a specific access level on the Workload. ## Available roles The Workload API exposes three sharing roles: | Role | Access level | | --- | --- | | owner | Full control, including deletion and re-sharing. | | user | Invoke and read. The standard production-consumer role. | | consumer | Invoke only; cannot read full configuration or statistics. | Shared roles propagate to events, statistics, and the `/protons/` sub-resource so collaborators see the same telemetry and lifecycle as owners. ## Update shared roles `PATCH /workloads/{workload_id}/sharedRoles` replaces the current shared role list. You can set up to 100 entries in a single request, and each entry identifies the recipient by `id` (with `shareRecipientType`) or by `username` (for users). ``` curl -X PATCH "${DATAROBOT_ENDPOINT}/workloads/${WORKLOAD_ID}/sharedRoles" \ -H "Authorization: Bearer ${DATAROBOT_API_TOKEN}" \ -H "Content-Type: application/json" \ -d '{ "operation": "updateRoles", "roles": [ {"id": "USER_ID", "role": "user", "shareRecipientType": "user"}, {"username": "alice@example.com", "role": "consumer", "shareRecipientType": "user"} ] }' ``` `shareRecipientType` accepts `user`, `group`, `organization`, or `role`. ## Artifacts and artifact repositories Artifacts and artifact repositories use the same `sharedRoles` pattern for registry governance: | Resource | Shared role endpoints | | --- | --- | | Artifact | GET /artifacts/{artifact_id}/sharedRoles, PATCH /artifacts/{artifact_id}/sharedRoles. | | Artifact repository | GET /artifactRepositories/{artifact_repository_id}/sharedRoles, PATCH /artifactRepositories/{artifact_repository_id}/sharedRoles. | See [Artifact concepts](https://docs.datarobot.com/en/docs/workload-api/build-artifacts/artifacts-concepts.html.md) and [REST: artifacts and repositories](https://docs.datarobot.com/en/docs/workload-api/build-artifacts/artifacts-rest-endpoints.html.md).