User experience container level identity federation and content security

What is claimed is: 1. A method for controlling display of a workspace, comprising: during a shared collaboration session sharing the workspace with multiple client nodes, executing a protocol to establish a first level authorization at a display client on a network node participating in the shared collaboration session for a participant operative identity (OID), the first level authorization enabling access to a workspace data set of the workspace during the shared collaboration session, the workspace data set having a plurality of entries that identify respective digital assets and locations in the workspace for graphical objects representing the respective digital assets, and wherein the plurality of entries includes a particular entry identifying a particular digital asset requiring a second level authorization; parsing the workspace data set to identify entries for digital assets having locations within a client viewport region of the workspace; displaying graphical objects on a display at the display client representing the identified digital assets accessible with the first level authorization; for the particular digital asset, communicating with an authorization server to return a result indicating status of second level authorization, and in response to a status indication that second level authorization is not established, displaying a placeholder graphical object at the display client, and in response to a status indication that second level authorization is established, displaying a graphical object representing the particular digital asset at the display client; and, when a placeholder graphical object is displayed, presenting a user interface object at the display client prompting execution of a protocol to establish second level authorization, and in dependence upon establishment of the second level authorization, replacing the placeholder graphical object with the graphical object representing the particular digital asset. 2. The method of claim 1 , wherein the particular digital asset is a file stored by a resource server, and the graphical object is controlled by an external resource server. 3. The method of claim 1 , wherein the particular digital asset is a file stored by a resource server, and the graphical object representing the particular digital asset is a thumbnail object. 4. The method of claim 1 , wherein the particular entry includes a resource link identifying the particular digital asset, and the communicating with the authorization server includes sending the resource link to the authorization server. 5. The method of claim 1 , wherein the protocol to establish second level authorization includes presenting a request login prompt with the placeholder graphical object, selection of which launches a user interface object for login of the display client to a resource server storing the particular digital asset. 6. The method of claim 1 , wherein the protocol to establish second level authorization includes presenting a request permission prompt with the placeholder graphical object, selection of which launches a user interface object for requesting permission from an owner account for access to the particular digital asset from a resource server storing the particular digital asset. 7. The method of claim 1 , including displaying a prompt on the display for adding a digital asset to the workspace, and in response to the prompt, executing the second level authorization protocol to deliver a resource access token for the added digital asset requiring second level authorization to the authorization server with a scope of permissions for the participant OID, and adding an entry to the workspace data set including a resource link identifying the added digital asset. 8. The method of claim 7 , wherein the resource link identifying the added digital asset includes an owner account identifier, a storage server identifier, and an access scope identifier. 9. The method of claim 7 , wherein the resource link identifying the added digital asset includes an owner account identifier, a storage server identifier, an access group identifier, and an access scope identifier. 10. The method of claim 1 , wherein the workspace includes a canvas object defining a region in the workspace, and the workspace data set includes entries for digital assets having locations within the region defined by the canvas object; and the method further including: displaying, at the display client, a placeholder canvas graphical object and a canvas access prompt for requesting access to digital assets in the region defined by the canvas object; and detecting user input indicating selection of the canvas access prompt, and in response executing a protocol to establish a canvas second level authorization; and in dependence upon establishment of the canvas second level authorization, replacing the placeholder canvas graphical object with graphical objects representing the digital assets having locations within the region defined by the canvas object. 11. A system including one or more processors coupled to memory, the memory loaded with computer instructions to control display of a workspace, the instructions, when executed on the processors, implement actions comprising: during a shared collaboration session sharing the workspace with multiple client nodes, executing a protocol to establish a first level authorization at a display client on a network node participating in the shared collaboration session for a participant operative identity (OID), the first level authorization enabling access to a workspace data set of the workspace during the shared collaboration session, the workspace data set having a plurality of entries that identify respective digital assets and locations in the workspace for graphical objects representing the respective digital assets, and wherein the plurality of entries includes a particular entry identifying a particular digital asset requiring a second level authorization; parsing the workspace data set to identify entries for digital assets having locations within a client viewport region of the workspace; displaying graphical objects on a display at the display client representing the identified digital assets accessible with the first level authorization; for the particular digital asset, communicating with an authorization server to return a result indicating status of second level authorization, and in response to a status indication that second level authorization is not established, displaying a placeholder graphical object at the display client, and in response to a status indication that second level authorization is established, displaying a graphical object representing the particular digital asset at the display client; and, when a placeholder graphical object is displayed, presenting a user interface object at the display client prompting execution of a protocol to establish second level authorization, and in dependence upon establishment of the second level authorization, replacing the placeholder graphical object with the graphical object representing the particular digital asset. 12. The system of claim 11 , wherein the particular digital asset is a file stored by a resource server, and the graphical object is controlled by an external resource server. 13. The system of claim 11 , wherein the particular digital asset is a file stored by a resource server, and the graphical object representing the particular digital asset is a thumbnail object. 14. The system of claim 11 , wherein the particular entry includes a resource link identifying the part