sandbox · example data only · not your workspace
← all scenarios

First-Time Workspace Setup

From zero account to first connected provider in ~10 minutes.

Walks a new operator through workspace creation, team invites, the first cloud connector, and the first read-only scan.

Steps
7
Est. time
~12 min
Audience
public
Reviewed
2026-05-23
engineer · Security Engineerengineer · Allconnector · AWSconnector · Azureconnector · GCP

read first

Getting StartedWorkspace creation, first connector, first scan.
Permissions ModelAWS SetupAzure SetupScanning ModelApproval Workflow

data flow

scenario architecture


   you           workspace          provider
    │                 │                 │
    ├─create─────────▶│                 │
    │                 ├─assume role────▶│  (read-only)
    │◀───inventory────┤                 │
    ├─invite team────▶│                 │
    └─enable engineer▶│                 │
step 1/7·No approval needed

Create the workspace

Pick a workspace name + region. Determines data residency.

visionxixlabs.com/dashboard/onboarding
AAxiom
Sign out

step 1 · preview

Create the workspace

Pick a workspace name + region. Determines data residency.

Behind the scenes

Workspace ids carry a prefix (ws_real_*, ws_sandbox_*, ws_internal_*) which is the platform-wide tenant-kind tag. Demo data is gated by isSandboxWorkspace() and assertNotDemoLeak() so example rows can NEVER leak into a real workspace.

safety invariants in play

  • Tenant isolation Every Prisma read joins on organizationId; cross-tenant probes collapse to 404, never leak.

expected result

Workspace dashboard appears in preview mode.

platform route

/dashboard/onboarding

engineering principle

Setup is intentionally narrow: workspace, team, connector, scan, policy, engineer, report. Each step is reversible from the same surface you set it up on. No multi-page wizards, no irreversible 'configure once' switches.

Platform reference →Architecture overview →← Back to all scenariosSet up your real workspace →