diff --git a/src/core/server/workspaces/workspaces_service.ts b/src/core/server/workspaces/workspaces_service.ts
index 1e8173e3a411..44a7fd793545 100644
--- a/src/core/server/workspaces/workspaces_service.ts
+++ b/src/core/server/workspaces/workspaces_service.ts
@@ -17,7 +17,8 @@ import { IWorkspaceDBImpl, WorkspaceAttribute } from './types';
 import { WorkspacesClientWithSavedObject } from './workspaces_client';
 import { WorkspaceSavedObjectsClientWrapper } from './saved_objects';
 import { WORKSPACE_TYPE } from './constants';
-import { MANAGEMENT_WORKSPACE, PUBLIC_WORKSPACE } from '../../utils';
+import { MANAGEMENT_WORKSPACE, PUBLIC_WORKSPACE, PermissionMode } from '../../utils';
+import { ACL } from '../saved_objects/permission_control/acl';
 export interface WorkspacesServiceSetup {
 client: IWorkspaceDBImpl;
@@ -122,13 +123,29 @@ export class WorkspacesService
 private async setupWorkspaces(startDeps: WorkpsaceStartDeps) {
 const internalRepository = startDeps.savedObjects.createInternalRepository();
+ const publicWorkspaceACL = new ACL()
+ .addPermission([PermissionMode.LibraryRead, PermissionMode.LibraryWrite], {
+ users: ['*'],
+ })
+ .addPermission([PermissionMode.Management], {
+ groups: ['dashboard_admin'],
+ });
+ const managementWorkspaceACL = new ACL()
+ .addPermission([PermissionMode.LibraryRead], {
+ users: ['*'],
+ })
+ .addPermission([PermissionMode.Management], {
+ groups: ['dashboard_admin'],
+ });
 await Promise.all([
 this.checkAndCreateWorkspace(internalRepository, PUBLIC_WORKSPACE, {
 name: 'public',
+ permissions: publicWorkspaceACL,
 }),
 this.checkAndCreateWorkspace(internalRepository, MANAGEMENT_WORKSPACE, {
 name: 'Management',
+ permissions: managementWorkspaceACL,
 }),
 ]);
 }
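Review bot: The group that receives `PermissionMode.Management` on both built-in workspaces is the bare string literal `'dashboard_admin'`, written twice in `setupWorkspaces` (once in `publicWorkspaceACL`, once in `managementWorkspaceACL`), and nothing visible in this hunk ties that name to a reserved or configured role. If the identity backend allows a group of that name to be created or assigned freely, membership in it would confer management of the public and Management workspaces, so I would lift it into a single named constant or configuration value (for example `groups: [dashboardAdminGroup]`, a name proposed here) rather than repeating the literal. The `users: ['*']` grant of `PermissionMode.LibraryWrite` on the public workspace presumably makes it writable by every user, and that intent should be stated in a comment above the ACL, e.g. `// all users may read and write library objects here; only the admin group may manage the workspace`. `checkAndCreateWorkspace` is defined outside this hunk, so it cannot be confirmed from here whether these ACLs are also applied to public and Management workspaces that already exist from an earlier start-up; if it only creates missing ones, upgraded installs would keep workspaces without these permissions.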