Workspace builder

Who can use this: Workspace owners grant it; Company employees can hold it URL / Route: edited on /portal/users/{user}/edit Plan / feature gate: Always on

What it is

Workspace builder is the only workspace-wide capability a Company employee can hold. There is exactly one toggle, and one effect:

Workspace builder ON → this Company employee can create new organizations under your workspace. Workspace builder OFF → they cannot create organizations; they can only work inside the orgs you've already created and added them to.

That's the whole feature. It deliberately replaces a previous more complex employee-portal-controls system with a single, clear, workspace-wide toggle.

Who can grant it

Workspace owners (client_owner) can grant or revoke Workspace builder on any Company employee in their workspace
Per-org Managers cannot grant it (it's workspace-level, not org-level)
The owner cannot grant Workspace builder to themselves via the UI — owners already have create-org rights by being owners
The owner cannot grant Workspace builder to an Independent user — Independents never get workspace-wide capabilities

Who it applies to

Only Company-account employees. The toggle is hidden entirely on the edit page for Independent users.

What happens when it's ON

A "Create organization" button appears on the user's Workspace Home
The user can hit /portal/orgs/create and create a new org under your workspace
The new org is owned by your workspace (Client row), not by the employee personally
The employee is automatically added as Owner of the new org (so they can immediately set it up)
Workspace owners are also auto-attached as Owners of the new org (so they keep visibility / control)

What happens when it's OFF

The "Create organization" button is hidden
Direct navigation to /portal/orgs/create is blocked with 403
The employee can still see and use the orgs they've been added to

Step by step — granting it

Open Team in the sidebar (/portal/users).
Click the employee's name to open their edit page (/portal/users/{user}/edit).
Find the Portal Controls section.
Toggle Workspace builder on (or off).
Save (PATCH /portal/users/{user}, route client.users.update).

The change is immediate.

Permissions / restrictions

Both UI rendering and the controller update() call check the gate EmployeePortalControlsService::canManageEmployeePortalControls()
That gate enforces:
1. The actor is client_owner in the workspace
2. The target is a Company-account employee
3. The target is not the actor (no self-toggle)
4. The target belongs to the same workspace as the actor
If any check fails, the toggle is hidden in the UI and rejected by the controller

Behind the scenes

Toggle data: users.employee_controls_json — JSON column with one key, can_create_organizations: true|false
Permission mapping: EmployeePortalControlsService::CONTROL_TO_PERMISSIONS maps can_create_organizations → the Spatie permission create-organization
When the toggle is set, the Spatie permission is granted (givePermissionTo) and revoked accordingly — keeping the toggle the single source of truth

What it is NOT

Not a per-org role. Per-org roles (Owner / Manager / Member / Viewer) are completely separate and stack on top of this toggle. Workspace builder ON does NOT make you a per-org Owner of every org — only of orgs you create yourself.
Not a "make admin" button. It does not grant access to Workspace Settings, billing, or team management. Those are workspace-owner rights.
Not for Independent accounts. Independent users never hold it. The UI hides the section entirely.