diff --git a/src/core/server/saved_objects/service/lib/repository.ts b/src/core/server/saved_objects/service/lib/repository.ts
index 7b033b8e0211..691c57b08970 100644
--- a/src/core/server/saved_objects/service/lib/repository.ts
+++ b/src/core/server/saved_objects/service/lib/repository.ts
@@ -249,6 +249,7 @@ export class SavedObjectsRepository {
 initialNamespaces,
 version,
 workspaces,
+ permissions,
 } = options;
 const namespace = normalizeNamespace(options.namespace);
@@ -310,6 +311,7 @@ export class SavedObjectsRepository {
 updated_at: time,
 ...(Array.isArray(references) && { references }),
 ...(Array.isArray(savedObjectWorkspaces) && { workspaces: savedObjectWorkspaces }),
+ ...(permissions && { permissions }),
 });
 const raw = this._serializer.savedObjectToRaw(migrated as SavedObjectSanitizedDoc);
diff --git a/src/core/server/saved_objects/service/saved_objects_client.ts b/src/core/server/saved_objects/service/saved_objects_client.ts
index 119aea8b2743..025c2f9cb475 100644
--- a/src/core/server/saved_objects/service/saved_objects_client.ts
+++ b/src/core/server/saved_objects/service/saved_objects_client.ts
@@ -39,6 +39,7 @@ import {
 SavedObjectsFindOptions,
 } from '../types';
 import { SavedObjectsErrorHelpers } from './lib/errors';
+import { Permissions } from '../permission_control/acl';
 /**
 *
@@ -68,6 +69,7 @@ export interface SavedObjectsCreateOptions extends SavedObjectsBaseOptions {
 * Note: this can only be used for multi-namespace object types.
 */
 initialNamespaces?: string[];
+ permissions?: Permissions;
 }
 /**
diff --git a/src/core/server/workspaces/workspaces_service.ts b/src/core/server/workspaces/workspaces_service.ts
index 44a7fd793545..0c7b536433a3 100644
--- a/src/core/server/workspaces/workspaces_service.ts
+++ b/src/core/server/workspaces/workspaces_service.ts
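Review bot: The spread `...(permissions && { permissions })` in the second repository.ts hunk stores whatever the caller put in `options.permissions` after only a truthiness check, so the repository neither validates the ACL's shape nor checks that the caller is allowed to set it. Because this field is the object's access-control list, that contract should be stated where the value is written, for example `// permissions is stored as given; callers must validate and authorize it before create()`, and it is worth confirming that no route forwards request-supplied create options unfiltered. Only `create` is touched in the visible hunks; whether `bulkCreate` and `update` need the same handling cannot be seen from here. The enclosing `create` method starts and ends outside both hunks.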
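Review bot: The new `permissions?: Permissions;` member of `SavedObjectsCreateOptions` has no doc comment, while the neighbouring `initialNamespaces` carries one. Since this option decides who can access the created object, I would add something like `/** Access-control entries to store on the created object; omitted means no permissions field is written. */` (the omitted-case wording follows the repository.ts hunk in this commit). The interface body starts outside the hunk.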
@@ -17,8 +17,13 @@ import { IWorkspaceDBImpl, WorkspaceAttribute } from './types';
 import { WorkspacesClientWithSavedObject } from './workspaces_client';
 import { WorkspaceSavedObjectsClientWrapper } from './saved_objects';
 import { WORKSPACE_TYPE } from './constants';
-import { MANAGEMENT_WORKSPACE, PUBLIC_WORKSPACE, PermissionMode } from '../../utils';
-import { ACL } from '../saved_objects/permission_control/acl';
+import {
+ MANAGEMENT_WORKSPACE,
+ PUBLIC_WORKSPACE,
+ PermissionMode,
+ DASHBOARD_ADMIN_GROUP,
+} from '../../utils';
+import { ACL, Permissions } from '../saved_objects/permission_control/acl';
 export interface WorkspacesServiceSetup {
 client: IWorkspaceDBImpl;
@@ -98,7 +103,8 @@ export class WorkspacesService
 private async checkAndCreateWorkspace(
 internalRepository: ISavedObjectsRepository,
 workspaceId: string,
- workspaceAttribute: Omit
+ workspaceAttribute: Omit,
+ permissions?: Permissions
 ) {
 /**
 * Internal repository is attached to global tenant.
@@ -111,6 +117,7 @@ export class WorkspacesService
 try {
 const createResult = await internalRepository.create(WORKSPACE_TYPE, workspaceAttribute, {
 id: workspaceId,
+ permissions,
 });
 if (createResult.id) {
 this.logger.info(`Created workspace ${createResult.id} in global tenant.`);
@@ -122,31 +129,40 @@ export class WorkspacesService
 }
 private async setupWorkspaces(startDeps: WorkpsaceStartDeps) {
+ return;
 const internalRepository = startDeps.savedObjects.createInternalRepository();
 const publicWorkspaceACL = new ACL()
 .addPermission([PermissionMode.LibraryRead, PermissionMode.LibraryWrite], {
 users: ['*'],
 })
 .addPermission([PermissionMode.Management], {
- groups: ['dashboard_admin'],
+ groups: [DASHBOARD_ADMIN_GROUP],
 });
 const managementWorkspaceACL = new ACL()
 .addPermission([PermissionMode.LibraryRead], {
 users: ['*'],
 })
- .addPermission([PermissionMode.Management], {
- groups: ['dashboard_admin'],
+ .addPermission([PermissionMode.Management, PermissionMode.LibraryWrite], {
+ groups: [DASHBOARD_ADMIN_GROUP],
 });
 await Promise.all([
- this.checkAndCreateWorkspace(internalRepository, PUBLIC_WORKSPACE, {
- name: 'public',
- permissions: publicWorkspaceACL,
- }),
- this.checkAndCreateWorkspace(internalRepository, MANAGEMENT_WORKSPACE, {
- name: 'Management',
- permissions: managementWorkspaceACL,
- }),
+ this.checkAndCreateWorkspace(
+ internalRepository,
+ PUBLIC_WORKSPACE,
+ {
+ name: 'public',
+ },
+ publicWorkspaceACL.getPermissions()
+ ),
+ this.checkAndCreateWorkspace(
+ internalRepository,
+ MANAGEMENT_WORKSPACE,
+ {
+ name: 'Management',
+ },
+ managementWorkspaceACL.getPermissions()
+ ),
 ]);
 }
diff --git a/src/core/utils/constants.ts b/src/core/utils/constants.ts
index 5ebf5c0af141..423d9ab730a6 100644
--- a/src/core/utils/constants.ts
+++ b/src/core/utils/constants.ts
@@ -23,3 +23,5 @@ export const PUBLIC_WORKSPACE = 'public';
 export const MANAGEMENT_WORKSPACE = 'management';
 export const WORKSPACE_FEATURE_FLAG_KEY_IN_UI_SETTINGS = 'workspace:enabled';
+
+export const DASHBOARD_ADMIN_GROUP = 'dashboard_admin';
diff --git a/src/core/utils/index.ts b/src/core/utils/index.ts
index 4118a850c828..d943e7aeebf2 100644
--- a/src/core/utils/index.ts
+++ b/src/core/utils/index.ts
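Review bot: The added `return;` as the first statement of `setupWorkspaces` makes the rest of the method unreachable, so the public and management workspaces are never created and the ACL changes later in this hunk (`DASHBOARD_ADMIN_GROUP`, and `PermissionMode.LibraryWrite` for the admin group on the management workspace) never take effect. If this is a deliberate temporary switch-off, it should sit behind an explicit condition with a comment giving the reason, rather than leaving the permission setup as dead code below an unconditional return; if it is a debugging leftover, drop the line. Separately, the public workspace grants `PermissionMode.LibraryWrite` to `users: ['*']`, and a short comment confirming that every user is meant to have write access there would help the next reviewer.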
@@ -43,4 +43,5 @@ export {
 PUBLIC_WORKSPACE,
 WORKSPACE_FEATURE_FLAG_KEY_IN_UI_SETTINGS,
 MANAGEMENT_WORKSPACE,
+ DASHBOARD_ADMIN_GROUP,
 } from './constants';